Clement
Reputation: 4811
Updating ECS container without disclosing task definition environment variables
I was looking at this post on how to update a container of an ecs service. It requires me to pass in a JSON file with the task definition. My only worry is that if I have this on a CI/CD platform, I will have to commit my task definition, which contains secrets in the environment variables section.
Upvotes: 0
Views: 697
Answers (1)
Rik Turnbull
Reputation: 204
You should consider using AWS Parameter Store and chamber as described in this blog: https://aws.amazon.com/blogs/mt/the-right-way-to-store-secrets-using-parameter-store/
Briefly, the steps can be summarized as:
- Install
chamberlocally where you can run it with suitable AWS privileges. - Create a KMS key named
parameter_store_key. - Run
chamber write <service> <key> <value>to addkey=valueinto Parameter Store (<service>is a label for your application). - Assign your ECS Task an IAM Role that has permission to access the Parameter Store parameter and KMS key.
- Install
chamberinto your docker image. - Update the
ENTRYPOINTof your docker image to runchamber exec <service> -- yourapp. - The Parameter Store parameters for
<service>will now be available to your app in the environment.
Upvotes: 2
Related Questions
- Update Environment Variable Secrets in an ECS Container
- how to provide environment variables to AWS ECS task definition?
- Updating rather than replacing ECS Task Definition with CloudFormation
- How to run AWS ECS Task overriding environment variables
- How to set up secrets in ECS task definition for container environment variable?
- How to pass variables through to Docker container using the same ECS task definition to drive multiple environments
- How should I pass sensitive environment variables to Amazon ECS tasks?
- ECS: Environment variables set in task but not present in container
- Passing EC2 parameter store variables to an ECS task as environment variables
- How to specify sensitive environment variables with ECS CLI and ECS tasks?