Migrate credentials to LabKey native SSM integration (26.6+) #184

Open
labkey-willm wants to merge 2 commits into release26.6-SNAPSHOT from 26.6_fb_ssm_credential_migration
Conversation

Contributor

@labkey-willm labkey-willm commented May 28, 2026

Summary

  • application.properties: adds context.awsParameterStore.prefix and ssm: references for DB credentials, encryption key, and SMTP credentials; old @@placeholder@@ lines kept as comments for non-AWS reference
  • entrypoint.sh: adds SSM prefix normalization and non-AWS fallback (substitutes ssm: references with direct env var values when LABKEY_SSM_PREFIX is unset); removes AWS credential unset so the JVM can reach SSM; removes credential sed/unset lines
  • docker-compose.yml: adds LABKEY_SSM_PREFIX, LABKEY_VPC_SSM_PREFIX, AWS credential forwarding, and direct credential fallbacks for non-AWS/local use
  • README.md, CLAUDE.md: document SSM integration, updated env var tables, updated runtime flow description

How it works

Set LABKEY_SSM_PREFIX (app-level, e.g. /myapp/myenv/) and LABKEY_VPC_SSM_PREFIX (VPC-level, e.g. /shared/vpc/myvpc/) as plain env vars. LabKey's AwsParameterStoreEnvironmentPostProcessor resolves the following at JVM startup:

SSM path                                  Replaces
${LABKEY_SSM_PREFIX}database_user         POSTGRES_USER
${LABKEY_SSM_PREFIX}database_password     POSTGRES_PASSWORD
${LABKEY_SSM_PREFIX}ek                    LABKEY_EK
${LABKEY_VPC_SSM_PREFIX}smtp_user         SMTP_USER
${LABKEY_VPC_SSM_PREFIX}smtp_password     SMTP_PASSWORD

When LABKEY_SSM_PREFIX is unset, entrypoint.sh falls back to direct env var substitution — non-AWS deployments are unaffected.

⚠️ Hold

Do not merge until LabKey/server#1388 is merged. That PR contains the server-side fix required for GEMINI_API_KEY resolution via SSM. This change targets develop / LabKey 26.6+.

The companion Terraform change is in terraform_module_ecs_service_lkapps branch 26.6_fb_ssm_credential_migration — deploy the Dockerfile image change first, then land the Terraform change.

Test plan

  • SSM credential resolution confirmed working locally against lk-dev-banana/banana-ecs SSM paths (DB user, DB password, EK, SMTP user, SMTP password all resolved from SSM per container logs)
  • DB connection healthy after SSM resolution
  • GEMINI_API_KEY resolved via SSM (requires server PR #1388)
  • Verify non-AWS make up still works without SSM vars set

🤖 Generated with Claude Code
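
The prefix normalization and non-AWS fallback described in the summary above, sketched as an added example; this is not the PR's entrypoint.sh or any LabKey code. The `key=ssm:<name>` value syntax and the property key in the demo are assumptions, and the substitution is written without sed so that characters such as `&` and `/` in a password need no escaping.

```shell
# Added example, not the PR's entrypoint.sh. Assumptions: the "key=ssm:<name>"
# value syntax and the property keys in the demo are hypothetical.
# "myapp/myenv" or "//myapp/myenv//" -> "/myapp/myenv/"; an empty prefix is an error.
normalize_ssm_prefix() {
    p=$1
    while [ "${p#/}" != "$p" ]; do p=${p#/}; done
    while [ "${p%/}" != "$p" ]; do p=${p%/}; done
    [ -n "$p" ] || { echo "empty SSM prefix" >&2; return 1; }
    printf '/%s/\n' "$p"
}

# SSM parameter name -> env var it replaces (table in the PR description).
ssm_name_to_env() {
    case $1 in
        database_user)     echo POSTGRES_USER ;;
        database_password) echo POSTGRES_PASSWORD ;;
        ek)                echo LABKEY_EK ;;
        smtp_user)         echo SMTP_USER ;;
        smtp_password)     echo SMTP_PASSWORD ;;
        *) return 1 ;;
    esac
}

# Non-AWS fallback (stdin -> stdout). Pure shell: secrets never pass through a
# sed replacement (where & and / are special). Fails closed on a missing value.
resolve_properties() {
    while IFS= read -r line || [ -n "$line" ]; do
        key=${line%%=*}; val=${line#*=}
        case $line in \#*) val= ;; esac          # leave comment lines untouched
        case $val in
            ssm:*)
                var=$(ssm_name_to_env "${val#ssm:}") || { echo "unknown ref: $val" >&2; return 1; }
                eval "secret=\${$var-}"          # $var comes only from the fixed table above
                [ -n "$secret" ] || { echo "$var is unset" >&2; return 1; }
                printf '%s=%s\n' "$key" "$secret" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# With LABKEY_SSM_PREFIX set, ssm: references stay in place for the server to resolve.
render_config() {
    [ -n "${LABKEY_SSM_PREFIX-}" ] || { resolve_properties; return; }
    normalize_ssm_prefix "$LABKEY_SSM_PREFIX" >/dev/null || return 1
    cat
}

# Demo on constructed input; run the script with the single argument: demo
[ "${1-}" != demo ] || printf 'db.user=ssm:database_user\n' | POSTGRES_USER=postgres render_config
```

Java .properties loaders treat a backslash in a value as an escape character, so a secret containing one needs doubling before it is written.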

Replace ECS-injected credential secrets (POSTGRES_USER, POSTGRES_PASSWORD,
LABKEY_EK, SMTP_USER, SMTP_PASSWORD) with LabKey's native SSM integration
via AwsParameterStoreEnvironmentPostProcessor:
- application.properties: add context.awsParameterStore.prefix and ssm:
  references for the 5 credentials; old @@Placeholder@@ lines kept as
  comments for non-AWS reference
- entrypoint.sh: add SSM prefix normalization and non-AWS fallback (replaces
  ssm: references with direct env var values when LABKEY_SSM_PREFIX is unset);
  remove AWS credential unset so JVM can reach SSM; remove credential sed/unset
- docker-compose.yml: add LABKEY_SSM_PREFIX, LABKEY_VPC_SSM_PREFIX, AWS
  credential forwarding, and direct credential fallbacks for non-AWS local use
- README.md, CLAUDE.md: document SSM integration, updated env var tables,
  updated runtime flow description

⚠️ HOLD until LabKey/server#1388 merges. Targets develop / LabKey 26.6+.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@github-actions

ERROR: A pull request from 26.6_fb_ssm_credential_migration is expected to target release26.6-SNAPSHOT, not develop

POSTGRES_PASSWORD and POSTGRES_USER in LabKey services now default to
localdevpassword/postgres, matching the postgres service defaults, so
make up works without setting any env vars.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@labkey-willm labkey-willm changed the base branch from develop to release26.6-SNAPSHOT June 1, 2026 17:07