Referencing sensitive data as environment variables Considerations Permissions

Referencing environment variables

With App Runner, you can reference secrets and configurations as environment variables in your service when you create a service or update a service.

You can reference non-sensitive configuration data such as timeouts and retry counts in Plain Text as key-value pairs. The configuration data that you reference in Plain Text isn't encrypted and is visible to others in App Runner service configuration and application logs.

Note

For security reasons, don't reference any sensitive data in Plain Text in your App Runner service.

Referencing sensitive data as environment variables

App Runner supports securely referencing sensitive data as environment variables in your service. Consider storing the sensitive data that you want to reference in AWS Secrets Manager or AWS Systems Manager Parameter Store. Then, you can securely reference them in your service as environment variables from App Runner console or by calling the API. This effectively separates secret and parameter management from your application code and service configuration, improving the overall security of your applications running on App Runner.

Note

App Runner doesn't charge you for referencing Secrets Manager and SSM Parameter Store as environment variables. However, you pay standard pricing for using Secrets Manager and SSM Parameter Store.

For more information about pricing, see the following:

The following is the process to reference sensitive data as environment variables:

Store sensitive data, such as API keys, database credentials, database connection parameters, or application versions as secrets or parameters in either AWS Secrets Manager or AWS Systems Manager Parameter Store.
Update the IAM policy of your instance role so App Runner can access the secrets and parameters stored in Secrets Manager and SSM Parameter Store. For more information, see Permissions.
Securely reference the secrets and parameters as environment variables by assigning a name and providing their Amazon Resource Name (ARN). You can add environment variables when you create a service or update a service's configuration. You can use one of the following options to add environment variables:
- App Runner console
- App Runner API
- apprunner.yaml configuration file
Note
You cannot assign PORT as a name for an environment variable when creating or updating your App Runner service. It's a reserved environment variable for App Runner service.

For more information on how to reference secrets and parameters, see Managing environment variables.

Note

Since App Runner only stores the reference to secret and parameter ARNs, the sensitive data isn't visible to others in the App Runner service configuration and application logs.

Considerations

Make sure that you update your instance role with appropriate permissions to access the secrets and parameters in AWS Secrets Manager or in AWS Systems Manager Parameter Store. For more information, see Permissions.
Make sure that AWS Systems Manager Parameter Store is in the same AWS account as the service that you want to launch or update. Currently, you can't reference SSM Parameter Store parameters across accounts.
When the secrets and parameter values are rotated or changed they are not automatically updated in your App Runner service. Redeploy your App Runner service as App Runner only pulls secrets and parameters during deployment.
You also have the option to directly call AWS Secrets Manager and AWS Systems Manager Parameter Store through the SDK in your App Runner service.
To avoid errors make sure of the following when referencing them as the environment variables:
- You specify the right ARN of the secret.
- You specify the right name or ARN of the parameter.

Permissions

To enable referencing secrets and parameters stored in the AWS Secrets Manager or SSM Parameter Store, add appropriate permissions to the IAM policy of your instance role to access Secrets Manager and SSM Parameter Store.

Note

App Runner can't access resources in your account without your permission. You provide the permission through updating your IAM policy.

You can use the following policy templates to update your instance role in the IAM console. You can modify these policy templates to meet your specific requirement. For more information about updating an instance role, see Modifying a role in the IAM User Guide.

Note

You can also copy the following templates from the App Runner console when creating the environment variables.

Copy, the following template to your instance role to add permission to reference secrets from AWS Secrets Manager.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "kms:Decrypt*"
      ],
      "Resource": [
        "arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<secret_name>",
        "arn:aws:kms:<region>:<aws_account_id>:key/<key_id>"
      ]
    }
  ]
}

Copy the following template to your instance role to add permission to reference parameters from AWS Systems Manager Parameter Store.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters"
      ],
      "Resource": [
        "arn:aws:ssm:<region>:<aws_account_id>:parameter/<parameter_name>"
      ]
    }
  ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Deletion

Manage environment variables