Aws-app-mesh-roadmap: Feature Request: Support Imported ACM Certificates for TLS

Created on 21 Apr 2020  路  2Comments  路  Source: aws/aws-app-mesh-roadmap

Tell us about your request
Customers would like to use certificates they've imported to AWS Certificate Manager (ACM) to terminate TLS in App Mesh. Today this is not supported because ACM does not allow imported certificates to be exported.

Which integration(s) is this request for?
All

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Instead of managing PKI outside of AWS, being able to import certificates in ACM would simplify the management and distribution of certificates in App Mesh.

Are you currently working around this issue?
Customers are able to provide custom certificates to App Mesh via the local Envoy file-system. See the TLS documentation for more information.

Awaiting Customer Feedback Medium

Most helpful comment

Hey @joshbishop, you can definitely take the volume mount approach to get certificates bound to Envoy (i.e. using the file-system support on a Virtual Node).

Another, slightly simpler and more secure option is to store your certificates in Secrets Manager and pull them into the running container on startup. This way you don't have a persistent volume with certificates that you need to protect. We demonstrate the Secrets Manager approach in this walkthrough.

Hope that helps!

All 2 comments

What be the recommended work-around for a Fargate deployment?
I could think of potentially volume-mounting either EFS or another container with the certificates to provide for the Envoy container, or rolling our own Envoy image with the certificates baked in.

These all seem to me like much more complicated options than just selecting an ACM cert in the node configuration though

Hey @joshbishop, you can definitely take the volume mount approach to get certificates bound to Envoy (i.e. using the file-system support on a Virtual Node).

Another, slightly simpler and more secure option is to store your certificates in Secrets Manager and pull them into the running container on startup. This way you don't have a persistent volume with certificates that you need to protect. We demonstrate the Secrets Manager approach in this walkthrough.

Hope that helps!

Was this page helpful?
0 / 5 - 0 ratings