Introduction

Here at BeamWallet we tend to prefer a micro-service architecture over the archaic monolithic approach. Recently we came across a simple and common problem: generating JWT tokens so that our servers can communicate with each other.

Since all of our systems live in private VPCs, and in the interest of the DRY principle, we decided to build a centralised service to handle this. We built it using AWS Lambda and AWS API Gateway.

We have two different ways of deploying applications and storing secrets.

AWS Elastic Beanstalk with AWS Secrets Manager

Our Elastic Beanstalk applications are Java Spring backends whose passwords and keys are all stored in AWS Secrets Manager. On startup, each app fetches its secrets from AWS Secrets Manager and loads them into the System properties.

Our naming convention for secrets stored in Secrets Manager is <system>/<environment>,

e.g. core/dev or common/staging (where common holds the variables shared across all systems).
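The startup step described above, as an added example rather than BeamWallet's own code: a small bootstrap class that resolves the <system>/<environment> secret IDs, fetches them with the AWS SDK for Java v2, and copies the keys into System properties before Spring starts. It assumes (the post does not say) that each secret's value is a flat JSON object of key/value pairs, that common/<environment> is loaded first and the system's own secret overrides it, and that the system name and environment arrive in hypothetical SYSTEM_NAME and APP_ENV environment variables.

```java
// Added example, not BeamWallet's code. Loads secrets from AWS Secrets Manager
// into System properties at startup, following the <system>/<environment>
// naming convention. Assumptions not stated in the post:
//  - each secret value is a JSON object of flat key/value pairs;
//  - "common/<env>" is loaded first, then "<system>/<env>" overrides it;
//  - system name and environment come from the hypothetical SYSTEM_NAME and
//    APP_ENV environment variables.
// Needs software.amazon.awssdk:secretsmanager (SDK v2) and Jackson databind.
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;

import java.io.IOException;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;

public final class SecretsBootstrap {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    private SecretsBootstrap() {}

    /** Secret IDs to load, in precedence order (later entries win). */
    static String[] secretIdsFor(String system, String environment) {
        return new String[] { "common/" + environment, system + "/" + environment };
    }

    /** Parses one secret's JSON string into a map; rejects anything that is not a flat object. */
    static Map<String, String> parseSecret(String secretJson) throws IOException {
        JsonNode root = MAPPER.readTree(secretJson);
        if (root == null || !root.isObject()) {
            throw new IllegalArgumentException("secret value must be a JSON object");
        }
        Map<String, String> out = new LinkedHashMap<>();
        Iterator<Map.Entry<String, JsonNode>> fields = root.fields();
        while (fields.hasNext()) {
            Map.Entry<String, JsonNode> e = fields.next();
            if (!e.getValue().isValueNode()) {
                throw new IllegalArgumentException("nested value not allowed for key " + e.getKey());
            }
            out.put(e.getKey(), e.getValue().asText());
        }
        return out;
    }

    /** Fetches and merges the secrets for a system/environment. The shared common/<env>
     *  secret is optional; the system's own secret must exist. */
    static Map<String, String> loadMerged(SecretsManagerClient client, String system, String environment)
            throws IOException {
        Map<String, String> merged = new LinkedHashMap<>();
        for (String id : secretIdsFor(system, environment)) {
            try {
                String json = client.getSecretValue(
                        GetSecretValueRequest.builder().secretId(id).build()).secretString();
                merged.putAll(parseSecret(json));
            } catch (ResourceNotFoundException e) {
                if (id.startsWith("common/")) {
                    continue; // no shared secret for this environment; that is fine
                }
                throw e; // the system's own secret is required
            }
        }
        return merged;
    }

    /** Call this before the Spring context starts so the properties are visible to it. */
    public static void install(String system, String environment) throws IOException {
        try (SecretsManagerClient client = SecretsManagerClient.create()) {
            Map<String, String> props = loadMerged(client, system, environment);
            for (Map.Entry<String, String> e : props.entrySet()) {
                System.setProperty(e.getKey(), e.getValue());
            }
            // Log only the key names, never the values.
            System.out.println("Loaded " + props.size() + " secret properties: " + props.keySet());
        }
    }

    public static void main(String[] args) throws IOException {
        String system = System.getenv().getOrDefault("SYSTEM_NAME", "core"); // hypothetical variable
        String env = System.getenv().getOrDefault("APP_ENV", "dev");         // hypothetical variable
        install(system, env);
        // SpringApplication.run(App.class, args) would follow here.
    }
}
```

Run install() from main before SpringApplication.run, because Spring reads System properties into its Environment when the context is created; properties set afterwards are not picked up. The client uses the default credential chain, so on Elastic Beanstalk the instance profile role needs secretsmanager:GetSecretValue on exactly the common/* and <system>/* secrets it loads.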

AWS ECS with Ansible

We deploy our other apps to ECS using Ansible. Their secrets are stored in our Ansible Vault and are then written into the ECS task definition as environment variables.

Our Solution (In Lambda)

Setting up IAM

Add the following roles