diff --git a/Dockerfile b/Dockerfile index 75fa6d2a..2d010861 100644 --- a/Dockerfile +++ b/Dockerfile @@ -27,5 +27,8 @@ RUN sed -i -E 's@ErrorLog .*@ErrorLog /proc/self/fd/2@i' /etc/apache2/apache2.co RUN touch /etc/default/locale +ADD https://github.com/silinternational/config-shim/releases/latest/download/config-shim.gz config-shim.gz +RUN gzip -d config-shim.gz && chmod 755 config-shim && mv config-shim /usr/local/bin + EXPOSE 80 CMD ["/data/run.sh"] diff --git a/README.md b/README.md index e2e8ade1..b48fb072 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,26 @@ Backend API for Identity Provider Password Management 8. You'll probably also want the web interface for this application which you can clone at +## Configuration +By default, configuration is read from environment variables. These are documented +in the `local.env.dist` file. Optionally, you can define configuration in AWS AppConfig. +To do this, set the following environment variables to point to the configuration in +AWS: + +* `AWS_REGION` - the AWS region in use +* `APP_ID` - the application ID or name +* `CONFIG_ID` - the configuration profile ID or name +* `ENV_ID` - the environment ID or name + +In addition, the AWS API requires authentication. It is best to use an access role +such as an [ECS Task Role](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html). +If that is not an option, you can specify an access token using the `AWS_ACCESS_KEY_ID` and +`AWS_SECRET_ACCESS_KEY` variables. + +The content of the configuration profile takes the form of a typical .env file, using +`#` for comments and `=` for variable assignment. Any variables read from AppConfig +will overwrite variables set in the execution environment. + ### Additional setup for Linux & Mac 1. Add entry to ```/etc/hosts``` for ```127.0.0.1 idp-pw-api.local``` 2. Run ```docker build -t idp-pw-api .``` diff --git a/application/run.sh b/application/run.sh index e80cdae6..5d61b05f 100755 
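Review bot: The `ADD` in the Dockerfile hunk fetches `config-shim.gz` from `releases/latest/download` with no version pin and no integrity check, so each build can install a different binary and whatever that asset holds at build time lands in `/usr/local/bin`. Judging by the run.sh change in this commit, that binary wraps the `apache2ctl` start and presumably runs with the container's AWS credentials, so it should be pinned like any other dependency. Pin a release tag and verify a digest, e.g. `ADD --checksum=sha256:<DIGEST_OF_PINNED_ASSET> https://github.com/silinternational/config-shim/releases/download/<PINNED_VERSION>/config-shim.gz config-shim.gz`. This needs a BuildKit frontend that supports `--checksum`; otherwise check the file with `sha256sum -c` in the following `RUN` before installing it. The relative destination also depends on whatever `WORKDIR` is in effect above the hunk.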
--- a/application/run.sh +++ b/application/run.sh @@ -16,7 +16,11 @@ if [[ $APP_ENV == "dev" ]]; then apt-get update && apt-get install php-xdebug fi -apache2ctl -k start -D FOREGROUND +if [[ -z "${APP_ID}" ]]; then + apache2ctl -k start -D FOREGROUND +else + config-shim --app $APP_ID --config $CONFIG_ID --env $ENV_ID apache2ctl -k start -D FOREGROUND +fi # endless loop with a wait is needed for the trap to work while true diff --git a/local.env.dist b/local.env.dist index 00e74509..15a3e408 100644 --- a/local.env.dist +++ b/local.env.dist @@ -17,6 +17,21 @@ IDP_NAME= #IDP_DISPLAY_NAME= +# === AWS AppConfig === + +# The AWS region in use +AWS_REGION + +# The AppConfig Application ID (or name) +APP_ID + +# The AppConfig Configuration Profile ID (or name) +CONFIG_ID + +# The AppConfig Environment ID (or name) +ENV_ID + + # === email template data === # Email signature line, e.g. "Your friendly Help Desk team"
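Review bot: In the run.sh hunk the new `else` branch expands `$APP_ID`, `$CONFIG_ID` and `$ENV_ID` unquoted and tests only `APP_ID`. A value containing whitespace is therefore split into extra arguments, and an empty `CONFIG_ID` or `ENV_ID` vanishes, leaving `--config` followed directly by the next option. Quote the expansions and fail early on missing values: `config-shim --app "$APP_ID" --config "${CONFIG_ID:?}" --env "${ENV_ID:?}" apache2ctl -k start -D FOREGROUND`. A short comment such as `# APP_ID set: load config from AWS AppConfig via config-shim before starting Apache` would also help. The script continues outside the hunk, so how a non-zero exit from config-shim interacts with the trap and loop below cannot be judged from here.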
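Review bot: The four new entries in the local.env.dist hunk are bare names (`AWS_REGION`, `APP_ID`, `CONFIG_ID`, `ENV_ID`), while the surrounding entries use `NAME=` or a commented `#NAME=`. If this file is passed to Docker as an env file (not visible here), a bare name is taken from the host environment. An `APP_ID` that happens to be set on a developer's machine would then switch run.sh into AppConfig mode and, per the README text in this commit, overwrite local settings. Since these variables are optional, the commented form already used for `#IDP_DISPLAY_NAME=` fits better: `#AWS_REGION=`, `#APP_ID=`, `#CONFIG_ID=`, `#ENV_ID=`.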