
Issues with .env and .gitignore for AWS EC2 deployment


So I made an app using react.js (MERN). The app has like two 3rd-party APIs. I stored the ID keys in a .env file. For the sake of security, when pushing the code to GitHub, I had the .env listed in a .gitignore file. But with that, how am I supposed to have my EC2 instance get access to the info that was hidden by the .gitignore?


Solution

  • You have multiple ways to do it. Below are some of them.

    1. Store your .env file in S3 with proper permissions and encryption at rest. Every time you deploy the app from SCM (Source Code Management), your deployment script will pull the .env from S3 into the app working directory. But to do so, your instance must have a role with a proper policy bound to it that enables access to the S3 bucket where the .env is stored.
    2. Utilize AWS Secrets Manager. This way you can fetch the variables directly using the AWS SDK from your app, without needing the .env file. What it does is that AWS Secrets Manager stores your variables (replacing the .env file), and by using the AWS SDK within the app you can retrieve those values and directly integrate them with the app logic. https://aws.amazon.com/blogs/aws/aws-secrets-manager-store-distribute-and-rotate-credentials-securely/
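A worked example for the second option, added here and not part of the answer above: at startup, the Node/Express side of the MERN app pulls the variables that used to live in .env from AWS Secrets Manager (AWS SDK for JavaScript v3, package `@aws-sdk/client-secrets-manager`, assumed installed) and puts them into `process.env`, so nothing secret is ever committed or copied onto the instance by hand. It assumes the secret is stored as a flat JSON object such as `{"API_ONE_KEY":"...","API_TWO_KEY":"..."}` and that the instance role allows `secretsmanager:GetSecretValue` on it; the secret id, function names and variable names are placeholders.

```javascript
const ENV_NAME = /^[A-Z_][A-Z0-9_]*$/; // variable names we accept

// Turn the SecretString payload into a {NAME: value} map. Anything that is not
// a flat JSON object of strings is rejected loudly: a raw key string stored by
// mistake would otherwise yield zero variables and a confusing runtime failure.
function parseSecretPayload(secretString) {
  let obj;
  try { obj = JSON.parse(secretString); } catch (e) {
    throw new Error('secret payload is not JSON');
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    throw new Error('secret payload must be a JSON object');
  }
  const out = {};
  for (const [name, value] of Object.entries(obj)) {
    if (!ENV_NAME.test(name)) throw new Error(`invalid variable name: ${name}`);
    if (typeof value !== 'string') throw new Error(`value of ${name} must be a string`);
    out[name] = value;
  }
  return out;
}

// Copy the map into an env object. Existing variables win unless overwrite is
// set, so an operator can still override one value on the box. Returns names set.
function applyToEnv(vars, env = process.env, { overwrite = false } = {}) {
  const applied = [];
  for (const [name, value] of Object.entries(vars)) {
    if (!overwrite && name in env) continue;
    env[name] = value;
    applied.push(name);
  }
  return applied;
}

// Default fetcher: GetSecretValue via the SDK. Credentials come from the EC2
// instance role attached to the machine, not from any file in the repo.
async function fetchSecretString(secretId) {
  const { SecretsManagerClient, GetSecretValueCommand } =
    require('@aws-sdk/client-secrets-manager'); // assumed installed
  const resp = await new SecretsManagerClient({})
    .send(new GetSecretValueCommand({ SecretId: secretId }));
  if (typeof resp.SecretString !== 'string') throw new Error('secret has no SecretString');
  return resp.SecretString;
}

// Startup hook: await this before anything else reads process.env. The fetcher
// and env are injectable so the logic can be exercised without AWS access.
async function loadSecretsIntoEnv(secretId, fetch = fetchSecretString, env = process.env) {
  return applyToEnv(parseSecretPayload(await fetch(secretId)), env);
}
```

Call `await loadSecretsIntoEnv('<your-secret-id>')` at the top of the server entry point, before any module reads `process.env`.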