
What's the best way to automatically retrieve a secret from AWS secrets manager in a newly launched EC2 instance?


I have an app I'm deploying using a CloudFormation template with an AutoScaling Policy.

I'm storing credentials for the app in AWS Secrets Manager.

I need to retrieve the credentials and copy them over to the application config during the instance's bootup process.

What's the best way of securely achieving this?

Baking them into the AMI isn't an option because the credentials will be changing much more frequently than the image.


Solution

  • You can pass a script in the UserData field, which will be executed when the Amazon EC2 instance first boots.

    It can use the AWS Command-Line Interface (CLI) to retrieve the secret from AWS Secrets Manager. You can then write some funky shell script to insert it into the desired configuration file.

    See:
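A worked version of the UserData approach above, added here as an example and not part of the original answer: a Python script that fetches the secret through the instance profile with boto3 (assumed to grant `secretsmanager:GetSecretValue` on that one secret) and writes it into the application config atomically with owner-only permissions. The `SECRET_ID`/`CONFIG_PATH` environment variables, the KEY=value config format and the sample secret are assumptions.

```python
#!/usr/bin/env python3
"""Boot-time helper: pull a JSON secret from Secrets Manager and render it into
an app config file.  Hypothetical example, not code from the original post."""
import json
import os
import re
import stat
import tempfile

# Constructed sample with the same shape as a Secrets Manager JSON secret.
SAMPLE_SECRET = {"db_user": "app", "db_pass": "s3cr3t-example"}
KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def fetch_secret(secret_id, region_name=None):
    """Retrieve and decode the secret with the instance role's credentials
    (boto3 reads them from the instance metadata service; no static keys)."""
    import boto3  # imported lazily so the rendering logic runs without it
    client = boto3.client("secretsmanager", region_name=region_name)
    resp = client.get_secret_value(SecretId=secret_id)
    return json.loads(resp["SecretString"])

def render_config(secret, path, mode=0o600):
    """Write KEY=value lines to `path` atomically with owner-only permissions.
    Rejects keys/values that could inject extra lines into the config."""
    for key, value in secret.items():
        if not KEY_RE.match(key) or "\n" in str(value):
            raise ValueError(f"refusing to render unsafe entry: {key!r}")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    try:
        with os.fdopen(fd, "w") as fh:  # mkstemp creates the file 0600
            for key in sorted(secret):
                fh.write(f"{key}={secret[key]}\n")
        os.chmod(tmp, mode)
        os.replace(tmp, path)  # readers never see a half-written file
    except BaseException:
        os.unlink(tmp)
        raise
    return path

def inspect_config(path):
    """Return (contents, permission bits) so the result can be verified."""
    with open(path) as fh:
        return fh.read(), stat.S_IMODE(os.stat(path).st_mode)

def render_sample():
    """Render SAMPLE_SECRET into a fresh temp dir; returns the config path."""
    return render_config(SAMPLE_SECRET, os.path.join(tempfile.mkdtemp(), "app.conf"))

if __name__ == "__main__":
    # In UserData: SECRET_ID names the secret, CONFIG_PATH the target file.
    secret = fetch_secret(os.environ["SECRET_ID"])
    render_config(secret, os.environ.get("CONFIG_PATH", "/etc/myapp/app.conf"))
```

Pair the script with an instance profile scoped to that secret's ARN so a compromised instance cannot read other secrets, and rotate the secret through Secrets Manager rather than re-baking the AMI.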