Hey everybody. I am currently running into an issu...
# ask-questions
e
Hey everybody. I am currently running into an issue that I could use some help with if possible. I am trying to self-host GrowthBook on AWS. I am creating the CloudFormation using the CDK. I do not want to store the username and password of my database in plain text in the CDK, but because of how the CDK works, I cannot get the username and password out of the SSM parameters as strings until deploy time. That means that I cannot construct the MONGODB_URI environment variable in GrowthBook as a string from parameters stored in SSM. I was wondering if there was a way I could alter GrowthBook to take the database username, password, and cluster endpoint as environment variables, and then construct the URI in the GrowthBook app. Or if maybe there is another solution I am not seeing.
c
@elegant-king-24193 I had the same problem. It is a problem with how GB handles the MONGODB_URI and would be so simple to fix in the code. I just ended up storing the MONGODB_URI fully formed in AWS Secrets Manager and then just set that as an environment variable. I can share my entire CDK code but I think this will help you:
    :
    :
    const secrets = {
      MONGODB_URI: ecs.Secret.fromSecretsManager(docDB, 'MONGODB_URI'),
      JWT_SECRET: ecs.Secret.fromSecretsManager(growthbookSecret, 'JWT_SECRET'),
      ENCRYPTION_KEY: ecs.Secret.fromSecretsManager(growthbookSecret, 'ENCRYPTION_KEY'),
      EMAIL_HOST_PASSWORD: ecs.Secret.fromSecretsManager(growthbookSecret, 'EMAIL_HOST_PASSWORD'),
      SECRET_API_KEY: ecs.Secret.fromSecretsManager(growthbookSecret, 'SECRET_API_KEY'),
    }
    :
    :
    growthbookTask.addContainer('XYZGrowthBookContainer', {
      image,
      containerName,
      essential: true,
      logging: ecs.LogDrivers.awsLogs({
        streamPrefix: 'xyz-growthbook',
        logGroup,
      }),
      environment,
      secrets,
      portMappings: [{
        containerPort: 3000,
      }, {
        containerPort: 3100,
      }],
    })
    :
    :
Doing it this way obviously breaks some stuff but it solves the specific issue you are seeing. Here is a thread where I suggested a possible fix for the code: https://growthbookusers.slack.com/archives/C01T6Q1SVFV/p1695853665411299?thread_ts=1695783518.412269&cid=C01T6Q1SVFV
I like your idea too where GB would just look for username, password, and URI instead of the fully composed version. That would be a good solution too.
e
Hi @cuddly-finland-73937 thanks for the response 🙂 I don't know if I totally understand your solution. If you are making the docDb through the CDK, how are you managing to store the complete URI in the secrets manager? When I try to concatenate a string using the username and password of the database, I get the values of the tokens rather than the actual SecretValue. That is unless I write in plain text the username and password in the CDK, which I am trying to avoid. I would be fine with just passing the username, password, and cluster endpoint to growthbook and have it create the URI, but I'm not exactly sure how to edit the growthbook code and create a new image out of it using the updated code. It seems like a fairly simple fix when looking at the code.
c
You do not need to put the clear text U/P in your CDK code. It will pull it from secrets and set it in the environment variable as MONGODB_URL. I did have to put the entire MONGODB_URI string in the secrets.
Due to the way GB handles the Mongo credentials I could not come up with a way to keep them as just U/P and have them compose the mongodb uri at run time.
e
Can you show me how you did it in your code? When I try to create a string using the username and password secrets to set the MONGODB_URI, I end up getting the token values as the string, rather than the secret values.
c
I had the same problem. That is why I put the fully formed MONGODB_URI in secrets and set that in the environment.
e
Ah okay, that is the same thing I have been doing. It is just a little weird unfortunately, as I still have to do that manually through the console, and I'd prefer to have the whole thing automated in the CDK. Thanks for the help!
c
Yes, it is super annoying and easy to fix in the code. It significantly reduces the security of running GB in ECS.