
AWS App Runner now integrates with AWS Secrets Manager and AWS Systems Manager Parameter Store

AWS App Runner makes it easy to run web applications and APIs at production scale. It enables you to build, deploy, run, and observe web applications without the burden associated with infrastructure management. Many such applications externalize the storage of URLs, API keys, usernames, database secrets, and configuration parameters. Starting today, App Runner allows you to deploy and run applications while securely referencing configuration data stored in AWS Systems Manager (SSM) Parameter Store and AWS Secrets Manager.

Externalizing configuration improves the reusability and adaptability of code. Instead of embedding data into code, configuration and credentials are read at runtime from an external system that stores them securely and keeps an audit trail. The benefit is that you can change these values at runtime without rebuilding the code.

Consider the case of database credentials. If you store the database connection string and credentials in your code, when the database password changes, you’ll have to change the code. After that, you’ll have to rebuild and redeploy the code. By storing database credentials externally in a secure data store such as AWS Secrets Manager, you can avoid the step of rebuilding code when the database password changes. Once you change the secret in Secrets Manager, you can trigger a redeployment. When the code restarts, it gets an environment variable containing a new database password.

App Runner now allows you to reference secrets and configuration parameters stored in AWS Secrets Manager and AWS Systems Manager Parameter Store. Applications running in App Runner will have the data available as environment variables. Let’s explore the features using a sample application.

Externalizing configuration with AWS App Runner

We’ll use a NodeJS application for demonstration. The application persists data in an Amazon RDS database. We’ll store database credentials in AWS Secrets Manager and reference the secret when deploying the application. The sample application also stores configuration parameters in AWS Systems Manager Parameter Store.

The integration with AWS Systems Manager Parameter Store and AWS Secrets Manager allows you to change information dynamically without changing code. The approach is more secure as it hides confidential data from anyone inspecting your code. Meanwhile, confidential data is stored securely. And you have audit logs that record data access.

Architecture

The sample application runs a website for a fictional hotel. It is a NodeJS application served by Express web framework. We’ll use App Runner to run this application. The data persists in an RDS database.

As part of standing up the stack, we create the database and associated secrets and store them in AWS Secrets Manager. The application reads configuration parameters from environment variables. We’ll create a configuration parameter in AWS Systems Manager Parameter Store. During deployment, we’ll provide the ARN of the secret and parameter.

When App Runner starts an instance of the sample application, secrets and configuration parameters will be available as environment variables.

Walkthrough

You’ll need an AWS and a GitHub account to follow the example.

The sample application’s code is available in this GitHub repository. Clone the code for this demonstration.

```
git clone https://github.com/aws-samples/apprunner-hotel-app
```

We have included an AWS CloudFormation template that provisions a VPC, subnets, security groups, IAM roles, and an RDS database instance. A strong password is generated and stored in AWS Secrets Manager.

Sign in to your AWS account and select a Region where AWS App Runner is available. Then navigate to CloudFormation.

Click on Create stack and select With new resources (standard). For this post, we are using US East (N. Virginia).

On the next screen, select Upload a template file and click on the Choose file button. Navigate to the directory where you cloned the code. Upload infra.yaml. Click Next.

Besides necessary networking and security resources to run the Amazon RDS database, the template creates an IAM role that allows App Runner to publish logs to CloudWatch, traces to AWS X-Ray, read a secret from Secrets Manager, and a parameter store value from SSM Parameter Store.

Give the stack a name, such as apprunner-demo and click Next.

Enter a value for HotelName. This value will be stored in AWS Systems Manager Parameter Store. App Runner will dynamically retrieve this value when it starts the web application. The CloudFormation template includes a default value.

Follow the prompts and acknowledge the IAM transforms to create the App Runner IAM instance role. Then click Create stack.

Once deployment finishes, go to the Outputs tab. You’ll find the ARNs of the database credentials (stored in Secrets Manager) and the hotel name (stored in Parameter Store). Take a note of these values. We’ll pass these values to the App Runner service later when deploying the web application.

Deploy the web application

Navigate to the App Runner console. Click on Create an App Runner service.

  • For repository type, select Source code repository.
  • Select your GitHub repository and the branch to use.
  • For Deployment settings, select Manual. Selecting Automatic will trigger a deployment on every push to this branch. Then click Next.

We need to configure the build and start commands. App Runner will use these commands to build a container image, push it to Amazon Elastic Container Registry (Amazon ECR), and then deploy it.

  • Set the Runtime to Nodejs 16.
  • The Build command is npm install.
  • The Start command is npm start.
  • Port is 8080.
  • Then click Next.

The service settings page is where we configure the running version of your web application. We will set an environment variable that will contain the name of the secret in AWS Secrets Manager. We will also modify the networking configuration to use the VPC Connector to allow access to the database in the private subnet.

  • Enter a Service name, e.g., apprunner-demo.
  • Click Add environment variable.
  • Select Secrets Manager as the source. Enter MYSQL_SECRET as the environment variable name. Enter the value of DBSecret that was included in CloudFormation outputs.
  • Add another environment variable. But this time, select SSM Parameter Store as the source. The environment variable name is HOTEL_NAME. Enter the value of HotelName as shown in CloudFormation outputs.

The environment variable names are defined in the application source code. MYSQL_SECRET is retrieved in rds.js and HOTEL_NAME in config.js.
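The following is an added example, not the sample repository’s rds.js or config.js, showing how a Node.js service can consume the two environment variables App Runner injects and how a /params-style page can confirm they were populated without printing the secret itself. It assumes (this is the example’s assumption, not something the post states) that the Secrets Manager secret arrives in MYSQL_SECRET as a JSON string with username, password, host, port, and dbname fields; the sample environment at the bottom is constructed for illustration.

```javascript
// Added example (not the sample repo's rds.js / config.js): consuming the
// MYSQL_SECRET and HOTEL_NAME environment variables that App Runner injects
// from Secrets Manager and SSM Parameter Store, and exposing a /params-style
// view that never leaks the database password.
//
// Assumption: the secret is a JSON string with username/password/host/port/
// dbname fields. The field names are this example's assumption.

const REQUIRED_FIELDS = ['username', 'password', 'host'];

// Parse the secret JSON App Runner placed in the environment variable.
// Throws on a missing variable or malformed/incomplete JSON so the service
// fails fast at startup instead of connecting with undefined credentials.
function parseDbSecret(env) {
  const raw = env.MYSQL_SECRET;
  if (typeof raw !== 'string' || raw.length === 0) {
    throw new Error('MYSQL_SECRET is not set; check the service environment variables and instance role');
  }
  let secret;
  try {
    secret = JSON.parse(raw);
  } catch (err) {
    throw new Error('MYSQL_SECRET is not valid JSON');
  }
  const missing = REQUIRED_FIELDS.filter((f) => !(f in secret));
  if (missing.length > 0) {
    throw new Error(`MYSQL_SECRET is missing fields: ${missing.join(', ')}`);
  }
  return {
    host: secret.host,
    port: Number(secret.port) || 3306, // assumption: MySQL default port
    user: secret.username,
    password: secret.password,
    database: secret.dbname || 'hotel', // assumption: fallback database name
  };
}

// Non-secret configuration from Parameter Store; a default keeps the site
// rendering if the parameter was not attached to the service.
function loadAppConfig(env) {
  return { hotelName: env.HOTEL_NAME || 'Unnamed Hotel' };
}

// Redact a value the way a diagnostics page should: show enough to confirm
// the variable was populated, never the secret itself.
function redact(value) {
  if (value === undefined || value === null) return '(unset)';
  const s = String(value);
  if (s.length <= 4) return '****';
  return `${s.slice(0, 2)}${'*'.repeat(s.length - 4)}${s.slice(-2)}`;
}

// Build the /params view. Non-secret parameters are shown verbatim; the
// database password is always redacted.
function paramsView(env) {
  const db = parseDbSecret(env);
  const cfg = loadAppConfig(env);
  return {
    HOTEL_NAME: cfg.hotelName,
    MYSQL_SECRET: {
      host: db.host,
      port: db.port,
      user: db.user,
      database: db.database,
      password: redact(db.password),
    },
  };
}

// Constructed sample environment standing in for what App Runner injects.
const sampleEnv = {
  MYSQL_SECRET: JSON.stringify({
    username: 'admin',
    password: 'S3cr3t-Example-Pw',
    host: 'db.example.internal',
    port: '3306',
    dbname: 'hotel',
  }),
  HOTEL_NAME: 'Sample Hotel',
};

console.log(JSON.stringify(paramsView(sampleEnv), null, 2));
```

Failing fast on a missing or malformed MYSQL_SECRET surfaces a misconfigured instance role or environment variable in the App Runner deployment logs rather than as a confusing database connection error later, and the redaction keeps a diagnostics page such as /params safe to leave enabled.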

Expand the Security section and select the AppRunnerHotelAppRole from the dropdown.

In the Networking section, select Custom VPC. From the VPC Connector dropdown, select AppRunnerHotelApp-RDS-Connector. The UI will display details such as the VPC, subnets, and security groups associated with this connector.

Expand the Observability section and enable Tracing with AWS X-Ray.

Then click Next and review the setup. If everything looks good, scroll down and click the Create & deploy button.

On the service dashboard page, in the Service overview section, monitor the service status. The service is live and ready to process requests when the status turns to Running.

Click on the Default Domain URL to open the web application in a new tab. You’ll see the AWS App Runner Hotel application.

Navigate to the /params path. This page lists the configuration parameters and secrets the application read from environment variables.

The application is successfully able to read parameters and secrets. If application configuration or database secrets change, you can trigger a redeployment (or pause and resume it). Whenever the application starts, it gets the latest data as stored in the Parameter Store or Secrets Manager.

Clean up

Follow these steps to clean up the resources we provisioned.

  1. Go to the App Runner service. Click on Actions and then
  2. Go to CloudFormation and select the stack we deployed earlier, apprunner-demo. Click Delete.

Conclusion

In this blog post, we walked you through securely deploying a web application with App Runner, using AWS Secrets Manager to manage Amazon RDS credentials and AWS Systems Manager Parameter Store to hold configuration. We provided a CloudFormation template to provision all the underlying resources.

You can now use App Runner to simplify and accelerate the deployment of your containerized web applications and APIs with security best practices in place.