Managing Environment Variables with AWS Secrets Manager for App Runner
When deploying Backend projects to App Runner, instead of entering sensitive values directly into the Environment Variables configuration (which can be exposed if someone has console access), we’ll use AWS Secrets Manager as a secure vault for storage.
1. Create a Secret in Secrets Manager
The first step is to store your sensitive information in the AWS vault.
- Go to the AWS Secrets Manager Dashboard.
- Click “Store a new secret”.
- Select the secret type as “Other type of secret”.
- Enter your Key/Value pairs (e.g., Key is DB_PASSWORD, Value is your-password).
- Choose the Encryption key: you can use the AWS default key or create a custom KMS key.
- Complete the naming and rotation configuration steps if needed.
- After creation, copy the Secret ARN from the detail page. You’ll need it for the next step.
2. Grant Permissions for App Runner (IAM Role)
This is the most critical step. By default, App Runner does not have permission to access the vault. You need to grant access through an IAM Role.
- Go to the IAM service and navigate to Roles.
- Select the Role assigned to App Runner (Instance Role). If you don’t have one, create a new Role for the App Runner service.
- Click “Add permission” and choose “Create inline policy”.
- Switch to JSON mode and paste the following code:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "kms:Decrypt*"
      ],
      "Resource": [
        "arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<secret-name>",
        "arn:aws:kms:<region>:<aws_account_id>:key/<key-id>"
      ]
    }
  ]
}
Breaking Down This Policy:
- secretsmanager:GetSecretValue: Allows App Runner to read the values inside the Secret.
- kms:Decrypt*: Extremely important! Since the Secret is encrypted, you need this permission to decrypt the data before use.
- Resource: Replace with the ARN of the Secret and the ARN of the KMS key you used in Step 1.
- Save the Policy and give it a name (e.g., AppRunnerSecretsPolicy).
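As an added example (not code from the original post), the following Python builds the Step 2 inline policy for a given secret ARN and KMS key ARN, and audits any policy document for the mistakes that weaken it: placeholders left unreplaced, wildcard resources, actions beyond read and decrypt, and a missing kms:Decrypt. The ARNs used to exercise it are constructed, and the function and constant names are this example's own.

```python
import re

# Added example, not code from the original post: build the Step 2 policy for one
# secret and one KMS key, and audit a policy document for common over-permissioning.

SECRET_ARN_RE = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^*]+$")
KMS_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]+$")
# The only actions the App Runner instance role needs for this setup.
ALLOWED_ACTIONS = {"secretsmanager:GetSecretValue", "kms:Decrypt", "kms:Decrypt*"}


def build_policy(secret_arn: str, kms_key_arn: str) -> dict:
    """Return the inline policy from Step 2, scoped to exactly one secret and one key."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "kms:Decrypt*"],
        "Resource": [secret_arn, kms_key_arn],
    }]}


def _as_list(value) -> list:
    # IAM accepts a bare string or a list for Action and Resource; normalise to a list.
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means the policy is scoped as intended."""
    findings, all_actions = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        all_actions += actions
        for action in actions:
            if action not in ALLOWED_ACTIONS:
                findings.append(f"unexpected action {action!r}: only read and decrypt are needed")
        for res in resources:
            if "<" in res or ">" in res:
                findings.append(f"placeholder not replaced in {res!r}")
            elif res == "*" or res.endswith("*"):
                findings.append(f"wildcard resource {res!r}: scope to the exact secret and key ARNs")
            elif res.startswith("arn:aws:secretsmanager:") and not SECRET_ARN_RE.match(res):
                findings.append(f"malformed secret ARN {res!r}")
            elif res.startswith("arn:aws:kms:") and not KMS_ARN_RE.match(res):
                findings.append(f"malformed KMS key ARN {res!r}")
    if not any(a.startswith("kms:Decrypt") for a in all_actions):
        findings.append("no kms:Decrypt action: a secret under a customer-managed key cannot be read")
    return findings
```

Run `audit_policy` on the JSON you are about to paste; a secret ARN copied from the console carries a random suffix after the secret name, so use that exact ARN rather than retyping the name.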
3. Configure App Runner
Finally, go back to the App Runner service to apply the settings:
- Navigate to your project’s configuration on App Runner.
- Under Configuration > Environment variables, instead of selecting “Plaintext”, choose “Reference a secret”.
- Paste the ARN formatted as we covered in the previous article (including the : and the specific Key name).
- Make sure you’ve selected the correct IAM Role that you added the Policy to in Step 2.
- Click Save and Deploy to restart App Runner and pick up the new values.
Summary
With this approach, your environment variables are secured with multiple layers of protection:
- Layer 1: Data is encrypted in Secrets Manager.
- Layer 2: Only entities (Roles) with specific permissions can retrieve and decrypt the data.
- Layer 3: No passwords appear in plaintext in configuration files or source code.
Wishing you a secure and professional deployment!