Sharing Secrets Between Environments

[dereksdev]

Is there a way to share secrets between environments? The requirement to tag each secret with copilot-environment leads me to believe this is not possible, but it would be useful for shared application secrets. I would like to be able to do the following:

1. set up an SSM parameter with only tag copilot-application set to my application name
2. reference the secret in the global secrets in manifest.yml:

secrets: 
  SECRET_NAME: /copilot/app_name/secrets/SECRET_NAME

This process currently results in an error: ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secrets from ssm

[iamhopaul123]

Hello @dereksdev. Yes you are correct it is not possible to define application level secrets in Copilot right now. This would be a feature request for us. Thank you for bringing up this feature and your use case for it!

[bpottier]

Just want to say I'd like to see this feature too. It would be useful for creating a single secret with credentials to a private Docker registry.

[mnitchie]

I'll add on that it would also be useful to share secrets across applications, as well. This is handy for multiple applications that might share the same database or for connections to a shared cache. Beyond the challenge of setting up duplicate secrets, this increases the burden of rotating secrets when necessary.

[efekarakus]

Thanks @mnitchie ! as a side-tangent, how do you deal with secrets rotation today for ECS tasks? do you force a new deployment when a rotation occurs or do you use another mechanism?

[mnitchie]

It's a little ad hoc at the moment. Sometimes I do what you suggested if I'm confident that won't break things with the already-deployed tasks, or if I'm planning to re-deploy right away. Once I created a second secret and changed the manifest to point to that instead of the old one, then re-deploy.

[GearoidCollins]

+1 to this. would love it 🙌 It would nicely clean up our secret store and manifest files 😄

[jakequalia]

+1 to this for me as well :). This would be a really handy feature and would make creating new environments super seamless! Has work on this feature request been started?

[jakequalia]

Any update on this?

[ColeDCrawford]

This would be really useful. We are adding Elasticsearch to several apps and just have one large cluster with a bunch of indices. We could just store the Elastic Cloud ID and password once each, but now it looks like I'll have to define multiple variables per application and per environment. And if I rotate those creds, will have to change them all individually ... could add some logic to the value parsing to split on commas or another delimiter? copilot-environment=dev,prod, and same for the apps?

[Lou1415926]

@ColeDCrawford Makes sense to me! Another workaround I can think of is to tag a secret with something like "shared", and then give each of your app's EnvManagerRole access to secrets with that tag, using yaml patch.