-
Notifications
You must be signed in to change notification settings - Fork 617
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature request: First class support for SSM parameter store as a secrets store #1209
Comments
Thanks for the feature request! It's added to our internal feature request tracker. :) |
+1 |
1 similar comment
+1 |
Hey @tomelliff, thanks for opening this issue! Secrets is one of the topics we've been thinking about internally and using SSM Secure Parameters is one of the implementations that we've started to look at. However, it's useful to think about this from the perspective of what the trust zones are and how that plays into the choice of appropriate technologies. Containers make it easy to have some levels of isolation and tend to be fairly secure by default (cgroups and namespaces plus a seccomp policy applied to limit syscalls). However, containers are also really flexible in that these security mechanisms can all be tuned or turned off, and we make those knobs available to you in your ECS task definition as well (the "privileged" and "linuxCapabilities" parameters, as well as the "securityOptions" parameter when you have a compatible Linux Security Module enabled). In ECS, we make it fairly easy to deploy multiple tasks to the same EC2 instance. If your security model is such that you want each task to be isolated from others, you should use the default configuration and not enable additional privileges for your tasks. If your security model is that the cluster represents how applications should be isolated from each other, you can take advantage of the isolation that EC2 instances provide to prevent one cluster from impacting another cluster. Here are some of the things we think about:
There are also some other implementations here that inform the way we think about this:
With all of that said, we're going to have to look at this from the perspective of making useful trade-offs; a ton of existing software expects secrets to be available in either environment variables or in files and we do want to make this feature useful with existing software too. I hope this helps shed some light on our thought process. We'd love feedback on everything I've written here to help guide our approach when we do build secret distribution. Sam |
+1 |
Meanwhile, I use https://github.com/springload/ssm-parent as an entrypoint for Docker to inject SSM parameters into a process environment. |
https://github.com/glassechidna/pstore is another tool which can be used as an entrypoint to get parameters from SSM. |
I'm also mentioning Chamber as I use it quite a bit: https://github.com/segmentio/chamber |
Similarly it would be nice to have a native way to interact with the new AWS Secrets Manager. |
++++1 |
+1 |
+++1 |
ECS needs to have support of SSM parameter reference in task definition. So many ugly hacks. Including issues with rate limiting when there are many containers booting up and calling a path namespace that could have 8 more keys. |
+1 |
7 similar comments
+1 |
+1 |
+1 |
+1 |
+1 |
+1 |
+1 |
+1 |
update: the prs for ssm parameter store integration via enviornment variables has been merged into our dev branch! will update this issue when once the feature is released. |
Instead of having each variable specified individually, would be nice to mention the namespace/path and all the variables falling under that namespace should be injected. With one variable per entry - the task definitions are to be updated each time a new variable is added, removed or renamed. Sure, this seems lousy with the risk that by mistake, the container might end up with huge number of parameters but flexibility comes with responsibility. Thoughts? |
@mohsinhijazee: we'll track this idea internally and update if we decide to move forward with it (or you'll see a pr i'm sure). hm but otherwise - do you think you could write a detailed proposal of how you think this should work and what the failure modes would look like. its always great to have direct input from users and is very helpful for working through our design process. we have some examples of proposals here. tbh we're still figuring out how to best empower users to contribute to design of features, but this feels like a good starting point. let me know if you have any questions, or even feel free to open a new issue to track this use case specifically. |
We are tracking secrets support for Fargate internally. I can't share dates at this time -- but I'll update this thread when changes are live. |
@CUBiKS We are tracking cf support for secrets internally. Once we get to know when it will be released, I will update the thread. |
@yumex93 Any updates since re:Invent about the ability to use something like "ValueFrom" as opposed to "Value" in the CF Environment object of key value pairs? I am specifically interested in the EC2 launch type. I am guessing the only option otherwise is to use something like mentioned above with an entry point script. |
What isn't clear to me is whether or not I can make API calls to Parameter Store or SSM to retrieve secrets from inside a process running in a Fargate based container? Until the Fargate platform supports SSM exported environment varialbes, I would be happy to make API calls from with inside my application code, is this a possible workaround in the meantime ? The reason I ask is because I tried calling SSM today from inside fargate and wound up with errors about AWS_CONTAINER_CREDENTIALS_RELATIVE_URI being empty? @petderek, @samuelkarp are we stuck with nothing for now? |
Actually after a bunch of reading, I realized that if setting Sorry for the noise. |
@pmyjavec cool stuff... However, I want to be clear that this is tangential to the actual feature request here. Fargate or not, I am aware that you can manually define environment variables for an ECS task to look up values from the SSM parameter store by using the "valueFrom" parameter flag provided in the console UI. The gap is that there is no way to do this outside of the console UI, such as in a cloud formation template. I am currently exploring utilizing some sort of entrypoint wrapper solution mentioned above, but I have some JVM based solutions, and some node solutions, so I really dont have a common 'environment' that could be written to execute these strategies. @yumex93 @petderek @samuelkarp - am I wrong here? |
