Preface

I am not sure whether the title is confusing or ambiguous. If it is, please give input as to what the proper title should be, but this is the title I have come up with that best describes the problem I am facing, so please hear me out first.

Background

So I have an Express App that runs on NodeJS runtime and I have it deployed to AWS Elastic Beanstalk. Now, I need to integrate Firebase into my app and in this case, I successfully installed the Firebase Admin SDK into my app but now I need to add the .json file containing the credentials to my firebase app.

AWS has a guide on Storing Private Keys Securely in Amazon S3, which I followed accordingly by adding a configuration file in the .ebextensions folder at the root of my project. I added the following code to the config file as instructed in the documentation:

Resources:
  AWSEBAutoScalingGroup:
    Metadata:
      AWS::CloudFormation::Authentication:
        S3Auth:
          type: "s3"
          buckets: ["elasticbeanstalk-us-west-2-123456789012"]
          roleName: 
            "Fn::GetOptionSetting": 
              Namespace: "aws:autoscaling:launchconfiguration"
              OptionName: "IamInstanceProfile"
              DefaultValue: "aws-elasticbeanstalk-ec2-role"
files:
  # Firebase Credentials
  "/tmp/firebase.json":
    mode: "000400"
    owner: ec2-user
    group: ec2-user
    authentication: "S3Auth"
    source: https://elasticbeanstalk-us-west-2-123456789012.s3.us-west-2.amazonaws.com/server.key

A few things I changed in this example were, obviously, the bucket where the json file is stored (the one shown here is just a dummy for the example). I am using the default instance profile that was generated when my EB environment was created. And here, from looking at how others did this, they mainly configured the file to download to the path /tmp/<FILE_NAME>.json. I also changed the owner and group to ec2-user, as that's the default name of the user when running an Amazon Linux instance according to the AWS documentation.

After making the changes as such and deploying the app again to EB, the environment health went from Ok to Degraded. Upon checking the logs, the error I got was very much like the one seen here: Unable to access files on the tmp directory.

The error can be seen on one of the lines as: Error: EACCES: permission denied, open '/tmp/firebase.json'

Prior investigations

I made the checks to ensure that my instance profile had the permissions to access the bucket storing the credentials json file. In fact, I went so far as to open the EC2 instance that my app was running on after deploying the app again with the added config file in the .ebextensions folder, and the firebase.json file had been downloaded to the /tmp folder.

What I've tried

So from this question - Unable to access files on the tmp directory - one of the solutions someone gave was to change the file permissions in the config file from 400 (owner read only) to 444 (everyone can read), like this:

files:
  # Firebase Credentials
  "/tmp/firebase.json":
    mode: "000444"
    owner: ec2-user
    group: ec2-user
    authentication: "S3Auth"
    source: https://elasticbeanstalk-us-west-2-123456789012.s3.us-west-2.amazonaws.com/server.key

So now that works... but I am aware that setting permissions to 444, allowing everyone to read, doesn't exactly seem safe, as the person who gave the solution here mentioned.

I know that this has to do with the file permissions allowing the ec2-user to read the firebase.json file in the tmp folder as the root user. So I would like to have some help on this.

Orthodox_Athena

0 Answers