Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How should I pass sensitive environment variables to Amazon ECS tasks?

What is the recommended way to pass sensitive environment variables, e.g. passwords, to Amazon ECS tasks? With Docker Compose, I can use key-only environment variables, which results in the values being read from the OS environment. I can't see any corresponding method for ECS task definitions however.

like image 449
aknuds1 Avatar asked Feb 13 '16 17:02

aknuds1


1 Answers

Approach 1:

You can use Parameter Store to store the variables. If you store them as SecureString, the values will be encrypted.

You can reference them as environment variables in the task definition.

You need to retrieve them in the container startup script

value_from_parameter_store =`aws ssm get-parameter --name $parameter_store_key --with-decryption --output text --query Parameter.Value --region $REGION `

You can also mention parameter_store_key as an environment variable. so that you can use $parameter_store_key

Example

Dockerfile:

FROM ubuntu
//some other steps
CMD ["sh","/startup.sh"]

startup script:

#! /bin/bash
export db_password =`aws ssm get-parameter --name $parameter_store_key --with-decryption --output text --query Parameter.Value --region $REGION `
// Please note that above line has `(backtick) 
// Do other stuff and use this password 

Put parameter in SSM:

aws ssm put-parameter --name 'db_password' --type "SecureString" --value 'P@ssW%rd#1'

Docker run command:

docker run -e parameter_store_key=db_password -e REGION=us-east-1 <docker_image>

Approach 2:

Recently AWS announced secrets support in ContainerDefinition for ECS Using Secrets in ECS

like image 89
Gangaraju Avatar answered Sep 18 '22 01:09

Gangaraju