Open ccastaneda-gap opened 1 year ago
Hi @ccastaneda-gap, can you provide a bit more context around this? Can you post your GitHub workflow definition file so we can understand what's the issue here?
We do have the same issue.
At the beginning we define the env variables with Github Secrets, e.g.
```yaml
env:
  AWS_REGION: eu-central-1
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ACCESS_KEY_ID }}
```
They get passed into AppRunner
```yaml
- name: Deploy to App Runner Image
  uses: awslabs/amazon-app-runner-deploy@main
  (...)
  with:
    copy-env-vars: |
      AWS_REGION
      AWS_ACCESS_KEY_ID
```
In AWS Console of AppRunner they get shown in plain text. Is there an option to pass in environment variables from SecretsManager or SSM Parameter Store instead?
You can use the `copy-secret-env-vars` configuration parameter to pass a set of existing Secrets Manager or SSM Parameter Store ARNs. This configuration parameter value is mapped to the `RuntimeEnvironmentSecrets` API parameter when creating a new App Runner service.

You can read more about `RuntimeEnvironmentSecrets` parameter behavior for Image and Code source configuration.
```yaml
env:
  SECRET_ENV: ${{ secrets.AWS_SECRET_ARN }}
with:
  copy-secret-env-vars: |
    SECRET_ENV
```
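A fuller workflow putting the two patterns side by side, as an added example rather than the action's own documentation: the plain `copy-env-vars` value that the console shows in clear text, and the `copy-secret-env-vars` entry that carries only a Secrets Manager ARN. It also keeps the deploy credentials out of the job-level `env`, which is what causes the S3 key to override the credentials the deploy step needs. The `service`, `image`, `access-role-arn`, `instance-role-arn` and `region` inputs, the `configure-aws-credentials` step, and every ARN, account id and secret name are assumptions or placeholders, not values from this issue.

```yaml
# Added example, not from the action's README. Inputs other than
# copy-env-vars / copy-secret-env-vars, and all ARNs, account ids and
# GitHub secret names, are assumed placeholders.
name: deploy-app-runner
on: { push: { branches: [main] } }

permissions:
  id-token: write   # lets configure-aws-credentials assume a role via OIDC
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Do NOT put AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY here: job-level env
    # is visible to every step, so an S3 key would override the deploy
    # credentials and the deploy step loses its App Runner permissions.
    env:
      # Only the ARN of the secret lives in GitHub; the value never leaves AWS.
      S3_CREDS: ${{ secrets.S3_CREDS_SECRET_ARN }}   # assumed GitHub secret holding an ARN
      AWS_REGION: eu-central-1
    steps:
      - name: Configure deploy credentials (role allowed to manage App Runner)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gh-apprunner-deploy  # placeholder
          aws-region: eu-central-1

      - name: Deploy to App Runner Image
        uses: awslabs/amazon-app-runner-deploy@main
        with:
          service: my-service                                                  # assumed input
          image: 123456789012.dkr.ecr.eu-central-1.amazonaws.com/app:latest    # placeholder
          access-role-arn: arn:aws:iam::123456789012:role/apprunner-ecr-access # placeholder
          # The instance role must be allowed secretsmanager:GetSecretValue
          # (or ssm:GetParameters) on the referenced ARNs, or the service
          # fails to start; App Runner resolves the value at runtime.
          instance-role-arn: arn:aws:iam::123456789012:role/apprunner-instance # assumed input
          region: eu-central-1
          # Plain values: copied as-is and shown in clear text in the console.
          copy-env-vars: |
            AWS_REGION
          # ARN references: mapped to RuntimeEnvironmentSecrets; the console
          # shows the ARN, never the secret value.
          copy-secret-env-vars: |
            S3_CREDS
```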
Hi!
I want to pass to my App Runner service a secret env variable called AWS_ACCESS_KEY_ID
(and secret access key and region too...) for the service to be able to integrate with my S3 bucket.
My problem is that in my workflow, defining those env variables overrides the AWS credentials my job needs to be able to deploy the service to App Runner. It doesn't have permissions to do so, since my S3 credentials point to a different IAM account that has no permissions to the S3.
Any ideas?
GitHub secret values are exposed as environment variables in the AWS App Runner console; everyone can access them. Am I missing something?