Posted On: Jan 6, 2023

AWS App Runner now supports retrieving secrets and configuration data stored in AWS Secrets Manager and AWS Systems Manager (SSM) Parameter Store in an App Runner service as runtime environment variables. App Runner makes it easier for developers to quickly deploy containerized web applications and APIs to the cloud, at scale, and without managing infrastructure. Many web applications and APIs access sensitive information such as database credentials and API keys to connect to downstream systems. Some developers prefer to decouple the management of sensitive information from application code, both to improve code reusability and to reduce the operational overhead of updating and rebuilding application code whenever secrets or configuration data change. Now, you can securely reference secrets and configuration data stored in Secrets Manager and SSM Parameter Store as runtime environment variables in your App Runner service. This allows you to manage your sensitive information separately from the application code and service configuration, helping you enhance the security posture of applications running on App Runner.

This feature is supported by all App Runner interfaces, such as the App Runner console, AWS Copilot CLI, and App Runner API. To pass secrets or configuration as environment variables to an App Runner service using the App Runner console, select the source of the environment variable (Secrets Manager or SSM Parameter Store) in the service settings, then enter the environment variable name and, as its value, the Amazon Resource Name (ARN) of the resource stored in Secrets Manager or SSM Parameter Store. You need to update your IAM role with the required policies to allow App Runner to access the referenced resources in Secrets Manager and SSM Parameter Store. To learn more about passing environment variables in an App Runner service, see the environment variables section in the developer guide and the feature deep dive blog post. To learn more about App Runner, see the AWS App Runner Developer Guide.
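One way to produce the IAM policy the paragraph above calls for, scoped to exactly the ARNs a service references. This is an added example, not code from AWS or from the announcement. It assumes the role needs `secretsmanager:GetSecretValue` and `ssm:GetParameters`; the helper names, account ID, region and resource names are constructed placeholders.

```python
import json

# Assumption: these are the read actions the role needs for each store.
# A secret encrypted with a customer managed KMS key additionally needs
# kms:Decrypt on that key, which this example does not generate.
ACTIONS = {"secretsmanager": "secretsmanager:GetSecretValue",
           "ssm": "ssm:GetParameters"}
RESOURCE_PREFIX = {"secretsmanager": "secret:", "ssm": "parameter/"}


def classify(arn):
    """Return 'secretsmanager' or 'ssm' for a supported ARN, else raise."""
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    service, resource = parts[2], parts[5]
    if service not in ACTIONS or not resource.startswith(RESOURCE_PREFIX[service]):
        raise ValueError(f"unsupported source for an environment variable: {arn!r}")
    if "*" in resource:
        # Refuse wildcards so the role can read only what the service references.
        raise ValueError(f"wildcard resource not allowed: {arn!r}")
    return service


def build_policy(env_to_arn):
    """Build a least-privilege policy: one statement per store, exact ARNs only."""
    by_service = {}
    for arn in env_to_arn.values():
        by_service.setdefault(classify(arn), set()).add(arn)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": [ACTIONS[svc]],
                           "Resource": sorted(arns)}
                          for svc, arns in sorted(by_service.items())]}


# Constructed sample input: environment variable name -> referenced ARN.
SAMPLE = {
    "DB_PASSWORD": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-password-AbCdEf",
    "LOG_LEVEL": "arn:aws:ssm:us-east-1:111122223333:parameter/app/log-level",
}

if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE), indent=2))
```

Validating the ARNs before generating the policy catches a mistyped or over-broad reference at review time rather than as a failed deployment or an over-permissive role.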