Secret manager env#3800
Closed
ntner wants to merge 2 commits into
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What is the feature/update/fix?
Feature: AWS Secrets Manager environment injection
This release adds an optional path for injecting application environment variables into ECS tasks through native AWS Secrets Manager
secretsblocks, instead of fetching them from S3 and decrypting with KMS at runtime. When enabled, ECS resolves each variable at task launch from a single per-app JSON secret named{rack}/{app}, pulling individual keys with theARN:key::reference format. With the secret in place, theCONVOX_ENV_KEY,CONVOX_ENV_URL, andCONVOX_ENV_VARStask variables are suppressed, which short-circuits theconvox-envS3 fetch so values come straight from Secrets Manager.The model is write-through: S3 remains the source of truth, and Secrets Manager is a deployment-time overlay populated during
convox releases promote. Nothing about the existing release storage changes. Enabling the feature is purely additive and is controlled by a Yes/No rack parameter that defaults toNo.SecretsManagerEnvYes/No)NoYes, ECS tasks resolve env vars from a per-app Secrets Manager secret at launch instead of the S3 + KMS runtime fetchThe parameter can be set at three levels with the following precedence. The rack-level value is the default for all apps. An app-level value is opt-in only: setting
SecretsManagerEnv=Yeson an app turns it on even when the rack default isNo, but setting it toNodoes not turn it off when the rack default isYes. Aparamsentry inconvox.ymloverrides both the rack and app values and is the way to disable Secrets Manager for a single app while the rack default isYes.convox rack params set SecretsManagerEnv=Yesconvox apps params set SecretsManagerEnv=Yes -a my-appYesis honoredparams: { SecretsManagerEnv: "Yes" }Failures are handled without blocking deploys. If the Secrets Manager write fails during a promote, the rack logs a warning and falls back to S3 injection for that release. One-off tasks started with
convox runalso use Secrets Manager when it is enabled, and fall back to S3 if the secret lookup fails. On app deletion, the per-app secret is scheduled for deletion with a 30-day recovery window. IAM access is scoped tightly: the rack API role gets full Secrets Manager CRUD over the{rack}/*prefix, while app and service execution roles getGetSecretValueonly on the exact secret ARN. Gen1 apps are not affected, since they use a separate promote path.How to use it?
Enable Secrets Manager injection for every app on the rack:
Then promote a release so the secret is populated and the task definitions pick up the change:
To keep the rack default off but enable it for one app only:
To pin the value per app from source control, add a
paramsblock toconvox.yml. This overrides both the rack and app settings:To disable Secrets Manager for a single app while the rack default is
Yes, use theconvox.ymlparamsblock (an app-levelNowill not turn it off):Check your current rack value at any time:
Does it have a breaking change?
No. The feature is entirely additive and off by default.
SecretsManagerEnvdefaults toNo, so racks and apps that take no action behave exactly as before, fetching env vars from S3 and decrypting with KMS at runtime. No CloudFormation resources are renamed, no stack Outputs are removed or renamed, and no existing parameters change type or default.The change is downgrade safe. Racks running a version without the
SecretsManagerEnvparameter silently treat it asNo, and the CloudFormation template guards produce no Secrets Manager output when the secret ARN is empty. If a Secrets Manager write ever fails during a promote, the deploy is not blocked: the rack logs a warning and falls back to S3 injection for that release.Requirements
To use this feature, you must update to rack version
20260531001024or newer.convox rackconvox rack update