
I’m using the AWS ECS service to run my Docker containers (4 containers).

I also use Secrets Manager for storing and retrieving environment variables.

I would like to pass my Secrets Manager ARN, so the containers will access all my env vars without adding key=value in my task definition again (to avoid repeating myself).

I Googled and I found the following solution, but I’m not sure if it’s what I’m looking for:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:region:aws_account_id:secret:MySecretName"
        }
    ]
}

I want to avoid:

"secrets": [
    {
        "name": "MySecretEnvVariable1",
        "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:MySecretName"
    },
    {
        "name": "MySecretEnvVariable2",
        "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:MyOtherSecret"
    }
]

Expected:
I don’t want to repeat myself by entering key=value in the task definition again, since all my secrets are already in AWS Secrets Manager; I want to pass the ARN and the container should be able to access my secrets.

2 Answers


  1. Chosen as BEST ANSWER

    What do you think about the following solution:

    #!/bin/bash
    set -euo pipefail

    # Define the name of the specific Secret Manager (the value of the "SecretManager" tag)
    SECRET_MANAGER_NAME="YourSecretManagerName"

    # Retrieve the names of the secrets tagged with that Secret Manager name.
    # --output text yields whitespace-separated names; --output json would yield a
    # JSON array, which the for loop below would split into bracket/quote tokens.
    SECRET_NAMES=$(aws secretsmanager list-secrets --output text \
        --query "SecretList[?Tags[?Key=='SecretManager' && Value=='$SECRET_MANAGER_NAME']].Name")

    # Loop through the secret names and fetch their values
    for SECRET_NAME in $SECRET_NAMES; do
        SECRET_VALUE=$(aws secretsmanager get-secret-value --secret-id "$SECRET_NAME" --query SecretString --output text)
        # Extract the secret name without any path prefix (e.g. app/prod/DB_HOST -> DB_HOST)
        ENV_VAR_NAME=$(basename "$SECRET_NAME")
        # Set the secret value as an environment variable for the child process
        export "$ENV_VAR_NAME=$SECRET_VALUE"
    done

    # Execute your main application process here
    exec "$@"
    

  2. That IAM policy you included in your question would indeed give the ECS task permission to access the secret in SecretsManager, as long as you included that IAM policy in the ECS Task Execution Role.

    That just gives it permission though. To have ECS pass the actual secret value into your container, you need to configure the secrets in the task definition and then ECS will pass the value of those secrets into the container as environment variables.


    Regarding your updated question:

    If all you want to do is provide the code in your container the permission to access your secrets, then include that IAM policy in the ECS Task Role (not the task execution role). And include the Secret ARN as a regular environment variable string, not as an ECS Secret.

    Then your code will be responsible for taking the ARN from the environment variable, and calling the AWS SecretsManager API (via the AWS SDK for the programming language you are using) to pull in those secret values.
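The approach this answer describes (the secret's ARN arrives in a plain environment variable, the ECS task role grants secretsmanager:GetSecretValue on it, and the application itself calls the Secrets Manager API) can be implemented as below. This is an added example, not code from the thread or from AWS; it assumes the task definition sets an environment variable named SECRETS_ARN, that the secret is a JSON object of key/value pairs (the layout the question's "secrets" block implies), and that the fetched keys are usable as environment variable names. The ARN and secret values are constructed placeholders, and FakeSecretsClient is an offline stand-in for the boto3 client so the parsing logic runs without AWS access; boto3 is only imported when no client is injected.

```python
"""Load key/value secrets from Secrets Manager into the process environment.

Added example: ARN comes from an env var, the task role (not the execution
role) must allow secretsmanager:GetSecretValue on that ARN, and the SDK call
is made by the application. Values are never printed or logged.
"""
import json
import os
import re

# Assumed ARN shape: arn:aws:secretsmanager:<region>:<account>:secret:<name>-<suffix>
ARN_RE = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[A-Za-z0-9/_+=.@-]+$")
# POSIX-style environment variable names; a JSON key like "db.host" is rejected
ENV_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_secret_payload(response):
    """Turn a GetSecretValue response into a dict of env var name -> value.

    GetSecretValue returns SecretString (text) or SecretBinary (bytes). A JSON
    object maps directly to env vars; any other text becomes one variable named
    after the secret's Name field (a plain-text secret has no keys of its own).
    """
    if "SecretString" in response:
        raw = response["SecretString"]
    elif "SecretBinary" in response:
        raw = response["SecretBinary"].decode("utf-8")
    else:
        raise ValueError("response carries neither SecretString nor SecretBinary")
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        data = None
    if isinstance(data, dict):
        # Non-string JSON values (ports, flags) are stringified for the environment
        return {str(k): str(v) for k, v in data.items()}
    return {response["Name"]: raw}


def validate_env_names(secrets):
    """Fail early on keys that cannot be exported as environment variables."""
    bad = [k for k in secrets if not ENV_NAME_RE.match(k)]
    if bad:
        raise ValueError(f"secret keys are not valid env var names: {bad}")
    return secrets


def fetch_secret_env(secret_arn, client=None):
    """Validate the ARN, fetch the secret and return the env var mapping."""
    if not ARN_RE.match(secret_arn):
        raise ValueError(f"not a Secrets Manager ARN: {secret_arn!r}")
    if client is None:
        # Assumption: in the real container, boto3 picks up the task role credentials
        import boto3
        client = boto3.client("secretsmanager", region_name=secret_arn.split(":")[3])
    response = client.get_secret_value(SecretId=secret_arn)
    return validate_env_names(parse_secret_payload(response))


def load_into_environment(secret_arn, client=None, environ=os.environ):
    """Export every fetched key; returns the sorted names that were set, not values."""
    secrets = fetch_secret_env(secret_arn, client)
    for name, value in secrets.items():
        environ[name] = value
    return sorted(secrets)


class FakeSecretsClient:
    """Constructed offline stand-in for boto3's secretsmanager client."""

    def __init__(self, store):
        self.store = store

    def get_secret_value(self, SecretId):
        if SecretId not in self.store:
            raise KeyError("ResourceNotFoundException")
        return self.store[SecretId]


# Constructed sample data: placeholder ARN and values, not from the thread
SAMPLE_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/prod-AbCdEf"
SAMPLE_STORE = {
    SAMPLE_ARN: {
        "ARN": SAMPLE_ARN,
        "Name": "app/prod",
        "SecretString": json.dumps({"DB_HOST": "db.internal", "DB_PASS": "s3cr3t", "DB_PORT": 5432}),
    }
}

if __name__ == "__main__":
    arn = os.environ.get("SECRETS_ARN", SAMPLE_ARN)
    client = FakeSecretsClient(SAMPLE_STORE) if arn == SAMPLE_ARN else None
    print("loaded:", load_into_environment(arn, client, {}))  # names only
```

Keeping the task role's policy scoped to the single ARN (as in the question's policy) limits what a compromised container can read, and returning only the names from load_into_environment keeps secret values out of startup logs.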
