Storing the connection string in Amazon S3 - AWS Elastic Beanstalk

Storing the connection string in Amazon S3

One alternative, though not optimal, is to provide connection information to your application with environment properties. This keeps your passwords out of your code. However, the environment properties are discoverable in the environment management console and can be viewed by any user that has permission to describe configuration settings on your environment. Depending on the platform, environment properties might also appear in instance logs.

To prevent this situation, we recommend that you lock down your connection information by storing it in an Amazon S3 bucket instead. The main steps are as follows:

  • Upload a file that contains your connection string to an Amazon S3 bucket.

  • Grant the EC2 instance profile permission to read the file.

  • Configure your application to download the file during deployment.

  • Read the file in your application code.

First, create a bucket to store the file that contains your connection string. For this example, a JSON file that has a single key and value is used. The value is a JDBC connection string for a PostgreSQL DB instance in Amazon RDS.


{ "connection": "jdbc:postgresql://" }

The highlighted portions of the URL correspond to the endpoint, port, DB name, user name, and password for the database.

To create a bucket and upload a file
  1. Open the Amazon S3 console.

  2. Choose Create Bucket.

  3. Type a Bucket Name, and then choose a Region.

  4. Choose Create.

  5. Open the bucket, and then choose Upload

  6. Follow the prompts to upload the file.

By default, your account owns the file and has permission to manage it. However, IAM users and roles only have this permission if you grant them access explicitly. Grant the instances in your Elastic Beanstalk environment by adding a policy to the instance profile.

The default instance profile is named aws-elasticbeanstalk-ec2-role. If you're not sure what your instance profile is named, you can find it on the Configuration page in the environment management console.

To add permissions to the instance profile
  1. Open the IAM console.

  2. Choose Roles.

  3. Choose aws-elasticbeanstalk-ec2-role.

  4. Choose Add inline policy.

  5. Add a policy that allows the instance to retrieve the file.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "database", "Action": [ "s3:GetObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET-123456789012/beanstalk-database.json" ] } ] }

    Replace the bucket and object names with the names of your bucket and object.

Next, add a configuration file to your source code that directs Elastic Beanstalk to download the file from Amazon S3 during deployment.


Resources: AWSEBAutoScalingGroup: Metadata: AWS::CloudFormation::Authentication: S3Auth: type: "s3" buckets: ["DOC-EXAMPLE-BUCKET-123456789012"] roleName: "aws-elasticbeanstalk-ec2-role" files: "/tmp/beanstalk-database.json" : mode: "000644" owner: root group: root authentication: "S3Auth" source:

This configuration file does two things. The Resources key adds an authentication method to the Auto Scaling group metadata for the environment. Elastic Beanstalk can use this authentication method to access Amazon S3. The files key allows Elastic Beanstalk to download the file from Amazon S3 and store it locally in /tmp/ during deployment.

Deploy your application with the configuration file in .ebextensions folder at the root of your source code. If you configured permissions correctly, the deployment will succeed and the file will be downloaded to all of the instances in your environment. If not successful, the deployment will fail.

Finally, add code to your application to read the JSON file and use the connection string to connect to the database.