What is the recommended way to pass sensitive environment variables, e.g. passwords, to Amazon ECS tasks? With Docker Compose, I can use key-only environment variables, which results in the values being read from the OS environment. I can't see any corresponding method for ECS task definitions however.
Approach 1:
You can use Parameter Store to store the variables. If you store them as SecureString
, the values will be encrypted.
You can reference them as environment variables in the task definition.
You need to retrieve them in the container startup script
value_from_parameter_store =`aws ssm get-parameter --name $parameter_store_key --with-decryption --output text --query Parameter.Value --region $REGION `
You can also mention parameter_store_key
as an environment variable. so that you can use $parameter_store_key
Example
Dockerfile:
FROM ubuntu
//some other steps
CMD ["sh","/startup.sh"]
startup script:
#! /bin/bash
export db_password =`aws ssm get-parameter --name $parameter_store_key --with-decryption --output text --query Parameter.Value --region $REGION `
// Please note that above line has `(backtick)
// Do other stuff and use this password
Put parameter in SSM:
aws ssm put-parameter --name 'db_password' --type "SecureString" --value 'P@ssW%rd#1'
Docker run command:
docker run -e parameter_store_key=db_password -e REGION=us-east-1 <docker_image>
Approach 2:
Recently AWS announced secrets support in ContainerDefinition for ECS Using Secrets in ECS
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With