Do not put secrets in environment variables
Date: 2024-07-11
Status: accepted
Context
We must not store secrets in the environment variables during our deployment. This allows attackers to inspect the environment and take all secrets from there. It an easy to achieve attack once you gain access to an environment.
Decision
To mitigate this risk, we do put the secrets in the parameters store of the AWS
account, set as SecretString. These strings are encrypted by AWS.
The applications will be able to read the secrets during the startup from the parameter store and setup accordingly. This is done for remix apps if they use the setup of the remix-tools since version 15
Consequences
Attackers should not get easy access to our secrets anymore.