AWS App Runner will no longer be open to new customers starting April 30, 2026. If you would like to use App Runner, sign up prior to that date. Existing customers can continue to use the service as normal. For more information, see [AWS App Runner availability change](https://docs.aws.amazon.com/apprunner/latest/dg/apprunner-availability-change.html).
# Referencing environment variables
With App Runner, you can reference secrets and configurations as environment variables in your service when you [create a service](manage-create.md) or [update a service](manage-configure.md).
You can reference non-sensitive configuration data such as timeouts and retry counts in **Plain Text** as key-value pairs. The configuration data that you reference in **Plain Text** isn't encrypted and is visible to others in App Runner service configuration and application logs.
**Note**
For security reasons, don't reference any sensitive data in **Plain Text** in your App Runner service.
## Referencing sensitive data as environment variables
App Runner supports securely referencing sensitive data as environment variables in your service. Consider storing the sensitive data that you want to reference in *AWS Secrets Manager* or *AWS Systems Manager Parameter Store*. Then, you can securely reference them in your service as environment variables from App Runner console or by calling the API. This effectively separates secret and parameter management from your application code and service configuration, improving the overall security of your applications running on App Runner.
**Note**
App Runner doesn't charge you for referencing Secrets Manager and SSM Parameter Store as environment variables. However, you pay standard pricing for using Secrets Manager and SSM Parameter Store.
For more information about pricing, see the following:
[AWS Secrets Manager Pricing](https://aws.amazon.com/secrets-manager/pricing)
[AWS SSM Parameter Store Pricing ](https://aws.amazon.com/systems-manager/pricing)
The following is the process to reference sensitive data as environment variables:
1. Store sensitive data, such as API keys, database credentials, database connection parameters, or application versions as secrets or parameters in either AWS Secrets Manager or AWS Systems Manager Parameter Store.
1. Update the IAM policy of your instance role so App Runner can access the secrets and parameters stored in Secrets Manager and SSM Parameter Store. For more information, see [Permissions](#env-variable.sensitivedata.permissions).
1. Securely reference the secrets and parameters as environment variables by assigning a name and providing their Amazon Resource Name (ARN). You can add environment variables when you [create a service](manage-create.md) or [update a service's configuration](manage-configure.md). You can use one of the following options to add environment variables:
+ App Runner console
+ App Runner API
+ `apprunner.yaml` configuration file
**Note**
You cannot assign `PORT` as a name for an environment variable when creating or updating your App Runner service. It's a reserved environment variable for App Runner service.
For more information on how to reference secrets and parameters, see [Managing environment variables](env-variable-manage.md).
**Note**
Since App Runner only stores the reference to secret and parameter ARNs, the sensitive data isn't visible to others in the App Runner service configuration and application logs.
## Considerations
+ Make sure that you update your instance role with appropriate permissions to access the secrets and parameters in AWS Secrets Manager or in AWS Systems Manager Parameter Store. For more information, see [Permissions](#env-variable.sensitivedata.permissions).
+ Make sure that AWS Systems Manager Parameter Store is in the same AWS account as the service that you want to launch or update. Currently, you can't reference SSM Parameter Store parameters across accounts.
+ When the secrets and parameter values are rotated or changed they are not automatically updated in your App Runner service. Redeploy your App Runner service as App Runner only pulls secrets and parameters during deployment.
+ You also have the option to directly call AWS Secrets Manager and AWS Systems Manager Parameter Store through the SDK in your App Runner service.
+ To avoid errors make sure of the following when referencing them as the environment variables:
+ You specify the right ARN of the secret.
+ You specify the right name or ARN of the parameter.
## Permissions
To enable referencing secrets and parameters stored in the AWS Secrets Manager or SSM Parameter Store, add appropriate permissions to the IAM policy of your *instance role* to access Secrets Manager and SSM Parameter Store.
**Note**
App Runner can't access resources in your account without your permission. You provide the permission through updating your IAM policy.
You can use the following policy templates to update your instance role in the IAM console. You can modify these policy templates to meet your specific requirement. For more information about updating an instance role, see [Modifying a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-console.html) in the *IAM User Guide*.
**Note**
You can also copy the following templates from the App Runner console when [creating the environment variables](env-variable-manage.md#env-variable-manage.console).
