Are we sure that it must be stored in the app.yml file?
I did it like this;
# enter the app
cd /var/discourse
./launcher enter app
# pass the environment variables with the command at runtime
DISCOURSE_S3_BUCKET=my-bucket DISCOURSE_S3_REGION=us-east-1 DISCOURSE_S3_ACCESS_KEY_ID=abcdefg DISCOURSE_S3_SECRET_ACCESS_KEY=zxywqrst rake uploads:migrate_to_s3
I did it this way since I did not want my access key to stick around in the YAML file because I back that up in various places. Passing the AWS secret key through the environment is ~generally~ a little “safer”. I think, right? Not sure how long the scrollback history inside the app container persists, I am guessing it gets wiped after the container restarts.
I wanted to instead configure S3 access the “normal” way by storing the AWS Access Key and Secret Key in the server’s ~/.aws/credentials file, however, I am not entire sure how that would work with the app running inside the container.
Also, as per the guide here, you are instructed to just copy/paste the Access and Secret keys into the Discourse Admin Settings web UI and Save them there; it is not clear to me where these keys are getting stored in the back-end, since Saving them here does not populate the app.yml file with them. So I am guessing they are in the Postgres db somehwere? Hopefully encrypted, maybe?
I am hoping that by not storing the AWS Access and Secret keys in the app.yml, I will not run into any issues in the future? Is there some other process that requires the keys to live there?