@stguitar You should be able to make API calls to AWS services (including SSM Parameter Store) from within Fargate containers. You will need to ensure that you've specified an IAM role for your task. If you're having issues using IAM roles, you can open an issue or a support case. |
@samuelkarp Thanks for the tip! You are referring to using something like an entrypoint to fetch those upon container start correct? In other words, there still is no direct way like issue described at the top of this thread to specify the path in the env variable key pairing directly at this point? |
@stguitar Correct, this feature has not been released for Fargate yet. |
@samuelkarp I am actually not using Fargate :D I think there is some cross talk on this thread to make it hard to follow (at least in my opinion). are you saying this IS supported for EC2 launch types? |
My apologies. You can reference values in SSM Parameter Store in environment variables for the EC2 launch type today; documentation is available here. While we do not have support for this in CloudFormation yet, you can use the AWS Console, the AWS CLI, or the AWS SDK to create task definitions that use this feature. |
@samuelkarp cool link, so maybe im getting too excited here... So this link you shared has a snippet for a task definition
Is this not a CloudFormation snippet? This looks like its injecting parameter store values into the environment for the container? If this is the case, christmas came early. |
@stguitar - that is the json representation of a task-definition. |
@CUBiKS AH... well, rats! Ok, cool stuff. Thanks to everyone for clarifying this for me, and I look forward to the CloudFormation support. Is this the right place to keep up to date on that, and do you have any kind of timeline before I hack too much on getting an alternative solution in place? |
While the support for Fargate is on the way, can we at least have an error while creating a task definition with I've just spent a lot of time trying to figure out why my task could not be started. The error Also, adding that this is not supported for Fargate to the doc for |
This issue has been closed with the announcement of Fargate Platform Version 1.3 (https://aws.amazon.com/about-aws/whats-new/2018/12/aws-fargate-platform-version-1-3-adds-secrets-support/), but unfortunately this error still occurs when trying to create a service in the management console that uses tasks with secrets. |
EDIT: @bjornbos Is there a work around for this? I'm define the secrets in my ecs-params.yml with launch type FARGATE and deploying the service with ecs-cli |
@kueben Actually, you can use the secrets manager, but it requires a special trick as described in https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-ps-secretsmanager.html So I created a secret in the secret manager with name a/b/c and gave that a plain text value, let's say "secretvalue". Then, in your Fargate json you add the secret in the following way:
Now it works :) |
@bjornbos I have this set up with a fargate task and there's no errors thrown but accessing the environment variable |
@steverecio Make sure you use "valueFrom" and not "value". I have the following IAM policy attached to the executor role
|
Hmm I have those IAM policies attached and I'm using I have the same settings but from the reference I see an ARN For reference I'm creating my values using terraform |
@steverecio Your reference is incorrect, should be using |
I can read without problems from Secret Manager using ssm but If I try to read directly from SecretManager using
My tasks can't be executed and I got the following message: The specified platform does not satisfy the task definition’s required capabilities. I'm using Fargate version 1.3.0, any ideas ? |
I am new to the ParamStore and ECS. It seems to me that the new task definitions can import the secrets as Environment variables as long as the task definition is static "secrets": [ This is fine if the Task needs to get a secret of a service account. Can TaskDefintion accept either User variables or environment variables?? "secrets": [ |
@bjornbos works fine for ssm also. Thanks |
No progress to get this functionality in CloudFormation? Link towards CloudFormation request: aws/containers-roadmap#97 (comment) |
I am also waiting for this functionality to be available in Cloudformation. |
It's "coming soon", follow that issue for updates. |
Summary
Use SSM parameter store as a secret store in a similar style to Kubernetes secrets.
Description
SSM parameter store currently works as a really low cost of entry secret store that allows applications with the appropriate IAM permissions to fetch and decrypt secrets at a given path. It's also used commonly by people running ECS who want to inject secrets into their containers at run time (to avoid baking them into containers and allowing for environment specific secrets) and recommended in some AWS blog posts.
Unfortunately this requires the application to fetch the secrets from SSM parameter store at start up or, probably more commonly, rely on an entrypoint script to fetch the secrets using the AWS CLI or something like confd.
This is a bit fiddly and also gets in the way when using a third party Docker image that has a useful entrypoint script that you don't want to have to extend to avoid drift between the official image's entrypoint script and your fork.
Ideally ECS would support having the ECS task read parameters from SSM parameter store at startup and inject them as environment variables or as volume mounts in tmpfs similar to Kubernetes.
I'm picturing something like this as a task definition:
where
/production/hello-world
is an SSM parameter that is optionally encrypted.Note that the task's IAM role must have permission to get the SSM parameter store (and decrypt it with the appropriate KMS key if it's encrypted).
This allows the ECS task's secrets to be separated from the application code and deployment parts and also means that users with read only access to the task definition can't easily view secrets that are injected as plain environment variables.
The text was updated successfully, but these errors were encountered: