Reputation: 294
I'm creating CloudFormation code to build an ECS cluster, where I need to fetch some values from AWS Parameter Store. I can't find any example code for this. It looks like 'ValueFrom' isn't supported in CloudFormation!!
Can anyone confirm?
The following is what I'm trying to use:
    ContainerDefinitions:
      - Name: !Ref ServiceName
        Image: !Ref Image
        PortMappings:
          - ContainerPort: !Ref ContainerPort
        Environment:
          - Name: DB_HOST
            Value: arn:aws:ssm:us-east-2:111111111111:parameter/dev/rds/DB_HOST
          - Name: DB_PASSWORD
            Value: arn:aws:ssm:us-east-2:111111111111:parameter/dev/rds/DB_PASSWORD
          - Name: DB_PORT
            Value: 5432
In the above case, the CloudFormation code executed without error, but it treated DB_HOST and DB_PASSWORD as simple/direct text and didn't take them from Parameter Store; check the highlighted part of the screenshot:
So it only works for DB_PORT and doesn't work for DB_HOST and DB_PASSWORD until I manually change 'value' (highlighted in the screenshot) to 'valueFrom', as in the picture below:
Basically, I'd like to use the 'valueFrom' option through CloudFormation!!
I also tried:
    Environment:
      - Name: DB_HOST
        ValueFrom: arn:aws:ssm:us-east-2:111111111111:parameter/dev/rds/DB_HOST
But it's not supported by CloudFormation and throws an error!!
Upvotes: 3
Views: 1933
Reputation: 131
After you manually change your Environment variables to ValueFrom, you can check out your JSON file in the TaskDefinition; it shows there as secrets, hence you should use Secrets instead of Environment in the ContainerDefinitions section of your CFT. Check out the screenshot I attached.
Upvotes: 0
Reputation: 238687
You shouldn't be using Environment for that. Instead, there is a dedicated section called Secrets.
Using this section you can pass your secrets to the containers. For example:
    Secrets:
      - Name: DB_HOST
        ValueFrom: arn:aws:ssm:us-east-2:111111111111:parameter/dev/rds/DB_HOST
Upvotes: 5