gRPC over TLS using AWS NLB?


yz

Mar 6, 2018, 2:15:18 AM
to grpc.io
We are trying to use public facing gRPC on AWS. We know that one solution is to use AWS ELB and do SSL offloading on ELB. But we are more inclined to use the new NLB which does not support SSL termination. Hence we have to manage the certificates on the backend servers.

Is there a good practice to manage all the certificates for the EC2 instances? When EC2 spins up a new instance, how can we configure credentials automatically on it? I know this is more like a question about AWS, but just want to know if there is a good solution out there.

jdw...@gmail.com

Mar 7, 2018, 9:27:05 PM
to grpc.io
I put the credentials in an EFS that is attached to all the instances in my ECS cluster.

Then all apps just look in /efs/certs/

Only other note: be sure not to be silly like I was and try to use Let's Encrypt. Most other languages (Java) do not have Let's Encrypt in their CA.
