Config

September 5, 2025 ยท View on GitHub

Generally we encourage teams to pick the right technology for the task, but there are advantages to having consistency in how we manage our configuration.

It is recommended that apps use AWS Parameter Store for storing configuration.

Advantages of using Parameter Store:

  1. Granular read/write access
  2. Free to use
  3. Versioned
  4. Encryption at rest
  5. Monitoring of access
  6. Integrates with Cloudformation

Scala config

Our own simple-configuration library provides a convenient way to load config from Parameter Store and into Typesafe config objects. The readme includes an example of using it in a Play app.

For existing projects which currently have their config stored in Typesafe (HOCON) format files, you can migrate to Parameter Store using the parameter-store-migration tool.

Config files in scala projects

It is up to developers to decide how to use config files, but some (optional) common usages are:

  • Use reference.conf for default values
  • Use application.conf for non-secret items

It is possible to use config files as a way of documenting all config items, with values overridden by Parameter Store.

Lambdas

Lambdas may also use Parameter Store. It is possible to have config passed in as environment variables directly from Parameter Store, but we recommend fetching from the Parameter Store at runtime, especially for sensitive values. This is because:

  1. changes to the parameter might not be picked up by Cloudformation, and
  2. environment variables might be exposed in other contexts outside of the Lambda runtime, which makes them unsuitable for storing sensitive information.

Examples: fetching from Parameter Store and from Secrets Manager at runtime using the TypeScript sdk

Secret rotation

AWS Secrets Manager can perform secret rotation automatically for some AWS services.

For Play secret rotation you can use play-secret-rotation (which doesn't use Secrets Manager).

Config is injected on your application starting

We recommend and expect that config would be injected when your application starts. This ensures that we can change config values in Parameter Store, and only need to redeploy the application to see that change, rather than rebuild, or through another process.