Copy, the following template to your instance role to add permission to reference *secrets* from *AWS Secrets Manager*.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"kms:Decrypt*"
],
"Resource": [
"arn:aws:secretsmanager:us-east-1:111122223333:secret:my-secret",
"arn:aws:kms:us-east-1:111122223333:key/my-key"
]
}
]
}
```
------
Copy the following template to your instance role to add permission to reference *parameters* from *AWS Systems Manager* Parameter Store.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters"
],
"Resource": [
"arn:aws:ssm:us-east-1:111122223333:parameter/my-parameter"
]
}
]
}
```
------
# Managing your environment variables
Manage the environment variables for your App Runner service by using one of the following methods:
+ [App Runner console](#env-variable-manage.console)
+ [App Runner API or AWS CLI](#env-variable-manage.api)
## App Runner console
When you [create a service](manage-create.md) or [update a service ](manage-configure.md) on the App Runner console, you can add environment variables.
### Adding environment variable
**To add environment variable**
1. Open the [App Runner console](https://console.aws.amazon.com/apprunner), and in the **Regions** list, select your AWS Region.
1. Based on whether you're creating or updating a service, perform one of the following steps:
+ If you're creating a new service, choose **Create an App Runner service** and go to **Configure Service**.
+ If you're updating an existing service, select the service that you want to update and go to the **Configuration** tab of the service.
1. Go to **Environment variables - optional** under **Service settings**.
1. Choose any of the following options based on your requirement:
+ Choose **Plain Text** from the **Environment variable source** and enter its key-value pairs under **Environment variable name** and **Environment variable value**, respectively.
**Note**
Choose **Plain Text** if you want to reference non-sensitive data. This data isn't encrypted and is visible to others in the App Runner service configuration and application logs.
+ Choose **Secrets Manager** from the **Environment variable source** to reference the secret that's stored in AWS Secrets Manager as environment variable in your service. Provide the environment variable name and Amazon Resource Name (ARN) of the secret that you're referencing under **Environment variable name** and **Environment variable value** respectively.
+ Choose **SSM Parameter Store** from the **Environment variable source** to reference the parameter stored in SSM Parameter Store as environment variable in your service. Provide the environment variable name and ARN of the parameter that you're referencing under **Environment variable name** and **Environment variable value** respectively.
**Note**
You cannot assign `PORT` as a name for an environment variable when creating or updating your App Runner service. It's a reserved environment variable for App Runner service.
If the SSM Parameter Store parameter is in the same AWS Region as the service that you want to launch, you can specify the full Amazon Resource Name (ARN) or the name of the parameter. If the parameter is in a different Region, you need to specify the full ARN.
Make sure that parameter that you're referencing to is in the same account as the service that you're launching or updating. Currently, you can't reference SSM Parameter Store parameter across accounts.
1. Choose **Add environment variable** to reference to another environment variable.
1. Expand **IAM policy templates** to view and copy the IAM policy templates provided for the AWS Secrets Manager and SSM Parameter Store. You only need to do this if you didn't yet update the IAM policy of your instance role with the required permissions. For more information, see [Permissions](env-variable.md#env-variable.sensitivedata.permissions).
### Removing environment variable
Before you delete an environment variable make sure that your application code is updated to reflect the same. If the application code is not updated, your App Runner service might fail.
**To remove environment variables**
1. Open the [App Runner console](https://console.aws.amazon.com/apprunner), and in the **Regions** list, select your AWS Region.
1. Go to **Configuration** tab of the service you want to update.
1. Go to **Environment variables - optional** under **Service settings**.
1. Choose **Remove** next to the environment variable that you want to remove. You receive a message to confirm the deletion.
1. Choose **Delete**.
## App Runner API or AWS CLI
You can reference sensitive data stored in Secrets Manager and SSM Parameter Store by adding them as environment variables in your service.
**Note**
Update the IAM policy of your instance role so App Runner can access secrets and parameters stored in Secrets Manager and SSM Parameter Store. For more information, see [Permissions](env-variable.md#env-variable.sensitivedata.permissions).
**To reference secrets and configurations as environment variables**
1. Create a secret or configuration in the Secrets Manager or SSM Parameter Store.
The following examples show how to create a secret and a parameter using the SSM Parameter Store.
**Example Creating a secret - Request**
The following example shows how to create a secret that represents the database credential.
```
aws secretsmanager create-secret \
—name DevRdsCredentials \
—description "Rds credentials for development account." \
—secret-string "{\"user\":\"diegor\",\"password\":\"EXAMPLE-PASSWORD\"}"
```
**Example Creating a secret - Response**
```
arn:aws:secretsmanager:::secret:DevRdsCredentials
```
**Example Creating a configuration - Request**
The following example shows how to create a parameter that represents the RDS connection string.
