Secure storage of Mobb broker in AWS Secrets Manager

This guide outlines the process of securely storing and managing the Mobb Broker Token within an ECS (Elastic Container Service) environment using AWS Secrets Manager. It details the steps involved in automating token rotations, securely storing the token using AWS Secrets Manager, and configuring ECS to automatically retrieve the token value from AWS Secrets Manager.

Pre-requisites

This guide is only applicable if you are hosting the Mobb broker on AWS ECS. For a regular docker container deployment, refer to the main broker deployment guide.

Workflow of managing broker token with AWS Secrets Manager

Step 1 - During token rotations, your Mobb organization’s administrator will generate a new Mobb Broker Token in the Mobb application via the UI (coming soon) or GraphQL API

Step 1.1 (Optional) - If required, the new token can be configured to be automatically shared across Mobb and your AWS Secrets Manager instances.

Step 2 - The token value obtained is stored in your AWS Secrets Manager

Step 3 - Mobb Broker hosted on ECS is configured to retrieve the new token value from the AWS Secrets Manager through the ECS Environment Variable automatic value retrieval feature. This can be achieved by setting the ECS Environment Variable parameter type to “ValueFrom” and the value to the Amazon Resource Name (ARN) of the AWS Secrets Manager secret. For more information, see the link:

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html

Here is a screenshot of the “valueFrom” parameter type in the AWS documentation:

Here is an example screenshot of the “ValueFrom” parameter type selection in the ECS environment variable configuration screen:

Additional Notes

The entire process can be fully automated via a cron job configured on your side. Mobb's engineering team can provide a sample script that can be loaded in your AWS environment (AWS Lambda, EC2, or ECS Scheduled Tasks), triggered on a periodic basis to ensure the token is automatically rotated prior to the defined expiry date (default is 3 months from the date the token was generated).