Specifying sensitive data using Secrets Manager secrets in Amazon ECS
Amazon ECS allows you to inject sensitive data into your containers by storing your sensitive data in AWS Secrets Manager secrets and then referencing them in your container definition. For more information, see Pass sensitive data to an Amazon ECS container.
Learn how to create a Secrets Manager secret, reference it in an Amazon ECS task definition, and then verify that it worked by querying the environment variable inside a container that shows the contents of the secret.
Prerequisites
This tutorial assumes that the following prerequisites have been completed:
- The steps in Set up to use Amazon ECS have been completed.
- Your user has the required IAM permissions to create the Secrets Manager and Amazon ECS resources.
Step 1: Create a Secrets Manager secret
You can use the Secrets Manager console to create a secret for your sensitive data. In this tutorial we will be creating a basic secret for storing a username and password to reference later in a container. For more information, see Create an AWS Secrets Manager secret in the AWS Secrets Manager User Guide.
The key/value pairs stored in this secret become the environment variable value in your container at the end of the tutorial.
Save the Secret ARN to reference in your task execution IAM policy and task definition in later steps.
Step 2: Add the secrets permissions to the task execution role
In order for Amazon ECS to retrieve the sensitive data from your Secrets Manager secret, the task execution role must have the secrets permissions. For more information, see Secrets Manager or Systems Manager permissions.
Step 3: Create a task definition
You can use the Amazon ECS console to create a task definition that references a Secrets Manager secret.
To create a task definition that specifies a secret
- Use the IAM console to update your task execution role with the required permissions.
- Open the console at https://console.aws.amazon.com/ecs/v2.
- In the navigation pane, choose Task definitions.
- Choose Create new task definition, Create new task definition with JSON.
- In the JSON editor box, enter the following task definition JSON text, ensuring that you specify the full ARN of the Secrets Manager secret you created in step 1 and the task execution role you updated in step 2. Choose Save.

  {
    "executionRoleArn": "arn:aws:iam::aws_account_id:role/ecsTaskExecutionRole",
    "containerDefinitions": [
      {
        "entryPoint": [
          "sh",
          "-c"
        ],
        "portMappings": [
          {
            "hostPort": 80,
            "protocol": "tcp",
            "containerPort": 80
          }
        ],
        "command": [
          "/bin/sh -c \"echo '<html> <head> <title>Amazon ECS Sample App</title> <style>body {margin-top: 40px; background-color: #333;} </style> </head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1> <h2>Congratulations!</h2> <p>Your application is now running on a container in Amazon ECS.</p> </div></body></html>' > /usr/local/apache2/htdocs/index.html && httpd-foreground\""
        ],
        "cpu": 10,
        "secrets": [
          {
            "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:username_value",
            "name": "username_value"
          }
        ],
        "memory": 300,
        "image": "httpd:2.4",
        "essential": true,
        "name": "ecs-secrets-container"
      }
    ],
    "family": "ecs-secrets-tutorial"
  }

- Choose Create.
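As an added example (not part of the tutorial or the AWS documentation), the following Python derives the execution-role policy required in step 2 from the task definition entered in step 3: it collects every Secrets Manager ARN referenced under secrets and emits an allow statement scoped to exactly those secrets. It assumes a constructed sample task definition with a placeholder account id and region, and that every valueFrom is a full Secrets Manager ARN, as the tutorial requires.

```python
import re

# Constructed sample task definition (placeholder account id and region), shaped
# like the tutorial's, with one secret reference on the container.
TASK_DEFINITION = {
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [{
        "name": "ecs-secrets-container",
        "image": "httpd:2.4",
        "secrets": [{
            "name": "username_value",
            "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:username_value",
        }],
    }],
    "family": "ecs-secrets-tutorial",
}

# Full Secrets Manager ARN, optionally followed by the ECS selectors
# :json-key:version-stage:version-id (each may be empty).
SECRET_ARN = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^:]+(?::[^:]*){0,3}$")


def referenced_secret_arns(task_def):
    """Distinct Secrets Manager secret ARNs referenced by any container's 'secrets'.
    Bare names and SSM parameter ARNs are rejected: the policy below only covers
    Secrets Manager, and the tutorial requires the full secret ARN."""
    arns = set()
    for container in task_def.get("containerDefinitions", []):
        for secret in container.get("secrets", []):
            value = secret["valueFrom"]
            if not SECRET_ARN.match(value):
                raise ValueError(f"not a full Secrets Manager ARN: {value}")
            # The IAM resource is the secret itself: keep the first seven
            # colon-separated fields and drop any json-key/version selectors.
            arns.add(":".join(value.split(":")[:7]))
    return sorted(arns)


def execution_role_policy(task_def):
    """Least-privilege policy for the task execution role: GetSecretValue on exactly
    the referenced secrets. A secret encrypted with a customer managed KMS key also
    needs kms:Decrypt on that key (not shown here)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": referenced_secret_arns(task_def),
        }],
    }
```

Attach the returned policy to the task execution role (the tutorial's clean-up step refers to it as ECSSecretsTutorial) rather than granting GetSecretValue on all secrets.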
Step 4: Create a cluster
You can use the Amazon ECS console to create a cluster containing a container instance to run the task on. If you have an existing cluster with at least one container instance registered to it that has the available resources to run one instance of the task definition created for this tutorial, you can skip to the next step.
For this tutorial we will be creating a cluster with one t2.micro container instance using the Amazon ECS-optimized Amazon Linux 2 AMI.
For information about how to create a cluster for the EC2 launch type, see Creating an Amazon ECS cluster for the Amazon EC2 launch type.
Step 5: Run a task
You can use the Amazon ECS console to run a task using the task definition you created. For this tutorial we will be running a task using the EC2 launch type, using the cluster we created in the previous step.
For information about how to run a task, see Running an application as an Amazon ECS task.
Step 6: Verify
You can verify that all of the steps were completed successfully and that the environment variable was created properly in your container using the following steps.
To verify that the environment variable was created
- Find the public IP or DNS address for your container instance.
  - Open the console at https://console.aws.amazon.com/ecs/v2.
  - In the navigation pane, choose Clusters, and then choose the cluster you created.
  - Choose Infrastructure, and then choose the container instance.
  - Record the Public IP or Public DNS for your instance.
- If you are using a macOS or Linux computer, connect to your instance with the following command, substituting the path to your private key and the public address for your instance:

  $ ssh -i /path/to/my-key-pair.pem ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com

  For more information about using a Windows computer, see Connect to your Linux instance using PuTTY in the Amazon EC2 User Guide.
  Important
  For more information about any issues while connecting to your instance, see Troubleshooting Connecting to Your Instance in the Amazon EC2 User Guide.
- List the containers running on the instance. Note the container ID for the ecs-secrets-tutorial container.

  docker ps

- Connect to the ecs-secrets-tutorial container using the container ID from the output of the previous step.

  docker exec -it container_ID /bin/bash

- Use the echo command to print the value of the environment variable.

  echo $username_value

  If the tutorial was successful, you should see the following output:

  password_value

Note
Alternatively, you can list all environment variables in your container using the env (or printenv) command.
Step 7: Clean up
When you are finished with this tutorial, you should clean up the associated resources to avoid incurring charges for unused resources.
To clean up the resources
- Open the console at https://console.aws.amazon.com/ecs/v2.
- In the navigation pane, choose Clusters.
- On the Clusters page, choose the cluster.
- Choose Delete Cluster.
- In the confirmation box, enter delete cluster name, and then choose Delete.
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Roles.
- Search the list of roles for ecsTaskExecutionRole and select it.
- Choose Permissions, then choose the X next to ECSSecretsTutorial. Choose Remove.
- Open the Secrets Manager console at https://console.aws.amazon.com/secretsmanager/.
- Select the username_value secret you created and choose Actions, Delete secret.