Comprehensive Guide to Setting Environment Variables in Amazon EC2: From Tags to Parameter Store

Introduction

In cloud computing environments, environment variable management is a critical aspect of application configuration. Amazon EC2, as a widely used cloud server service, offers multiple approaches to setting environment variables. Unlike Platform-as-a-Service (PaaS) offerings like Elastic Beanstalk, EC2 as Infrastructure-as-a-Service (IaaS) requires more manual methods. This article systematically introduces how to effectively set and manage environment variables in EC2 instances.

Automated Solution Using EC2 Tags as Environment Variables

EC2 tags are essential features for AWS resource management, capable of storing key-value pair information. Through automated scripts, these tags can be converted into environment variables, enabling centralized configuration management. Below is a comprehensive solution based on best practices:

#!/bin/bash
# Install necessary tools
sudo apt-get update
sudo apt-get install -y jq awscli

# Get instance ID
INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)

# Query instance tags
tags=$(aws ec2 describe-tags \
    --filters "Name=resource-id,Values=$INSTANCE_ID" \
    --output json)

# Convert tags to environment variables
echo "$tags" | jq -r '.Tags[] | "export \(.Key)=\(.Value)"' | while read line; do
    eval "$line"
    echo "Environment variable set: $line"
done

# Verify environment variables
echo "Current environment variables:"
env | grep -E "DB_|APP_" || echo "No relevant environment variables found"

The core logic of this script involves three steps: first obtaining the instance ID through the instance metadata service, then using AWS CLI to query all tags for that instance, and finally using the jq tool to parse JSON output and export as environment variables. The main advantages of this approach include:

• High Automation: No need to manually log into each instance to set environment variables
• Centralized Management: All configurations managed uniformly through AWS Console
• Version Control Friendly: Tag changes are traceable, facilitating rollbacks

Implementation Details and Technical Points

Using Instance Metadata Service

The EC2 instance metadata service provides a standard interface for accessing instance information from within the instance. Key endpoints include:

# Get instance ID
curl http://169.254.169.254/latest/meta-data/instance-id

# Get region information
curl http://169.254.169.254/latest/meta-data/placement/availability-zone

# Get IAM role information
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

This information is crucial for building dynamic configurations, particularly in automated deployment scenarios.

AWS CLI and Permission Configuration

For the script to work properly, AWS CLI and corresponding IAM permissions must be correctly configured. The following IAM policy is necessary:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeTags",
            "Resource": "*"
        }
    ]
}

AWS CLI configuration is typically completed via the aws configure command, requiring access key, secret key, default region, and output format.

Data Processing with jq Tool

jq is a powerful command-line tool for processing JSON data. Key operations in environment variable conversion include:

# Extract all tag key-value pairs
echo "$tags" | jq -r '.Tags[] | "\(.Key)=\(.Value)"'

# Filter tags with specific prefix
echo "$tags" | jq -r '.Tags[] | select(.Key | startswith("DB_")) | "export \(.Key)=\(.Value)"'

Alternative Solutions and Comparative Analysis

User Data Script Approach

Using EC2 user data to execute scripts during instance launch allows direct environment variable setting:

#!/bin/bash
# User data script example
echo "export DB_PORT=5432" >> /etc/environment
echo "export APP_ENV=production" >> /etc/profile.d/app_env.sh
chmod +x /etc/profile.d/app_env.sh

The limitation of this method is that configurations are hardcoded in scripts, lacking dynamism.

AWS Systems Manager Parameter Store

AWS Systems Manager Parameter Store offers more secure, version-controlled configuration management:

#!/bin/bash
# Get configuration from Parameter Store
DB_PORT=$(aws ssm get-parameter \
    --name "/app/production/DB_PORT" \
    --with-decryption \
    --query "Parameter.Value" \
    --output text)

export DB_PORT

Parameter Store supports encrypted parameters, version control, and fine-grained permission management, suitable for sensitive configuration management.

Manual Setup Method

For temporary debugging or simple scenarios, shell configuration files can be directly modified:

# Edit bash configuration file
echo "export DB_PORT=5432" >> ~/.bashrc
source ~/.bashrc

# Verify setup
echo $DB_PORT

This method is straightforward but lacks automation and centralized management capabilities.

Best Practices and Recommendations

Naming Conventions and Security

Environment variable naming should follow these principles:

• Use uppercase letters with underscore separation
• Add application prefixes to avoid conflicts (e.g., APP_DB_HOST)
• Use encrypted storage for sensitive information
• Avoid committing configuration files with sensitive information to version control

CI/CD Pipeline Integration

Integrate environment variable setup into CI/CD pipelines:

# Add environment variable setup stage in deployment script
- name: Set environment variables
  run: |
    ./scripts/setup-env-vars.sh
    source /etc/profile.d/app_env.sh

Monitoring and Validation

Implement monitoring mechanisms for environment variable setup:

#!/bin/bash
# Environment variable validation script
required_vars=("DB_PORT" "DB_HOST" "APP_ENV")

for var in "${required_vars[@]}"; do
    if [ -z "${!var}" ]; then
        echo "Error: Environment variable $var not set"
        exit 1
    else
        echo "$var=${!var}"
    fi
done

Common Issues and Solutions

Permission Issues

If scripts cannot retrieve tag information, check the following aspects:

1. Whether IAM role is correctly attached to EC2 instance
2. Whether IAM policy includes ec2:DescribeTags permission
3. Whether AWS CLI configuration is correct

Script Execution Timing

Ensure environment variables are set before application startup:

• Add scripts to system startup services (e.g., systemd)
• Execute in Docker container entrypoint scripts
• Run via cloud-init mechanism during instance launch

Multi-Environment Management

For multiple environments like development, testing, and production, recommendations include:

# Distinguish environments based on instance tags
ENVIRONMENT=$(aws ec2 describe-tags \
    --filters "Name=resource-id,Values=$INSTANCE_ID" \
              "Name=key,Values=Environment" \
    --query "Tags[0].Value" \
    --output text)

# Load corresponding environment configuration
CONFIG_PREFIX="/app/$ENVIRONMENT"

Conclusion

Setting environment variables in Amazon EC2 requires balancing automation, security, and maintainability. The automated solution based on EC2 tags provides a good balance, particularly suitable for scenarios requiring centralized management and dynamic configuration. With the evolution of AWS services, newer offerings like Systems Manager Parameter Store provide more powerful capabilities. Developers should choose the most appropriate solution based on specific requirements. Regardless of the chosen method, standardized configuration management processes should be established to ensure consistency and security of environment variables.