Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to use only password of secret from RDS in ECS #5665

Closed
konstantinj opened this issue Jan 6, 2020 · 5 comments · Fixed by #6435
Closed

How to use only password of secret from RDS in ECS #5665

konstantinj opened this issue Jan 6, 2020 · 5 comments · Fixed by #6435
Assignees
@SoManyHs @piradeepk
Labels
@aws-cdk/aws-ecs Related to Amazon Elastic Container @aws-cdk/aws-rds Related to Amazon Relational Database effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. in-progress This issue is being actively worked on.

Comments

@konstantinj
Copy link

❓ General Issue

I wonder what's the proposed way to use the generated secret from an rds instance/cluster.

const database = new rds.DatabaseCluster(this, 'DatabaseCluster', {
            removalPolicy: RemovalPolicy.DESTROY,
            defaultDatabaseName: scope.getConfig(this, 'wordpressDbName'),
            masterUser: {
                username: 'wordpress',
            },
            instances: 1,
            engine: rds.DatabaseClusterEngine.AURORA,
            instanceProps: {
                instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.SMALL),
                vpc: vpc,
            }
        })

In ECS I would like to get only the password. All other information is known anyway.

WORDPRESS_DB_PASSWORD: ecs.Secret.fromSecretsManager(database.secret?.secretValueFromJson('password')),

but this does not work. Modifications inside the container should not be the solution.

Environment

  • CDK CLI Version: 1.19.0
  • Module Version: 1.19.0
@konstantinj konstantinj added the needs-triage This issue or PR still needs to be triaged. label Jan 6, 2020
@jogold
Copy link
Contributor

jogold commented Jan 6, 2020

Sadly this is currently not possible without code modifications inside the conainter, see aws/containers-roadmap#385

@SomayaB SomayaB added @aws-cdk/aws-ecs Related to Amazon Elastic Container @aws-cdk/aws-rds Related to Amazon Relational Database labels Jan 7, 2020
@SomayaB SomayaB added the feature-request A feature should be added or improved. label Jan 7, 2020
@konstantinj
Copy link
Author

Got a workaround:

const wordpressDbPasswordSecret = new Secret(this, 'wordpressDbPassword', {
            secretName: '/' + [this.account, this.stackName, 'wordpressDbPassword'].join('/'),
            generateSecretString: {
                passwordLength: 20,
            }
        })

        const database = new rds.DatabaseCluster(this, 'DatabaseCluster', {
            removalPolicy: RemovalPolicy.DESTROY,
            defaultDatabaseName: 'wordpress',
            masterUser: {
                username: 'wordpress',
                password: SecretValue.secretsManager(wordpressDbPasswordSecret.secretArn),
            },
            instances: 1,
            engine: rds.DatabaseClusterEngine.AURORA,
            instanceProps: {
                instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.SMALL),
                vpc: vpc,
                vpcSubnets: {
                    subnetType: ec2.SubnetType.PRIVATE,
                },
            },
        })

@jogold
Copy link
Contributor

jogold commented Jan 7, 2020

This indeed works but note that you won't be able to rotate your DB password using the rotation application with this workaround.

@hencrice hencrice removed the needs-triage This issue or PR still needs to be triaged. label Jan 15, 2020
@konstantinj
Copy link
Author

https://aws.amazon.com/about-aws/whats-new/2020/02/amazon-ecs-now-supports-aws-secrets-manager-version-and-json-keys/

jogold added a commit to jogold/aws-cdk that referenced this issue Feb 25, 2020
@jogold
feat(ecs): secret JSON key for environment variables
810e93d 
Amazon Elastic Container Service now supports reading AWS Secrets Manager secrets from a key within a JSON object.

See https://aws.amazon.com/about-aws/whats-new/2020/02/amazon-ecs-now-supports-aws-secrets-manager-version-and-json-keys/

Closes aws#5665
@jogold jogold mentioned this issue Feb 25, 2020
Merged
@SomayaB SomayaB added the in-progress This issue is being actively worked on. label Feb 25, 2020
@ogrodnek
Copy link

ogrodnek commented Apr 2, 2020

Would be great to get the json key support for ECS secrets!

@MrArnoldPalmer MrArnoldPalmer added the effort/medium Medium work item – several days of effort label Apr 6, 2020
@mergify mergify bot closed this as completed in #6435 Apr 6, 2020
mergify bot pushed a commit that referenced this issue Apr 6, 2020
@jogold
feat(ecs): secret JSON key for environment variables (#6435)
97959f6 
feat(ecs): secret JSON key for environment variables

Amazon Elastic Container Service now supports reading AWS Secrets Manager secrets from a key within a JSON object.

See https://aws.amazon.com/about-aws/whats-new/2020/02/amazon-ecs-now-supports-aws-secrets-manager-version-and-json-keys/

Closes #5665
horsmand pushed a commit to horsmand/aws-cdk that referenced this issue Apr 8, 2020
@jogold @horsmand
feat(ecs): secret JSON key for environment variables (aws#6435)
06bc158 
feat(ecs): secret JSON key for environment variables

Amazon Elastic Container Service now supports reading AWS Secrets Manager secrets from a key within a JSON object.

See https://aws.amazon.com/about-aws/whats-new/2020/02/amazon-ecs-now-supports-aws-secrets-manager-version-and-json-keys/

Closes aws#5665
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@SoManyHs SoManyHs

@piradeepk piradeepk

Labels
@aws-cdk/aws-ecs Related to Amazon Elastic Container @aws-cdk/aws-rds Related to Amazon Relational Database effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. in-progress This issue is being actively worked on.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(ecs): secret JSON key for environment variables jogold/aws-cdk
8 participants
@ogrodnek @hencrice @konstantinj @MrArnoldPalmer @jogold @SomayaB @SoManyHs @piradeepk