```
aws systemsmanager put-parameter \
—name DevRdsConnectionString \
—value "mysql2://dev-mysqlcluster-rds.com:3306/diegor" \
—type "String" \
—description "Rds connection string for development account."
```
**Example Creating a configuration - Response**
```
arn:aws:ssm:::parameter/DevRdsConnectionString
```
1. Reference the secrets and configurations that are stored in Secrets Manager and SSM Parameter Store by adding them as environment variables. You can add environment variables when you create or update your App Runner service.
The following examples shows how to reference secrets and configurations as environment variables on a code-based and an image-based App Runner service.
**Example Input.json file for image-based App Runner service**
```
{
"ServiceName": "example-secrets",
"SourceConfiguration": {
"ImageRepository": {
"ImageIdentifier": "",
"ImageConfiguration": {
"Port": "",
"RuntimeEnvironmentSecrets": {
"Credential1":"arn:aws:secretsmanager:::secret:XXXXXXXXXXXX",
"Credential2":"arn:aws:ssm:::parameter/"
}
},
"ImageRepositoryType": "ECR_PUBLIC"
}
},
"InstanceConfiguration": {
"Cpu": "1 vCPU",
"Memory": "3 GB",
"InstanceRoleArn": ""
}
}
```
**Example Image-based App Runner service – Request**
```
aws apprunner create-service \
--cli-input-json file://input.json
```
**Example Image-based App Runner service – Response**
```
{
...
"ImageRepository": {
"ImageIdentifier":"",
"ImageConfiguration":{
"Port": "",
"RuntimeEnvironmentSecrets":{
"Credential1": "arn:aws:secretsmanager:::secret:XXXXXXXXXXXX",
"Credential2": "arn:aws:ssm:::parameter/"
},
"ImageRepositoryType":"ECR"
}
},
"InstanceConfiguration": {
"CPU": "1 vCPU",
"Memory": "3 GB",
"InstanceRoleArn: ""
}
...
}
```
**Example Input.json file for code-based App Runner service**
```
{
"ServiceName": "example-secrets",
"SourceConfiguration": {
"AuthenticationConfiguration": {
"ConnectionArn": "arn:aws:apprunner:us-east-1:123456789012:connection/my-github-connection/XXXXXXXXXX"
},
"AutoDeploymentsEnabled": false,
"CodeRepository": {
"RepositoryUrl": "",
"SourceCodeVersion": {
"Type": "BRANCH",
"Value": "main"
},
"CodeConfiguration": {
"ConfigurationSource": "API",
"CodeConfigurationValues": {
"Runtime": "",
"BuildCommand": "",
"StartCommand": "",
"Port": "",
"RuntimeEnvironmentSecrets": {
"Credential1":"arn:aws:secretsmanager:::secret:XXXXXXXXXXXX",
"Credential2":"arn:aws:ssm:::parameter/"
}
}
}
}
},
"InstanceConfiguration": {
"Cpu": "1 vCPU",
"Memory": "3 GB",
"InstanceRoleArn": ""
}
}
```
**Example Code-based App Runner service – Request**
```
aws apprunner create-service \
--cli-input-json file://input.json
```
**Example Code-based App Runner service – Response**
```
{
...
"SourceConfiguration":{
"CodeRepository":{
"RepositoryUrl":"",
"SourceCodeVersion":{
"Type":"Branch",
"Value":"main"
},
"CodeConfiguration":{
"ConfigurationSource":"API",
"CodeConfigurationValues":{
"Runtime":"",
"BuildCommand":"",
"StartCommand":"",
"Port":"",
"RuntimeEnvironmentSecrets":{
"Credential1" : "arn:aws:secretsmanager:::secret:XXXXXXXX",
"Credential2" : "arn:aws:ssm:::parameter/"
}
}
}
},
"InstanceConfiguration": {
"CPU": "1 vCPU",
"Memory": "3 GB",
"InstanceRoleArn: ""
}
...
}
```
1. The `apprunner.yaml` model is updated to reflect the added secrets.
The following is an example of the updated `apprunner.yaml`model.
**Example `apprunner.yaml`**
```
version: 1.0
runtime: python3
build:
commands:
build:
- python -m pip install flask
run:
command: python app.py
network:
port: 8080
env:
- name: MY_VAR_EXAMPLE
value: "example"
secrets:
- name: my-secret
value-from: "arn:aws:secretsmanager:::secret:XXXXXXXXXXXX"
- name: my-parameter
value-from: "arn:aws:ssm:::parameter/"
- name: my-parameter-only-name
value-from: "parameter-name"
```