AWS Elastic Beanstalk makes it easy to get a simple application from development into a public web server. If you use a linked RDS instance for storage, the service even handles the population of the database credentials on your application instance by loading them in the environment. If you want to include additional credentials as environment variables, you can do it, but they are unfortunately readable as plain text in the Elastic Beanstalk console. Instead, I've taken to importing a file which gets loaded on my instances via encrypted S3 as part of the deploy script.

Create your file for the environments you'll be deploying to. Upload them to S3 making sure to enable server-side encryption. Protect the bucket these are stored in. Treat it just like part of a file.

MY_SECRET_PASSWORD = 'five golDen chickens'

(Jeez, that's not really my password. Whatever.)

Import credentials

In the top of my, which is loaded in each of my tier-sepcific config files, I include:

from config.settings.credentials import *  #noqa

Including #noqa ensures that flake8 won't register an error, since we really do want to import everything in this case. I include a default config/settings/ that sets dummy variables to enable my tests to pass, or reads those from the environment. That file is overwritten during deployment and copied into place via an .ebextensions file.


The following code is an .ebextensions file with the settings needed to get installed into your Django application on each deploy. Depending where your credentials files are stored, you'll want to change config/settings/ to lineup with your directory structure. container_commands run from the root of your app:

    test: '[ ! -d /var/makeconf ]'
    command: 'mkdir -p /var/makeconf'
    command: 'chown -R wsgi:wsgi /var/makeconf'

    command: 'mv /var/makeconf/ config/settings/'

    owner: wsgi
    group: wsgi
    mode: '000400'
    authentication: S3Access

          type: S3
          roleName: my.elastic.beanstalk.iam.role
          buckets: BUCKET_NAME


You're likely going to want a different file for each tier, and so I recommend using a tool like django-makeconf to build your .ebextensions for each tier. It could be as simple as specifying the following variables in your tier-based Django config files:


Alter the above file to replace

  • BUCKET_NAME with {{ settings.CREDENTIALS_BUCKET }}
  • my.elasticbeanstalk.iam.role to {{ settings.EB_IAM_ROLE }}

Once those pieces are in place, put that file at YOUR_APP_NAME/templates/credentials.config.tmpl and set MAKECONF_MAP to something like:

{'.ebextensions/01_credentials.config': 'credentials.config.tmpl'}

Then run python makeconf with the correct config file for each tier during each deploy build. e.g. for QA, you'd run the following command to build your .ebextensions file: python makeconf

IAM role

You're going to need an IAM role with permissions to the buckets you're storing your files in. You'll need the following properties on the buckets you're using:

  • s3:ListBucketVersions
  • s3:GetObjectVersion
  • s3:ListBucket
  • s3:GetObject

And you'll want to allow s3:ListAllMyBucket for all resources.


Make sure you include the .ebextensions file you just created in the zipfile you're senging to Elastic Beanstalk, and then it's rock & roll.