How to pass rds.DatabaseCluster secrets as environment variable in a ECS Task

Question

I'm trying to set RDS Aurora credentials as environment variables to an ECS Task. Initially I'm passing it as plaintext on environments. I know the proper way to do it is using secrets but ApplicationLoadBalancedTaskImageOptions expects a Secret and the rds.DatabaseCluster returns another type of it. What is the correct way to manage the credentials on this case?

• db is a rds.DatabaseCluster instance

task_image_options=ecs_patterns.ApplicationLoadBalancedTaskImageOptions(
                image=ecs.ContainerImage.from_registry("sonarqube:8.2-community"),
                container_port=9000,
                # FIXME: by documentation this is the right way to pass creds, however this fail, the database secret is not the same type than the expected
                # secrets={
                #     "sonar.jdbc.password": ecs.Secret.from_secrets_manager(self.db.secret)
                # },
                environment={
                    'sonar.jdbc.url': url,
                    "sonar.jdbc.username": username,
                    "sonar.jdbc.password": self.db.secret.secret_value_from_json("password").to_string() #plaintext, FIXME
                }
            )

Answer 1

Usig the ts example from @mchlfchr, I got this working in python as follows

Creating a role and granting read permission on database credential

        #Create iam Role for Task
        self.task_role = iam.Role(
            self,
            id= "SonarTaskRole",
            role_name= "SonarTaskRole",
            assumed_by= iam.ServicePrincipal(service= "ecs-tasks.amazonaws.com"),
            managed_policies= [
                iam.ManagedPolicy.from_aws_managed_policy_name("service-role/AmazonECSTaskExecutionRolePolicy")
            ]
        )
        #Grant permission to the Task to read secret from SecretsManager
        self.db_secret.grant_read(self.task_role)

And passing as a secret:

                secrets={
                    "sonar.jdbc.username": ecs.Secret.from_secrets_manager(self.db_secret, field="username"),
                    "sonar.jdbc.password": ecs.Secret.from_secrets_manager(self.db_secret, field="password")
                },

Answer 2

What a dejavu!

I posted an article about this topic two days ago:

https://medium.com/@mchlfchr/i-tell-you-a-secret-provide-database-credentials-to-an-ecs-fargate-task-in-aws-cdk-339df4e3d071

Here you clearly can spot the differences between using secrets and environment variables.

Answer 3

If you want to consume value from the secret store then it should secrets not environment variable.

Replace environment variable with secrets like below

 "secrets": [
              {
               "name": "MY_KEY",
               "valueFrom": "arn:aws:secretsmanager:us-west-2:12345656:secret:demo-0Nlyli"
                }
            ]

Just place the ARN and ECS will inject the value during run time.

To set the Environment variable you need

"environment": [
                {
                    "name": "KEY",
                    "value": "VALUE"
                }
            ]

so in your case

"environment": [
                {
                    "name": "sonar.jdbc.url",
                    "value": "some-url"
                }
            ]

Answer 4

If you want to pass it as a secret, you first have to store the value in either AWS SecretsManager or AWS Parameter Store. Then you pass the ARN of the secret, from one of those two services, as the value in the ECS task definition and ECS will automatically pull the real value from SecretsManager or Parameter Store when it instantiates the container. This is documented here.