Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support secrets for ECS local containers #797

Closed
efekarakus opened this issue Jun 18, 2019 · 0 comments
Closed

Support secrets for ECS local containers #797

efekarakus opened this issue Jun 18, 2019 · 0 comments
Assignees
@efekarakus
Labels
ecs-local Issues related to the "local" subcommand. Proposal

Comments

@efekarakus
Copy link
Contributor

efekarakus commented Jun 18, 2019
edited
Loading

Summary

As a ECS local user that's specifying sensitive data in my task definition,
I want ECS local to also inject these secrets as environment variables to my local containers,
So that I can validate my container's logic is correct.

Proposed Design

1. Add the ssm or secretsmanager ARN as Docker Labels to each service

While translating the container definition to a Compose file part of local create, we don't want to store the value of a secret as plain text. We'll first add the ARN as a docker label:

// From task-definition.json
{
  "containerDefinitions": [{
    "secrets": [{
      "name": "environment_variable_name",
      "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:secret_name-AbCdEf"
    }]
  }]
}
# To docker-compose.local.yml
my-service:
  environment:
    <environment_variable_name>=${<container-name>_<environment_variable_name}}
  labels:
    ecs-local.secret.enviroment_variable_name: "arn:aws:secretsmanager:region:aws_account_id:secret:secret_name-AbCdEf"

2. Preprend docker-compose up with secret's value

Part of local up now the we can parse the labels and fetch the value of each secret, and then we can run docker-compose up as:

<container-name>_<enviroment_variable_name>=VALUE_OF_SECRET docker-compose -f docker-compose.local.yml up -d

Acceptance Criteria

  • Run ecs-cli local up --task-def <REMOTE> with a task definition with multiple secrets
    • Then docker exec <CONTAINERID> env must output the value of the secret
@efekarakus efekarakus self-assigned this Jun 18, 2019
efekarakus added a commit to efekarakus/amazon-ecs-cli that referenced this issue Jun 19, 2019
@efekarakus
Add the ssm or secretsmanager ARN as Docker Labels to each service
329098c 
See aws#797 on how these labels can be used by "local up" to pass the
values of the secrets to the containers.
@efekarakus efekarakus mentioned this issue Jun 19, 2019
Merged
7 tasks
efekarakus added a commit to efekarakus/amazon-ecs-cli that referenced this issue Jun 19, 2019
@efekarakus
Add the ssm or secretsmanager ARN as Docker Labels to each service
e327623 
See aws#797 on how these labels can be used by "local up" to pass the
values of the secrets to the containers.
@efekarakus efekarakus mentioned this issue Jun 24, 2019
Merged
7 tasks
@efekarakus efekarakus added the ecs-local Issues related to the "local" subcommand. label Jun 25, 2019
@SoManyHs SoManyHs removed the Task label Aug 14, 2019
@remidebette remidebette mentioned this issue Jan 21, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@efekarakus efekarakus

Labels
ecs-local Issues related to the "local" subcommand. Proposal
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@clareliguori @efekarakus @SoManyHs