How should secret files be pushed to an EC2 (on AWS) Ruby on Rails application?

Smells like a typo.

The instructions you linked to say, in relevant part:

Customizing your AWS Elastic Beanstalk environment when you deploy your application requires two steps:

  1. Create a configuration file with the extension .config and place it in an .ebextensions top-level directory of your source bundle. You can have multiple configuration files in your .ebextensions directory. These files are executed in alphabetical order. For example, .ebextensions/01run.config is executed before .ebextensions/02do.config.

However, you said you placed the .config file in a .elasticbeanstalk directory. Try fixing the directory name.


It is possible (and easy) to store sensitive files in S3 and copy them to your Beanstalk instances automatically.

When you create a Beanstalk application, an S3 bucket is automatically created. This bucket is used to store app versions, logs, metadata, etc.

The default aws-elasticbeanstalk-ec2-role that is assigned to your Beanstalk environment has read access to this bucket.

So all you need to do is put your sensitive files in that bucket (either at the root of the bucket or in any directory structure you desire), and create a .ebextension config file to copy them over to your EC2 instances.

Here is an example:

# .ebextensions/sensitive_files.config

Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["elasticbeanstalk-us-east-1-XXX"] # Replace with your bucket name
          roleName: 
            "Fn::GetOptionSetting": 
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role" # This is the default role created for you when creating a new Beanstalk environment. Change it if you are using a custom role

files:
  /etc/pki/tls/certs/server.key: # This is where the file will be copied on the EC2 instances
    mode: "000400" # Apply restrictive permissions to the file
    owner: root # Or nodejs, or whatever suits your needs
    group: root # Or nodejs, or whatever suits your needs
    authentication: "S3Auth"
    source: https://s3.us-east-1.amazonaws.com/elasticbeanstalk-us-east-1-XXX/server.key # URL to the file in S3; the endpoint region must match the bucket's region (us-east-1 here), otherwise S3 answers with a redirect and cfn-init fails

This is documented here: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-storingprivatekeys.html


You can run a bash script and have all the files you need downloaded from S3 using a command line utility such as s3cmd.

I have written a series of articles that cover the customization of AWS Elastic Beanstalk.

For the details about downloading files from S3 you can refer to http://www.hudku.com/blog/security-credentials-setup-customizing/#aws-credentials-setup.sh
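As an added example that is not from the answer above, the linked blog, or AWS, here is the shape such a download script can take. It assumes the instance role can read the bucket and that a downloader is installed; the command is taken from a hypothetical FETCH variable (defaulting to "aws s3 cp", "s3cmd get" works the same way) so the script can be exercised locally with plain cp. The point it adds is the handling that a secret file needs and that a bare download lacks: the file is created under umask 077 so it is never world-readable, even briefly, is renamed into place atomically, and check_secret refuses a file that is a symlink or has permissions wider than expected. That check is equally useful after the files: config from the earlier answer, since it catches a wrong mode or owner before Rails reads the key.

```shell
#!/bin/sh
# Added example: fetch one secret file from S3 into place with restrictive
# permissions, then verify it. Assumptions: the AWS CLI (or s3cmd) is on the
# instance, the instance role can read the bucket, and $FETCH names the
# downloader (hypothetical variable; defaults to "aws s3 cp").
set -eu

# fetch_secret <s3-url> <dest-path> <owner> <group> <mode>
# Body runs in a subshell so the umask change stays local. The download lands
# in a temp file in the destination directory (created 0600 under umask 077),
# owner and mode are fixed, then it is renamed into place so a partially
# written or wide-open file is never visible at the final path.
fetch_secret() (
    src=$1 dest=$2 owner=$3 group=$4 mode=$5
    fetch=${FETCH:-aws s3 cp}      # assumption: "aws s3 cp" or "s3cmd get"
    dir=$(dirname "$dest")
    mkdir -p "$dir"
    umask 077                      # anything the downloader writes is 0600
    tmp=$(mktemp "$dir/.secret.XXXXXX")
    # $fetch is word-split on purpose so multi-word commands work
    if ! $fetch "$src" "$tmp"; then
        rm -f "$tmp"
        echo "download of $src failed" >&2
        return 1
    fi
    chmod "$mode" "$tmp"
    # chown requires root; skipped when run unprivileged (e.g. a local test)
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$group" "$tmp"
    fi
    mv -f "$tmp" "$dest"
)

# check_secret <path> <expected-ls-mode>   e.g. "-r--------" for 0400
# Fails if the file is missing, is a symlink (could point anywhere), or its
# permission bits differ from what the deployment intended.
check_secret() {
    path=$1 want=$2
    [ -f "$path" ] || { echo "$path missing" >&2; return 1; }
    [ ! -L "$path" ] || { echo "$path is a symlink" >&2; return 1; }
    have=$(ls -l "$path" | cut -c1-10)
    [ "$have" = "$want" ] || { echo "$path has mode $have, want $want" >&2; return 1; }
}

# Usage on an instance, as root (e.g. from a container_commands hook):
#   fetch_secret s3://elasticbeanstalk-us-east-1-XXX/server.key \
#       /etc/pki/tls/certs/server.key root root 400
#   check_secret /etc/pki/tls/certs/server.key "-r--------"
```

Run check_secret again from a deploy hook or a cron job: the most common way a key leaks on a box is a later chmod or a rebuild that drops the mode line, and the check turns that into a failed deploy instead of a silent exposure.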