aws / copilot-cli

The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on AWS App Runner or Amazon ECS on AWS Fargate.
https://aws.github.io/copilot-cli/
Apache License 2.0

Sharing Secrets Between Environments #2940

Open dereksdev opened 2 years ago

dereksdev commented 2 years ago

Is there a way to share secrets between environments? The requirement to tag each secret with copilot-environment leads me to believe this is not possible, but it would be useful for shared application secrets. I would like to be able to do the following:

  1. set up an SSM parameter with only tag copilot-application set to my application name
  2. reference the secret in the global secrets in manifest.yml:

     ```yaml
     secrets:
       SECRET_NAME: /copilot/app_name/secrets/SECRET_NAME
     ```

     This process currently results in an error: `ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secrets from ssm`

iamhopaul123 commented 2 years ago

Hello @dereksdev. Yes you are correct it is not possible to define application level secrets in Copilot right now. This would be a feature request for us. Thank you for bringing up this feature and your use case for it!

bpottier commented 2 years ago

Just want to say I'd like to see this feature too. It would be useful for creating a single secret with credentials to a private Docker registry.

mnitchie commented 2 years ago

I'll add on that it would also be useful to share secrets across applications, as well. This is handy for multiple applications that might share the same database or for connections to a shared cache. Beyond the challenge of setting up duplicate secrets, this increases the burden of rotating secrets when necessary.

efekarakus commented 2 years ago

Thanks @mnitchie ! as a side-tangent, how do you deal with secrets rotation today for ECS tasks? do you force a new deployment when a rotation occurs or do you use another mechanism?

mnitchie commented 2 years ago

It's a little ad hoc at the moment. Sometimes I do what you suggested if I'm confident that won't break things with the already-deployed tasks, or if I'm planning to re-deploy right away. Once I created a second secret and changed the manifest to point to that instead of the old one, then re-deploy.

GearoidCollins commented 2 years ago

+1 to this. would love it 🙌 It would nicely clean up our secret store and manifest files 😄

jakequalia commented 2 years ago

+1 to this for me as well :). This would be a really handy feature and would make creating new environments super seamless! Has work on this feature request been started?

jakequalia commented 4 months ago

Any update on this?

ColeDCrawford commented 3 months ago

This would be really useful. We are adding Elasticsearch to several apps and just have one large cluster with a bunch of indices. We could just store the Elastic Cloud ID and password once each, but now it looks like I'll have to define multiple variables per application and per environment. And if I rotate those creds, will have to change them all individually ... could add some logic to the value parsing to split on commas or another delimiter? copilot-environment=dev,prod, and same for the apps?

Lou1415926 commented 3 months ago

@ColeDCrawford Makes sense to me! Another workaround I can think of is to tag a secret with something like "shared", and then give each of your app's EnvManagerRole access to secrets with that tag, using yaml patch.
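One way the tag-based workaround above could be expressed, as an added example that is neither Copilot's own code nor from anyone in this thread: a Copilot YAML patch that appends a policy to the task execution role allowing `ssm:GetParameters` only on parameters carrying a `shared=true` tag, so one parameter can serve several environments. The patch file location (`overrides/cfn.patches.yml`), the role's logical ID `ExecutionRole`, the `/copilot/shared/` path prefix and the tag key `shared` are all assumptions, not values from the page; confirm the logical ID against the template `copilot svc package` emits before relying on it.

```yaml
# Added example: Copilot YAML patch for a service (overrides/cfn.patches.yml).
# ASSUMPTIONS: the execution role's logical ID is ExecutionRole, shared
# parameters live under /copilot/shared/, and they are tagged shared=true
# at creation time, e.g.
#   aws ssm put-parameter --name /copilot/shared/ELASTIC_CLOUD_ID \
#     --type SecureString --value '<placeholder>' --tags Key=shared,Value=true
# The manifest then references it like any other secret:
#   secrets:
#     ELASTIC_CLOUD_ID: /copilot/shared/ELASTIC_CLOUD_ID
- op: add
  path: /Resources/ExecutionRole/Properties/Policies/-
  value:
    PolicyName: ReadSharedSecrets
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Sid: ReadParametersTaggedShared
          Effect: Allow
          Action: ssm:GetParameters
          # Scope to one path prefix AND require the tag, so a parameter is
          # readable only when both the name and the tag say it is shared.
          Resource:
            Fn::Sub: arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter/copilot/shared/*
          Condition:
            StringEquals:
              ssm:ResourceTag/shared: 'true'
```

Because the grant is bound to the tag and the path prefix rather than to copilot-environment, rotating the value in the single parameter followed by a redeploy updates every environment that references it.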