AWS ENV variables

What’s the best way to set ENV variables in an EC2 production server?

I was considering using Figaro, but not sure if anything inside of AWS takes care of this.

Thanks, Joe

You can still utilise encrypted credentials

There are a number of ways to do this depending on your particular setup (eg. If you’re running ECS or not). That said, two common approaches are AWS Secrets Manager (credential password management - AWS Secrets Manager - Amazon Web Services) and AWS Parameter Store (AWS Systems Manager Parameter Store - AWS Systems Manager).


Thanks, I am using encrypted credentials on the aws server.

In your case, no matter if you are using encrypted credentials or .env file, your only attack surface becomes physical access to the EC2 instance.

To minimize the risk, least secure to most secure:

  1. Limit access to the production server to only one person (or emergency backup if necessary) and rotate the key often.
  2. Use encrypted credentials file instead of .env file (which you already are), and Key Storage service (from Amazon for example, Key Usage — AWS Key Management Service — Amazon Web Services) to access your Master Key.
  3. Use code deploy service (AWS CodeDeploy | Automated Software Deployment) to publish changes in conjunction with #2, thus avoiding personal access entirely.

All of these, ultimately, can be hacked and broken, especially if your root access key gets exposed.

For things that are instance dependent (puma concurrency, max thread, sidekiq workers, log levels, etc.), we use the rbenv-vars plugin to insert a .env-vars file in the project root.
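The Parameter Store approach from the earlier reply, combined with the point above about keeping the master key off the box, can be done with a small boot-time loader. The following is an added example, not code from anyone in this thread: it pulls every SecureString parameter under a path such as /myapp/production/ (a hypothetical naming scheme), has KMS decrypt them, and exports each one as an ENV variable (including RAILS_MASTER_KEY, which Rails reads from ENV when config/master.key is absent). It assumes the instance role is allowed ssm:GetParametersByPath and kms:Decrypt on the key in question, so no long-lived access keys need to live on the EC2 instance. In production the client is `Aws::SSM::Client.new` from the aws-sdk-ssm gem; here a constructed fake client with the same `get_parameters_by_path` shape stands in so the example runs offline.

```ruby
# Added example (not from the original thread): load secrets from AWS Systems
# Manager Parameter Store into ENV at boot (e.g. from config/boot.rb, before
# Rails loads), instead of shipping a .env file or access keys to the instance.
#
# Assumptions (hypothetical, not stated in the thread):
#   - parameters live under /myapp/<env>/<NAME>, stored as SecureString
#   - the instance role grants ssm:GetParametersByPath and kms:Decrypt
#   - in production the client is Aws::SSM::Client.new (aws-sdk-ssm gem)

# Minimal stand-in for the two response shapes the loader touches.
Param = Struct.new(:name, :value, keyword_init: true)
Page  = Struct.new(:parameters, :next_token, keyword_init: true)

# Constructed fake of Aws::SSM::Client. It returns two pages so the loader's
# NextToken handling is exercised; the values are made up.
class FakeSsmClient
  PAGES = {
    nil => Page.new(
      parameters: [
        Param.new(name: '/myapp/production/RAILS_MASTER_KEY',
                  value: '0123456789abcdef0123456789abcdef'),
        Param.new(name: '/myapp/production/DATABASE_URL',
                  value: 'postgres://app:pw@db.internal/app')
      ],
      next_token: 'page2'
    ),
    'page2' => Page.new(
      parameters: [
        Param.new(name: '/myapp/production/SECRET_KEY_BASE',
                  value: 'deadbeef')
      ],
      next_token: nil
    )
  }.freeze

  attr_reader :calls

  def initialize
    @calls = []
  end

  # Same keyword arguments as the real SDK call.
  def get_parameters_by_path(opts)
    @calls << opts
    PAGES.fetch(opts[:next_token])
  end
end

module SsmEnv
  # Fetch every parameter directly under +path+, decrypting SecureStrings via
  # KMS, and export each as env[<last path segment>]. Values already present in
  # +env+ win, so an operator can override one setting locally without editing
  # Parameter Store. Returns the names that were set, never the values, so the
  # result is safe to log.
  def self.load!(client:, path:, env: ENV)
    set_names = []
    next_token = nil
    loop do
      opts = { path: path, recursive: false, with_decryption: true }
      opts[:next_token] = next_token if next_token # only send when paging
      resp = client.get_parameters_by_path(opts)
      resp.parameters.each do |p|
        name = p.name.split('/').last
        next if env.key?(name)
        env[name] = p.value
        set_names << name
      end
      next_token = resp.next_token
      break if next_token.nil? || next_token.empty?
    end
    set_names
  end
end

if __FILE__ == $PROGRAM_NAME
  # Demo against the fake client; with the real SDK this would be
  #   SsmEnv.load!(client: Aws::SSM::Client.new,
  #                path: "/myapp/#{ENV.fetch('RAILS_ENV', 'production')}/")
  names = SsmEnv.load!(client: FakeSsmClient.new, path: '/myapp/production/', env: {})
  puts "loaded from Parameter Store: #{names.join(', ')}"
end
```

Call this from config/boot.rb so the variables exist before Rails reads RAILS_MASTER_KEY and before puma or sidekiq fork; the per-instance tuning values mentioned above (thread counts, log levels) can stay in the local .env-vars file, since they are not secrets.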