Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to set environment variables from platform hooks in elastic beanstalk?

I am trying to deploy a django application using elastic beanstalk. The app connects to the database using the environment variables.

DATABASES = {
  'default': {
    'ENGINE': 'django.db.backends.mysql',
    'NAME': os.environ['RDS_DB_NAME'],
    'USER': os.environ['RDS_USERNAME'],
    'PASSWORD': os.environ['RDS_PASSWORD'],
    'HOST': os.environ['RDS_HOSTNAME'],
    'PORT': os.environ['RDS_PORT'],
  }
}

I don't want to set these variables explicitly in EB console or option_settings, as they would appear in EB console in plain text.

The RDS credentials are stored in AWS Secrets Manager. As EB doesn't support AWS secrets manager yet, I wrote a platform hook to fetch the secrets and export the credentials as environment variables.

django_app/.platform/hooks/prebuild/set_db_credentials.sh

#!/bin/sh

# fetch secrets from secrets manager and store in db_credentials.json
aws secretsmanager get-secret-value --secret-id="$RDS_SECRETS_ID" --region="$RDS_SECRETS_REGION" --query=SecretString --output text > db_credentials.json

# export as environment variables
export RDS_HOSTNAME="$(jq -r '.host' db_credentials.json)"
export RDS_PORT="$(jq -r '.port' db_credentials.json)"
export RDS_USERNAME="$(jq -r '.username' db_credentials.json)"
export RDS_PASSWORD="$(jq -r '.password' db_credentials.json)"
export RDS_DB_NAME="$(jq -r '.dbname' db_credentials.json)"

rm db_credentials.json

The hook is running fine but the environment variables are not available for the app. Does anyone know how to do this ?

like image 661
gowthz Avatar asked Oct 20 '25 16:10

gowthz


2 Answers

You could probably use a EB hook to create dynamically aws:elasticbeanstalk:application:environment .ebextensions config file.

So the idea is to create proper .ebextensions file for env variables using one of the EB hooks, before EB is going to read and execute your .ebextensions files.

like image 146
Marcin Avatar answered Oct 23 '25 05:10

Marcin


A work-around solution is to save your secret in config file inside your hook. Setting the variable in the bash scripts won't work since Elastic Beanstalk likely run hooks in different shells (and provides no support for secret management so far).

For instance if you are using docker (or any platform that automatically reads env variable from the a ".env" file) the solution described here will work. Saving it into an .ebextensions might also be a solution but it doesn't seem to work with docker platform.

like image 20
lmX2015 Avatar answered Oct 23 '25 06:10

lmX2015



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!