How to store private keys securely in AWS S3 for use with Elastic Beanstalk

--

The private keys that a project uses must not be committed alongside its source code. A better option is to keep the key in a private S3 bucket and configure Elastic Beanstalk to download the file onto the instance during deployment, so the key never sits in the repository or in the application bundle.

The following example shows an Elastic Beanstalk configuration file (an .ebextensions file) that fetches a private key file from an S3 bucket.

```yaml
# .ebextensions/serverkey.config
Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: [ "elasticbeanstalk-region-account-id" ]
          roleName:
            "Fn::GetOptionSetting":
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"

files:
  # Private key
  "/etc/pki/tls/certs/server.key":
    mode: "000400"
    owner: webapp
    group: webapp
    authentication: "S3Auth"
    source: https://s3.amazonaws.com/elasticbeanstalk-region-account-id/server.key
```

The instance profile "aws-elasticbeanstalk-ec2-role" must have permission (s3:GetObject) to read the key object from the specified bucket. Grant it with an IAM policy attached to that role, scoped to the key object rather than to the whole bucket, and keep the object private: no public read, Block Public Access enabled on the bucket, and server-side encryption at rest (with SSE-KMS the role also needs kms:Decrypt on the CMK). Note that cfn-init writes files as root unless told otherwise, so the owner and group entries above are what let the webapp process read a 0400 file; without them the application cannot open its own key.
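The settings above are easy to get subtly wrong (a 0644 mode, a missing owner, a bucket that is not in the auth block's list). The script below is an added example, not code from the original post: it holds the post's serverkey.config re-expressed as JSON (.ebextensions files may be YAML or JSON; the JSON form is embedded so it runs offline without PyYAML or AWS access), lints every downloaded `files` entry against the checks just described, and builds the object-scoped IAM policy for the instance role. The lint rules, the URL parser and the policy helper are my own assumptions about what a pre-deploy check should enforce.

```python
"""Offline checks for an .ebextensions file that fetches a private key from S3.

Added example; not code from the original post. SAMPLE_CONFIG is the post's
serverkey.config as JSON, embedded so the script runs without PyYAML or AWS.
"""
import json
import re

# Constructed sample: the post's serverkey.config in JSON form.
SAMPLE_CONFIG = json.loads(r"""{
  "Resources": {"AWSEBAutoScalingGroup": {"Metadata": {
    "AWS::CloudFormation::Authentication": {"S3Auth": {
      "type": "s3",
      "buckets": ["elasticbeanstalk-region-account-id"],
      "roleName": {"Fn::GetOptionSetting": {
        "Namespace": "aws:autoscaling:launchconfiguration",
        "OptionName": "IamInstanceProfile",
        "DefaultValue": "aws-elasticbeanstalk-ec2-role"}}}}}}},
  "files": {"/etc/pki/tls/certs/server.key": {
    "mode": "000400", "owner": "webapp", "group": "webapp",
    "authentication": "S3Auth",
    "source": "https://s3.amazonaws.com/elasticbeanstalk-region-account-id/server.key"}}
}""")

# Path-style hosts: s3.amazonaws.com, s3.eu-west-1.amazonaws.com, s3-us-west-2.amazonaws.com
PATH_STYLE_HOST = re.compile(r"^s3([.-][a-z0-9-]+)?\.amazonaws\.com$")
# Virtual-hosted hosts: <bucket>.s3.amazonaws.com, <bucket>.s3.eu-west-1.amazonaws.com
VHOST_HOST = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3([.-][a-z0-9-]+)?\.amazonaws\.com$")


def s3_bucket_and_key(url):
    """Return (bucket, key) for an https S3 object URL in either URL style."""
    m = re.match(r"^https://([^/]+)/(.*)$", url)
    if not m:
        raise ValueError(f"not an https S3 URL: {url}")
    host, path = m.group(1), m.group(2)
    vh = VHOST_HOST.match(host)
    if vh:
        return vh.group("bucket"), path
    if PATH_STYLE_HOST.match(host):
        bucket, _, key = path.partition("/")
        return bucket, key
    raise ValueError(f"unrecognised S3 host: {host}")


def lint_key_files(config):
    """Return findings (strings) for every `files` entry fetched from a `source` URL."""
    findings = []
    auth_blocks = (config.get("Resources", {}).get("AWSEBAutoScalingGroup", {})
                   .get("Metadata", {}).get("AWS::CloudFormation::Authentication", {}))
    for path, spec in config.get("files", {}).items():
        source = spec.get("source")
        if source is None:
            continue  # inline content, nothing is downloaded
        # 1. Permissions: the key must not be readable by group or others.
        mode = spec.get("mode")
        if mode is None:
            findings.append(f"{path}: no mode set; set mode to 000400")
        elif int(mode, 8) & 0o077:
            findings.append(f"{path}: mode {mode} is group/world readable; use 000400")
        # 2. Ownership: cfn-init writes as root, so a 0400 root-owned key is
        #    unreadable by the app user unless owner is set explicitly.
        if "owner" not in spec:
            findings.append(f"{path}: no owner set; the app user cannot read a 0400 root-owned file")
        # 3. Transport: only https.
        if not source.startswith("https://"):
            findings.append(f"{path}: source is not https")
            continue
        # 4. Authentication: the download must be signed with the instance role
        #    and the source bucket must be one the auth block covers.
        auth_name = spec.get("authentication")
        if not auth_name:
            findings.append(f"{path}: no authentication; an unsigned download needs a public object")
            continue
        auth = auth_blocks.get(auth_name)
        if auth is None or auth.get("type") != "s3":
            findings.append(f"{path}: authentication {auth_name!r} is not a defined S3 auth block")
            continue
        try:
            bucket, _key = s3_bucket_and_key(source)
        except ValueError as exc:
            findings.append(f"{path}: {exc}")
            continue
        if bucket not in auth.get("buckets", []):
            findings.append(f"{path}: bucket {bucket!r} is not listed in {auth_name}.buckets")
    return findings


def instance_role_policy(bucket, key):
    """Least-privilege IAM policy for the instance profile role: read only the key object."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                           "Resource": f"arn:aws:s3:::{bucket}/{key}"}]}


if __name__ == "__main__":
    print("findings:", lint_key_files(SAMPLE_CONFIG))
    src = SAMPLE_CONFIG["files"]["/etc/pki/tls/certs/server.key"]["source"]
    print(json.dumps(instance_role_policy(*s3_bucket_and_key(src)), indent=2))
```

Run it against your own config before `eb deploy`; an empty findings list means the entry is 0400, owned by the app user, fetched over https with the instance role, and sourced from a bucket the auth block covers. The policy it prints is the one to attach to the instance profile role; if the object is encrypted with SSE-KMS, add a second statement allowing kms:Decrypt on that key.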

You may also set the URL with an environment variable, like this:

Hope you have a good day!

Originally published at https://dev.to on May 24, 2019.
