Configure ECS to Deploy Updated LibreChat with JWT Support

[AliSMAmin]

Discovery:

The updated LibreChat application now supports JWT authentication, requiring changes to the deployment configuration on Amazon ECS. Environment variables related to JWT authentication (e.g., secret keys, token expiration settings) must be properly configured and securely stored in the ECS environment to ensure smooth deployment and operation of the updated version of LibreChat.

Problem Definition:

The current ECS configuration does not account for the new JWT authentication requirements. Environment variables such as the JWT secret key and token expiration time need to be added to the ECS task definition and managed securely. Without updating the ECS configuration, the application will not function correctly in the production environment.

Motivations:

By updating the ECS configuration to support JWT authentication, we can:

• Ensure the proper deployment of the updated LibreChat with the required JWT authentication capabilities.
• Securely manage environment variables for JWT secret keys and related settings, minimizing security risks.
• Maintain consistency between the local development environment and the production ECS deployment.

Proposed Solution:

1. Update ECS Task Definition:

   • Modify the ECS task definition to include the following new environment variables required for JWT authentication:
     • JWT_SECRET_KEY: The secret key used for signing and validating JWT tokens.
     • JWT_EXPIRATION: The token expiration time (e.g., "24h" for 24 hours).
   • Ensure these environment variables are securely stored using AWS Secrets Manager or SSM Parameter Store, and that the ECS task can access them at runtime.

2. Use Secure Secrets Management:

   • Ensure that sensitive environment variables, such as the JWT_SECRET_KEY, are not hard-coded in the task definition or Docker container. Instead, use AWS Secrets Manager or SSM Parameter Store to inject these variables securely into the ECS tasks.
   • Update the ECS task definition to retrieve the secrets from AWS Secrets Manager or SSM Parameter Store during task execution.

3. Test JWT Authentication in ECS:

   • After deploying the updated task definition, test the JWT authentication flow in the ECS environment to ensure the tokens are validated correctly and that users can authenticate successfully.
   • Test token expiration and renewal (if applicable) to confirm that the JWT configuration works as expected in the deployed environment.

4. Update CI/CD Pipeline (if needed):

   • If environment variables or secrets are set up through CI/CD, ensure that the pipeline correctly passes the necessary JWT configuration settings during deployment.
   • Verify that the CI/CD pipeline triggers a redeployment of the ECS service after the task definition is updated.

5. Add Monitoring and Logging:

   • Ensure that logging and monitoring are enabled for JWT-related authentication failures or issues, such as token validation errors or missing environment variables, via Amazon CloudWatch.
   • Add CloudWatch metrics and alarms for key indicators (e.g., JWT validation errors, ECS task failures) to monitor the health of the JWT authentication in production.

Definition of Done:

• [ ] ECS task definition is updated with environment variables required for JWT authentication (e.g., JWT_SECRET_KEY and JWT_EXPIRATION).
• [ ] Environment variables for JWT authentication are securely managed using AWS Secrets Manager or SSM Parameter Store.
• [ ] The updated LibreChat application with JWT support is successfully deployed to ECS, and JWT authentication works as expected in the production environment.
• [ ] Logging and monitoring are configured to track JWT-related issues in the ECS deployment.

Additional Information:

• Secrets Management: Ensure that the JWT_SECRET_KEY is stored securely in AWS Secrets Manager or SSM Parameter Store, and that permissions are correctly set up to allow the ECS task to retrieve the secret.
• Testing: Conduct thorough testing after deployment to confirm that JWT authentication functions as expected, including token validation, user creation, and token expiration.

[tomasvalererealms]

time 2

Tasks updated for the log in override