Pass Secrets Manager secrets programmatically in Amazon ECS
Instead of hardcoding sensitive information in plain text in your application, you can use Secrets Manager to store the sensitive data.
We recommend this method of retrieving sensitive data because if the Secrets Manager secret is subsequently updated, the application automatically retrieves the latest version of the secret.
Create a secret in Secrets Manager. After you create a Secrets Manager secret, update your application code to retrieve the secret.
Review the following considerations before securing sensitive data in Secrets Manager.
- Only secrets that store text data, which are secrets created with the SecretString parameter of the CreateSecret API, are supported. Secrets that store binary data, which are secrets created with the SecretBinary parameter of the CreateSecret API, are not supported.
- Use interface VPC endpoints to enhance security controls. You must create the interface VPC endpoints for Secrets Manager. For information about the VPC endpoint, see Create VPC endpoints in the AWS Secrets Manager User Guide.
- The VPC your task uses must use DNS resolution.
- Your task definition must use a task role with the additional permissions for Secrets Manager. For more information, see Amazon ECS task IAM role.
Create the Secrets Manager secret
You can use the Secrets Manager console to create a secret for your sensitive data. For information about how to create secrets, see Create an AWS Secrets Manager secret in the AWS Secrets Manager User Guide.
Update your application to programmatically retrieve Secrets Manager secrets
You can retrieve secrets with a call to the Secrets Manager APIs directly from your application. For information, see Retrieve secrets from AWS Secrets Manager in the AWS Secrets Manager User Guide.
To retrieve the sensitive data stored in the AWS Secrets Manager, see Code examples for AWS Secrets Manager using AWS SDKs in the AWS SDK Code Examples Code Library.
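The following is an added example, not code from this page or from AWS, of what the application-side retrieval described above can look like in Python with boto3. It reflects the considerations listed earlier: it rejects binary (SecretBinary) secrets instead of silently decoding them, it re-reads the secret after a short TTL so a rotated value is picked up without a restart, and it shows a least-privilege task role policy scoped to a single secret ARN. The secret name prod/app/db, the ARN passed to task_role_policy, and the fake client used in testing are assumptions; the real boto3 call used is get_secret_value(SecretId=..., VersionStage=...).

```python
"""Retrieve an AWS Secrets Manager secret from application code in an ECS
task. Added example; not code from the AWS documentation. Assumes the task
role already allows secretsmanager:GetSecretValue on the secret and that the
hypothetical secret "prod/app/db" exists as a SecretString key/value secret."""
import json
import time


class UnsupportedSecretError(Exception):
    """Raised for binary secrets, which this retrieval path does not support."""


def parse_secret_value(response):
    """Return the text payload of a GetSecretValue response.

    Only SecretString secrets are supported; a response carrying only
    SecretBinary is rejected rather than decoded.
    """
    if "SecretString" not in response:
        raise UnsupportedSecretError(
            f"secret {response.get('Name', '?')} has no SecretString "
            "(binary secrets are not supported)")
    value = response["SecretString"]
    # Key/value secrets created in the console are stored as a JSON object;
    # plaintext secrets (or JSON that is not an object) are returned as-is.
    try:
        parsed = json.loads(value)
    except ValueError:
        return value
    return parsed if isinstance(parsed, dict) else value


class SecretCache:
    """TTL cache: avoids a Secrets Manager API call on every request while
    still picking up a rotated secret once the entry expires."""

    def __init__(self, client, ttl_seconds=300, clock=time.monotonic):
        self._client = client      # any object with get_secret_value(SecretId=...)
        self._ttl = ttl_seconds
        self._clock = clock        # injectable for deterministic testing
        self._entries = {}         # secret_id -> (expires_at, parsed value)

    def get(self, secret_id):
        now = self._clock()
        entry = self._entries.get(secret_id)
        if entry is not None and entry[0] > now:
            return entry[1]
        # Real boto3 signature; AWSCURRENT is the stage of the live version.
        response = self._client.get_secret_value(
            SecretId=secret_id, VersionStage="AWSCURRENT")
        value = parse_secret_value(response)
        self._entries[secret_id] = (now + self._ttl, value)
        return value


def task_role_policy(secret_arn):
    """Least-privilege IAM policy for the ECS task role: read one secret and
    nothing else. secret_arn is supplied by the caller (placeholder in tests)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": [secret_arn],
        }],
    }


def build_client(region_name=None):
    """Create the real boto3 client. Inside an ECS task the SDK picks up the
    task role credentials from the container credential endpoint; with a
    private-DNS interface VPC endpoint no endpoint_url override is needed.
    boto3 is imported lazily so the rest of the module works without it."""
    import boto3
    return boto3.client("secretsmanager", region_name=region_name)


if __name__ == "__main__":
    cache = SecretCache(build_client())
    creds = cache.get("prod/app/db")  # hypothetical secret name
    # Log key names only; never log the secret values themselves.
    print(sorted(creds) if isinstance(creds, dict) else "plaintext secret loaded")
```

The TTL is the trade-off between API cost and how quickly a rotated value takes effect; for database credentials it is common to also retry once with a fresh fetch when authentication fails, since the cached password may have just been rotated.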