This document shows how to create a Secrets Manager secret, reference it in an Amazon ECS task definition, and then verify that it worked by printing the environment variables inside the container, which show the contents of the secret.
Step 1 is to create a basic secret that stores two key/value pairs (in this walkthrough the keys are env and owner). Each key/value pair in the secret becomes one environment variable in the ECS container.
Note: see Creating a Basic Secret in the AWS Secrets Manager User Guide.
For Amazon ECS to retrieve the sensitive data from your Secrets Manager secret, the task definition must reference a task execution IAM role, and that role must be allowed to read the secret. The container agent assumes the execution role to pull the secret values when the task starts; the task role that your application code uses does not need this permission. Use the IAM console to add the required permissions to the task execution role:
- Open the IAM console.
- In the navigation pane, choose Roles.
- Search the list of roles for ecsTaskExecutionRole and select it.
- Choose Permissions and add inline policy.
- Choose the JSON tab and paste the following policy, replacing the placeholders with the full ARN of the Secrets Manager secret you created in step 1 (and of its KMS key, if it uses a customer managed key).
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"kms:Decrypt"
],
"Resource": [
"arn:aws:secretsmanager:region:aws_account_id:secret:secret_name",
"arn:aws:kms:region:aws_account_id:key/key_id"
]
}
]
}
- secretsmanager:GetSecretValue – lets the agent retrieve the secret value from Secrets Manager.
- kms:Decrypt – required only if the secret is encrypted with a customer managed KMS key rather than the AWS managed key (aws/secretsmanager). Drop the KMS resource line if you use the default key.
The full secret ARN ends with a random six-character suffix that Secrets Manager appends to the name (for example -r1lGak in the task definition below). A Resource that names the secret without the suffix does not match, so copy the ARN from the Secrets Manager console or use the -?????? wildcard form. Scope the statement to the specific secrets the task needs rather than granting GetSecretValue on every secret in the account.
Next, use the Amazon ECS console to create a task definition that references the Secrets Manager secret:
- Open the Amazon ECS console.
- In the navigation pane, choose Task definitions.
- Choose Create new task definition, Create new task definition with JSON.
{
"taskDefinitionArn": "arn:aws:ecs:ap-south-1:319425611096:task-definition/ecs-secrets-poc",
"containerDefinitions": [
{
"name": "container-a",
"image": "public.ecr.aws/nginx/nginx:mainline-alpine3.18-perl",
"cpu": 0,
"portMappings": [],
"essential": true,
"command": [
"/bin/sh",
"-c",
"while true; do env; sleep 60; done"
],
"environment": [],
"mountPoints": [],
"volumesFrom": [],
"secrets": [
{
"name": "env",
"valueFrom": "arn:aws:secretsmanager:ap-south-1:319425611096:secret:poc/service-a/test-r1lGak:env::"
},
{
"name": "owner",
"valueFrom": "arn:aws:secretsmanager:ap-south-1:319425611096:secret:poc/service-a/test-r1lGak:owner::"
}
],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-create-group": "true",
"awslogs-group": "/ecs/ecs-secrets-poc",
"awslogs-region": "ap-south-1",
"awslogs-stream-prefix": "ecs"
}
},
"systemControls": []
}
],
"family": "ecs-secrets-poc",
"executionRoleArn": "arn:aws:iam::319425611096:role/ecsTaskExecutionRole",
"networkMode": "awsvpc",
"volumes": [],
"status": "ACTIVE",
"placementConstraints": [],
"compatibilities": [
"EC2",
"FARGATE"
],
"requiresCompatibilities": [
"FARGATE"
],
"cpu": "1024",
"memory": "2048",
"runtimePlatform": {
"cpuArchitecture": "X86_64",
"operatingSystemFamily": "LINUX"
},
"tags": []
}
- Choose Create.
A few notes on the JSON above. taskDefinitionArn, status, and compatibilities are output fields returned when ECS describes a registered task definition; RegisterTaskDefinition does not take them, so drop them if you register the same JSON with the CLI. Each entry in secrets maps an environment variable name to a valueFrom of the form arn:aws:secretsmanager:region:account:secret:secret-name:json-key:version-stage:version-id. The trailing env:: therefore selects the env key from the secret's JSON at the current version, and owner:: selects the owner key; a valueFrom that stops at the secret ARN injects the whole secret string instead. Selecting an individual JSON key this way requires Fargate platform version 1.4.0 or later (or ECS container agent 1.23.0 or later on EC2). The command in this task prints the environment every 60 seconds so the injected values can be checked in the logs; it exists only for this proof of concept.
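The policy step above and the task definition's secrets entries have to agree: every valueFrom ARN must be covered by a Resource in the execution role's policy, and the random six-character suffix on secret ARNs is an easy way to get that wrong. The following Python script is an added example, not code from this page or from AWS. It parses the valueFrom format, strips the json-key:version-stage:version-id selector, and checks each secret ARN against an inline IAM policy using IAM's * and ? wildcards. The task definition and policy it checks are constructed for the example (account 123456789012, placeholder secret suffixes, and a second container secret that the policy deliberately does not cover). It evaluates Allow statements only; Deny statements and Condition blocks are not modelled.

```python
import json
import re

# Constructed inputs for the example (not the page's real task definition):
# same shape as the page's JSON, placeholder account and secret suffixes.
TASK_DEF = {
    "family": "ecs-secrets-poc",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [
        {
            "name": "container-a",
            "secrets": [
                {"name": "env",
                 "valueFrom": "arn:aws:secretsmanager:ap-south-1:123456789012:secret:poc/service-a/test-AbCdEf:env::"},
                {"name": "owner",
                 "valueFrom": "arn:aws:secretsmanager:ap-south-1:123456789012:secret:poc/service-a/test-AbCdEf:owner::"},
                # Whole-secret reference (no json-key selector) that the policy below omits.
                {"name": "DB_PASSWORD",
                 "valueFrom": "arn:aws:secretsmanager:ap-south-1:123456789012:secret:poc/service-b/db-XyZ123"},
            ],
        }
    ],
}

# Constructed inline policy for the execution role, scoped to one secret.
# The ?????? wildcard matches the six random characters Secrets Manager
# appends to every secret ARN, so the policy survives secret re-creation.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["secretsmanager:GetSecretValue"],
    "Resource": ["arn:aws:secretsmanager:ap-south-1:123456789012:secret:poc/service-a/test-??????"]
  }]
}""")


def split_value_from(value_from):
    """Split an ECS valueFrom into (secret ARN, json_key, version_stage, version_id).

    Format: arn:aws:secretsmanager:region:account:secret:name-suffix[:json-key:version-stage:version-id]
    Secret names may contain '/' but never ':', so the first seven ':'-separated
    fields are the ARN and anything after them is the optional selector.
    Empty selector fields mean "default", returned here as None.
    """
    parts = value_from.split(":")
    if len(parts) < 7 or parts[2] != "secretsmanager" or parts[5] != "secret":
        raise ValueError("not a Secrets Manager secret ARN: %s" % value_from)
    arn = ":".join(parts[:7])
    selector = parts[7:]
    if selector and len(selector) != 3:
        raise ValueError("selector must be json-key:version-stage:version-id: %s" % value_from)
    json_key, stage, version_id = (selector + ["", "", ""])[:3]
    return arn, json_key or None, stage or None, version_id or None


def _iam_match(pattern, value):
    """IAM-style glob match: * matches any run of characters, ? exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def policy_allows(policy, action, resource):
    """True if some Allow statement matches both the action and the resource.
    Simplification: Deny statements and Condition blocks are not evaluated."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(_iam_match(a, action) for a in actions) and any(_iam_match(r, resource) for r in resources):
            return True
    return False


def check_task_secrets(task_def, policy):
    """Return (container, env var name, secret ARN, allowed) for every secret in the task."""
    results = []
    for container in task_def["containerDefinitions"]:
        for secret in container.get("secrets", []):
            arn, _key, _stage, _version = split_value_from(secret["valueFrom"])
            allowed = policy_allows(policy, "secretsmanager:GetSecretValue", arn)
            results.append((container["name"], secret["name"], arn, allowed))
    return results


if __name__ == "__main__":
    for container, name, arn, allowed in check_task_secrets(TASK_DEF, POLICY):
        print("%-4s %s/%s <- %s" % ("ok" if allowed else "MISS", container, name, arn))
```

Run against the constructed inputs, env and owner are reported ok and DB_PASSWORD is reported MISS. In a real cluster that MISS shows up as the task failing to start with a ResourceInitializationError about pulling secrets, and the fix belongs in the execution role policy, not in the task definition.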
Next, use the Amazon ECS console to create a cluster with the Fargate launch type, then create a service in that cluster from the ecs-secrets-poc task definition registered above, using the awsvpc networking and Fargate settings that the task definition requires.
To verify that every step completed and the environment variables were populated in the container, open the task's CloudWatch Logs stream in the /ecs/ecs-secrets-poc log group: the output of env shows the env and owner variables carrying the values stored in the secret.
Because the container command prints the environment every 60 seconds, the secret values are written to CloudWatch Logs in clear text. That is acceptable only for a throwaway proof of concept: delete the log group, service and task definition when finished, and never ship a command that prints the environment in a real service.
References
1. Retrieve Secrets Manager secrets through environment variables (Amazon ECS Developer Guide)
2. Specifying Sensitive Data Using Secrets Manager Secrets (Amazon ECS Developer Guide)