# ktor
h
Good morning. 🙂 Those of you running ktor apps on AWS ECS and using AWS Secrets Manager to store configuration, how do you provide the configuration to the app?
h
We use the environment variables file
h
In production? How do you provide it to the app?
m
we started with env vars (managed via terraform), but IMHO a cleaner approach is to fetch them on server startup
h
I'm leaning towards using the AWS CDK to load them on startup based on a command line argument, and then fall back to env vars so you can run it locally in an easy way
h
@hfhbd Sure, but how do you load that .env into Ktor? It doesn't support .env files out of the box.
Oh, you mean you use the file to pass env vars to the container. Got it.
r
We have one ktor config file per env for non-sensitive settings that are specific to each env (e.g. application.yaml, application-staging.yaml). Secrets use environment variables (e.g. mySecret: $MY_SECRET). As part of the build and deploy pipeline, the variables are mapped from Secrets Manager to the new task
s
#C018GCM5PS6 has providers for resolving from SSM and Secrets Manager. Strongly recommend the library, written by Sam (who also created #CT0G9SD7Z)
b
You just define the secret manager secret in your task definition. AWS will handle it all. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/secrets-envvar-secrets-manager.html
t
FWIW all of our teams at aetna are currently reworking everything to load secrets in their runtime as needed to try and better handle when a secret gets rotated out from under them in AWS secret manager. None of them are using ktor, but if you are reworking secret management it might be a good idea to plan for picking up secret rotation without it having to force the service into a bad healthcheck and auto redeploy from the ALB, so that you can minimize downtime when rotations do happen. Problem with using the normal ecs task def to put secrets in as env vars is you are forced to depend on a task restart IIRC. For us it's our security overlords requiring automated secret rotation and them wanting to get all the secret management to the point that no dev ever has to directly touch/see/manage a secret beyond the initial tf apply request to spin up a new service.