.NET on AWS Blog

AWS Elastic Beanstalk now integrates with AWS Secrets Manager and Systems Manager Parameter Store

AWS Elastic Beanstalk provides deployment and management capabilities for web applications and services. The Elastic Beanstalk service handles operational tasks including load balancing, scaling, and monitoring while users focus on their application code.

Elastic Beanstalk allows applications to access configuration data through key-value pairs in environment properties. However, this approach has certain limitations – environment variables are restricted to 4096 bytes, stored as plain text, and lack built-in encryption. These constraints can affect how customers manage sensitive data like credentials and API keys.

Some customers use EB extensions to fetch secrets and configuration values and expose them to applications as environment variables. However, this is additional code that customers must develop, manage, and package inside the application archive, which native support in Elastic Beanstalk makes unnecessary. When configuration values or secrets change, customers must also deploy a new application package even though no application code has changed.

AWS Elastic Beanstalk now offers integration with AWS Secrets Manager and AWS Systems Manager (SSM) Parameter Store (Parameter Store) for configuration management. This integration enables applications to access stored parameters through environment variables. In this post, we will explore the three different configuration options using a sample application.

Overview

This demonstration explores configuration management techniques within a .NET 8 MVC application, implementing three distinct configuration sources:

1.  Standard environment variables using the existing key-value functionality of Elastic Beanstalk

2. Configuration parameters maintained in Parameter Store

3. Secure credentials stored in Secrets Manager

The application demonstrates integration capabilities by retrieving and displaying values from these sources. This approach showcases how modern applications can leverage both traditional environment variables and AWS Elastic Beanstalk’s advanced features for robust configuration management.

Figure 1: Elastic Beanstalk application that references Parameter Store and Secrets Manager


Prerequisites

For this walkthrough, you should have the following prerequisites:

  • An active AWS account
  • A user with permissions to create and manage AWS resources, including:
    • Elastic Beanstalk
    • IAM Roles
    • AWS Systems Manager Parameter Store
    • AWS Secrets Manager
  • Visual Studio installed on your development machine
  • AWS Toolkit for Visual Studio installed and configured
  • Familiarity with the Elastic Beanstalk service

Step 1: Create a .NET application and an environment

Using the Getting Started with Elastic Beanstalk section of the Elastic Beanstalk Developer Guide, create an example application with .NET 8 running on 64-bit Amazon Linux 2023 as the platform.

Figure 2: Review AWS Elastic Beanstalk .NET Application Configuration


Step 2: Deploy a .NET application

In this step, you’ll deploy the .NET MVC application to AWS Elastic Beanstalk.

  1. Create a new ASP.NET Core Web Application
  2. Select the Model-View-Controller template and target .NET 8.0.
  3. Right-click the project and choose Publish to AWS.
  4. Choose Publish to Existing Target – Getting-started-app-env created in Step 1.
  5. Choose the domain endpoint and load the site.
Figure 3: .NET MVC Application deployed to Elastic Beanstalk Environment


Step 3: Deploy a new version of the application

Next, modify the index page to retrieve environment variables and deploy it to Elastic Beanstalk to demonstrate different environment types.

  1. Replace the code in Views/Home/Index.cshtml with the following code:
@{
    ViewData["Title"] = "Home Page";

    var PLAIN_TEXT = Environment.GetEnvironmentVariable("PLAIN_TEXT") ?? "Not Available";
    var PARAM_STORE = Environment.GetEnvironmentVariable("PARAM_STORE") ?? "Not Available";
    var SECRET_VALUE = Environment.GetEnvironmentVariable("SECRET_VALUE") ?? "Not Available";

}

<div class="text-center">
    <h1 class="display-4">Environment Variable - Demo</h1>
    <h2>Source - Plaintext</h2>
    <p>Value of Plaintext - ENV is: @PLAIN_TEXT</p>
    <h2>Source - Param Store</h2>
    <p>Value of Param Store - ENV is: @PARAM_STORE</p>
    <h2>Source - Secret Store</h2>
    <p>Value of Secret Store - ENV is: @SECRET_VALUE</p>
</div>
  2. Right-click the project and choose Publish to AWS.
  3. Click the domain endpoint and load the site.

The application code displays either the environment variable (if available) or Not Available.

Figure 4: Retrieving default value


Because no environment variables are set yet, the page shows Not Available. The following steps add each type of environment variable in turn.

Step 4: Add a plain text environment variable

In this step, you’ll add a plain text environment variable and preview the application.

  1. Navigate to the Environment Configuration page of Getting-started-app-env.
  2. Configure the Elastic Beanstalk environment properties:
Figure 5: Plain text Environment Property


  3. Choose Apply and wait for the environment update.
  4. Preview the environment to verify that the plain text value has been retrieved.
Figure 6: Retrieving Plain text Environment Variable


Step 5: Reference a Parameter Store Parameter

In this step, you’ll create a parameter in Parameter Store and then reference it from within the application.

  1. Create a Parameter Store parameter in the AWS Console
    1. Follow the AWS User Guide for Creating a Parameter Store parameter using the console.
    2. Choose Name as getting_started_name.
    3. Choose Value as getting_started_value.
    4. Copy and save the parameter’s Amazon Resource Name (ARN) for later use.
  2. Update the EC2 IAM role to add permissions to access the parameter created in step 5-1.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:ssm:us-east-1:111122223333:parameter/getting_started_name"
            ]
        }
    ]
}
  3. Configure the Elastic Beanstalk Environment Properties

Add a new property with:

  • Source: Parameter Store
  • Name: PARAM_STORE
  • Value: [paste the ARN copied from step 5-1d]
Figure 7: Parameter Store Source Environment Property


  4. Choose Apply and wait for the environment update.
  5. Preview the environment to ensure the plain text value and the Parameter Store value are available.

The application code retrieves and displays two environment variables: PLAIN_TEXT (plain text key-value pair) and PARAM_STORE (parameter store reference).

Figure 8: Retrieving Plain text and Parameter Store Environment Variables


Step 6: Reference a secret from Secrets Manager

In this step, you’ll create a secret in Secrets Manager and then reference it from within the application.

  1. Create a Secret in AWS Secrets Manager

Follow the AWS User Guide for Create an AWS Secrets Manager secret.

    1. Select Other type of secret.
    2. In the Plaintext tab under Key/value pairs, enter: {"username": "ExampleUserId1", "password": "EXAMPLEPASSWORD"}.
    3. Choose the name as getting_started_secret.
    4. Note down the ARN after creation.
Figure 9: Secrets in AWS Secrets Manager


  2. Update the EC2 IAM role to add permissions to access the secret created in step 6-1.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:secretsmanager:us-east-1:111122223333:secret:test-fb0jMB",
                "arn:aws:kms:us-east-1:111122223333:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
            ]
        }
    ]
}
  3. Configure Elastic Beanstalk Environment Properties. Add a new property with:
  • Source: Secrets Manager
  • Name: SECRET_VALUE
  • Value: [paste the ARN copied from Step 6-1d]
Figure 10: Secrets Manager Source Environment Property


  4. Choose Apply and wait for the environment update.
  5. Preview the environment to ensure the plain text value, Parameter Store value, and Secrets Manager value are available.
Figure 11: Retrieving Plain text, Parameter Store and Secrets Manager Environment Variables


The application code retrieves and displays three environment variables: PLAIN_TEXT (a plain text key-value pair), PARAM_STORE (a Parameter Store reference), and SECRET_VALUE (a Secrets Manager reference).
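
The demo view prints SECRET_VALUE verbatim. As an added example (not part of the original post or any AWS sample), the console program below shows how application code could consume the same variable: it parses the key/value pair from Step 6, fails closed when the value is missing or malformed, and keeps the password out of log output. The `SecretEnv` and `Credentials` names are hypothetical, and the code assumes SECRET_VALUE carries the secret's whole JSON string.

```csharp
using System;
using System.Text.Json;

// Constructed sample matching the key/value pair entered in Step 6. On an
// Elastic Beanstalk instance the real value arrives in SECRET_VALUE.
const string sample = "{\"username\": \"ExampleUserId1\", \"password\": \"EXAMPLEPASSWORD\"}";
string raw = Environment.GetEnvironmentVariable("SECRET_VALUE") ?? sample;

Credentials creds = SecretEnv.Parse(raw);
// The overridden ToString keeps the password out of console and log output.
Console.WriteLine($"Secret resolved: {creds}");

// Hypothetical type (not an AWS API). Records print every property by
// default, so ToString is overridden to redact the password.
public sealed record Credentials(string Username, string Password)
{
    public override string ToString() => $"Credentials(Username={Username}, Password=***)";
}

// Hypothetical helper (not an AWS API).
public static class SecretEnv
{
    // Assumption: the variable holds the secret's full JSON string.
    public static Credentials Parse(string? raw)
    {
        if (string.IsNullOrWhiteSpace(raw))
            throw new InvalidOperationException(
                "SECRET_VALUE is empty; check the environment property and instance role.");
        try
        {
            using JsonDocument doc = JsonDocument.Parse(raw);
            JsonElement root = doc.RootElement;
            if (root.ValueKind != JsonValueKind.Object
                || !root.TryGetProperty("username", out JsonElement user)
                || user.ValueKind != JsonValueKind.String
                || !root.TryGetProperty("password", out JsonElement pass)
                || pass.ValueKind != JsonValueKind.String)
                throw new InvalidOperationException(
                    "SECRET_VALUE lacks a string username or password.");
            return new Credentials(user.GetString()!, pass.GetString()!);
        }
        catch (JsonException)
        {
            // Drop the parser message: it can quote characters of the input.
            throw new InvalidOperationException("SECRET_VALUE is not valid JSON.");
        }
    }
}
```

Parsing once at startup fits how Elastic Beanstalk supplies the value: it is fixed when the instance is deployed and changes only after the app server restarts or the environment is updated.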

Step 7: Refreshing the Config values in the Environment

Elastic Beanstalk retrieves parameters during instance deployment. When customers rotate or update values in AWS Secrets Manager or Parameter Store, the current Elastic Beanstalk environment variables retain the old values. During a scale-out event, new instances will retrieve the new values, while existing instances will continue to use the old values.

To fetch the latest version of secrets from the secret store, customers must trigger RestartAppServer or UpdateEnvironment.

We will update the environment values and restart app server(s) in the console to get the new values.

  1. Follow Update the value for an AWS Secrets Manager secret (created in Step 6-1) with the value {"username":"ExampleUserId1","password":"UPDATEDPASSWORD"}.
  2. Update the parameter store value (created in Step 5-1) with the value getting_updated_value.
  3. Restart the Elastic Beanstalk environment
    1. Navigate to the Elastic Beanstalk service page in the console
    2. In the navigation pane, choose Environments – Getting-started-app-env (created in the Create a .NET application and an environment section), and then choose the name of your environment from the list.
    3. Choose Actions, and then choose Restart app server(s)
  4. Access the Elastic Beanstalk environment URL to confirm the new values.
Figure 12: Retrieving updated values from Parameter Store and Secrets Manager


Clean up

Follow these steps to clean up the resources you provisioned.

  1. Navigate to the Elastic Beanstalk Console and delete the Application getting-started-app.
  2. Navigate to AWS Systems Manager, choose Parameter Store, and delete the parameter getting_started_name.
  3. Navigate to AWS Secrets Manager and delete the secret getting_started_secret.

Conclusion

In this blog post, we explored how the new features in AWS Elastic Beanstalk enhance configuration management. Customers can now choose from three configuration sources: Plain text, AWS Secrets Manager, and Systems Manager Parameter Store.

The options enhance environment variable management by removing the 4096 character size limit and providing secure storage through Parameter Store/Secrets Manager. They offer centralized management of sensitive data with encryption, rotation capabilities, and audit features. The system ensures consistent configurations across environments while improving security, scalability, and maintainability through separation of concerns. This approach simplifies credential management and supports compliance requirements through comprehensive monitoring and access controls.

Ready to modernize your application deployment? Start using AWS Elastic Beanstalk today.

Sakthi Chellapparimanam


Sakthivel Chellapparimanam is a Solutions Architect with AWS India. He helps customers in building cloud applications and migrating applications to cloud. Outside of work, he enjoys spending quality time with family. He is also a passionate cricketer and tries to get on the field whenever possible.