Managing Environment Variables with AWS Secrets Manager for App Runner

This guide explains how to keep the production environment variables of an AWS App Runner backend (database passwords, API keys and similar) in AWS Secrets Manager instead of in plain-text service configuration, and how to give the running service just enough IAM permission to read them.

Creating Secrets

  1. Navigate to the AWS Secrets Manager dashboard
  2. Click "Store a new secret"
  3. Select "Other type of secret" as the secret type
  4. Enter your key/value pairs (each key becomes one environment variable; the secret is stored as a single JSON object)
  5. Choose an encryption key. The AWS-managed key aws/secretsmanager needs no extra KMS permissions later; a customer-managed key does, so note its key ARN if you create one
  6. Complete the "Configure secret" step and, optionally, "Configure rotation" (rotation is not required for this setup)
  7. After creation, copy the "Secret ARN" from the details page. The ARN ends in the secret name followed by a six-character random suffix (for example "...:secret:prod/backend-AbCdEf"); the suffix is part of the ARN and must be kept when you paste it into the policy below

Granting Permissions

To allow your App Runner service to retrieve the secrets at runtime:

  1. Open the AWS IAM service and go to "Roles"
  2. Select the instance role of your App Runner service (the role the running container assumes, not the access role used to pull the image from ECR), or create a new one and attach it to the service
  3. Click "Add permissions" and choose "Create inline policy"
  4. Switch to JSON mode and paste the following policy, replacing the placeholders with the secret ARN you copied (including its suffix) and, if you chose a customer-managed key, the key ARN:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOneSecret",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<secret-name>-<suffix>"
        },
        {
            "Sid": "DecryptOnlyViaSecretsManager",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "arn:aws:kms:<region>:<aws_account_id>:key/<key-id>",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "secretsmanager.<region>.amazonaws.com"
                }
            }
        }
    ]
}

This policy grants two permissions:

  • Reading the value of this one secret (secretsmanager:GetSecretValue on the exact ARN; do not widen it to "secret:*")
  • Decrypting with the encryption key, but only when the call comes through Secrets Manager (the kms:ViaService condition), so the role cannot use the key for anything else

If the secret is encrypted with the AWS-managed key aws/secretsmanager, delete the second statement; only a customer-managed key needs an explicit kms:Decrypt grant.

  5. Save the policy
  6. Return to App Runner, open the service configuration and add the environment variables with "Secrets Manager" as their source, pointing each at the secret ARN (and the JSON key inside it), then redeploy the service so the new configuration and role permissions take effect
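The two details that most often break this setup are the ARN suffix in the policy resource and the kms:Decrypt grant that is only needed for a customer-managed key. The following Python example, added here and not part of the original guide, builds the instance-role policy from a full secret ARN, adds the KMS statement only when a key ARN is supplied, and produces the App Runner `run.secrets` entries (the `value-from` form "<secret ARN>:<json-key>::") that map environment variable names to keys inside the JSON secret. It uses only the standard library, so it runs offline; the ARNs, account ID, key ID and variable names are constructed placeholders, not real resources.

```python
"""Least-privilege IAM policy and App Runner secret references for one
Secrets Manager secret. Added example, not the guide's own code; all
ARNs used in the demo are constructed placeholders."""
import json
import re
from typing import Dict, List, Optional

# A full secret ARN ends in the chosen name plus "-" and a 6-character
# random suffix, so a resource of "...:secret:<secret-name>" alone never
# matches. (A name that itself ends in "-xxxxxx" would also pass; the
# only authoritative source is the ARN copied from the console.)
SECRET_ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":secret:(?P<name>[A-Za-z0-9/_+=.@-]+)-[A-Za-z0-9]{6}$"
)
KMS_KEY_ARN_RE = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":key/[0-9a-f-]{36}$"
)


def parse_secret_arn(arn: str) -> Dict[str, str]:
    """Validate a full secret ARN (with suffix) and return region/account/name."""
    m = SECRET_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a full Secrets Manager secret ARN (suffix missing?): {arn}")
    return m.groupdict()


def instance_role_policy(secret_arn: str, kms_key_arn: Optional[str] = None) -> dict:
    """Inline policy for the App Runner *instance* role.

    kms:Decrypt is added only when a customer-managed key ARN is given;
    the AWS-managed key aws/secretsmanager needs no explicit grant. The
    kms:ViaService condition restricts the key to Secrets Manager calls
    from the secret's region.
    """
    parts = parse_secret_arn(secret_arn)
    statements = [{
        "Sid": "ReadOneSecret",
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": secret_arn,
    }]
    if kms_key_arn is not None:
        if not KMS_KEY_ARN_RE.match(kms_key_arn):
            raise ValueError(f"not a KMS key ARN: {kms_key_arn}")
        statements.append({
            "Sid": "DecryptOnlyViaSecretsManager",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": kms_key_arn,
            "Condition": {"StringEquals": {
                "kms:ViaService": f"secretsmanager.{parts['region']}.amazonaws.com"
            }},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def apprunner_secret_refs(secret_arn: str, env_to_key: Dict[str, str]) -> List[dict]:
    """App Runner `run.secrets` entries mapping env var names to JSON keys.

    "<secret ARN>:<json-key>::" injects one key of the JSON secret; the
    two trailing empty fields select the current version. The same
    ARN:key reference is what the console's "Secrets Manager" env var
    source expects.
    """
    parse_secret_arn(secret_arn)  # fail early on an ARN without its suffix
    return [{"name": env, "value-from": f"{secret_arn}:{key}::"}
            for env, key in env_to_key.items()]


if __name__ == "__main__":
    # Constructed demo values, not real resources.
    secret = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/backend-AbCdEf"
    key = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    print(json.dumps(instance_role_policy(secret, key), indent=2))
    print(json.dumps(apprunner_secret_refs(secret, {"DB_PASSWORD": "db_password"}), indent=2))
```

Paste the printed policy as the inline policy on the instance role, and copy each `value-from` string into the apprunner.yaml `run.secrets` list (or the console's Secrets Manager environment variable source) under the given `name`. Calling `instance_role_policy` without a key ARN yields the single GetSecretValue statement, which is the correct policy for a secret encrypted with aws/secretsmanager.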

By following these steps, you'll securely manage your environment variables using AWS Secrets Manager for your App Runner deployment.