[ECS] [secrets]: support parameter name from AWS Secrets Manager #385
Comments
|
This came up in a recent conversation as if the feature already exists. If someone has documentation for how to implement this please drop a note here. It would be much appreciated. |
|
Ran into this issue earlier this week with RDS credentials generated by SecretsManager. The ECS ContainerDefinition.Secrets only support an Arn for CloudFormation offers support for "dynamic references" for SecretsManager of the form The downside of this approach is that it bakes the secret into the stack on create/update operations, meaning a rotation of the secret would not be picked up by new tasks until the stack is updated. |
|
I would love this functionality so we can have 1 secret in secrets manager per ECS task instead of 1 per every secret a task requires. |
|
Any updates on that @coultn ? Is it on roadmap? |
|
This is something really nice because it would avoid unnecessary costs. For example: Imagine that, to access an API, we should inform username and password. We could simply store them together in one secret: Secret name: prod/api/trackify {
"username": "myusername",
"password": "mypassword"
}With the current limitation, we can store each json property on its own secret, incurring in more costs: Secret name: prod/api/trackify/username Secret name: prod/api/trackify/password |
Apologies for the delay in responding - we are aware of the request and are evaluating the priority. Additional thumbs-up on the issue are always welcome and we do pay attention to that when prioritizing. |
|
Also note that this requirement (one plaintext value per secret) is incompatible with the key rotation mechanisms and secret target attachments (eg RDS attachment, which requires a JSON structure to add the host/engine/port values). This makes the implementation particularly confusing. |
|
I agree that this would be a great option to have in ECS/Fargate. Maybe a new setting like In the mean time, we created a docker shim that can do this. We also use parameter store to achieve this but would prefer to standardize on Secrets Manager. |
|
Heads up that CodeBuild team just released exactly this with the following format. The ECS team should be talking to the CodeBuild team about these type of things, you guys are solving a lot of the same problems. secret-id:json-key:version-stage:version-id |
for roadmap issue aws#385 aws/containers-roadmap#385 this commit adds the ability for customers to add parameters to the secretsmanager ARN specified in containers. agent will be able to retrieve secret by version or retrieve part of a secret by json key. this commit also fixes a minor issue breaking go vet in an unrelated test.
for roadmap issue aws#385 aws/containers-roadmap#385 this commit adds the ability for customers to add parameters to the secretsmanager ARN specified in containers. agent will be able to retrieve secret by version or retrieve part of a secret by json key. this commit also fixes a minor issue breaking go vet in an unrelated test.
for roadmap issue aws#385 aws/containers-roadmap#385 this commit adds the ability for customers to add parameters to the secretsmanager ARN specified in containers. agent will be able to retrieve secret by version or retrieve part of a secret by json key. this commit also fixes a minor issue breaking go vet in an unrelated test.
for roadmap issue aws#385 aws/containers-roadmap#385 this commit adds the ability for customers to add parameters to the secretsmanager ARN specified in containers. agent will be able to retrieve secret by version or retrieve part of a secret by json key. this commit also fixes a minor issue breaking go vet in an unrelated test.
for roadmap issue aws#385 aws/containers-roadmap#385 this commit adds the ability for customers to add parameters to the secretsmanager ARN specified in containers. agent will be able to retrieve secret by version or retrieve part of a secret by json key. this commit also fixes a minor issue breaking go vet in an unrelated test.
for roadmap issue aws#385 aws/containers-roadmap#385 this commit adds the ability for customers to add parameters to the secretsmanager ARN specified in containers. agent will be able to retrieve secret by version or retrieve part of a secret by json key. this commit also fixes a minor issue breaking go vet in an unrelated test.
|
Assuming this release addressed ask here? Open while AWS add support to CloudFormation? |
|
@rich4j This is supported in CloudFormation now. We will keep this issue open while we are adding support for Fargate tasks in ECS. |
Hi there. Thanks for response. Does this mean that the feature is only available for ECS tasks using EC2 launch type? Don't think that comes across clearly in release and docs. |
|
Correct, it is EC2 only for now, as stated here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-secrets.html |
|
@coultn any prospect of this JSON key functionality trickling through to IAM to allow fine grain write permissions on individual fields, which would allow updating a secret without having access to retrieve it? |
|
I am blocked as ContainerDefinition:Secret doesn't support json key for ECS Fargate, it would be great appreciate if the support for Fargate can be added ASAP. |
I am using along with export DB_HOST=$(echo "$DB_SECRET" | jq .host)to extract the secrets inside my container. Not ideal, but it works. |
|
Hi Nick! DBMasterPassword: And Injecting it somehow into the ContainerDefinition: Is there a work around based on RDS, ECS/Fargate and CFN with or without key generation? Thanks! |
|
hi @ChristophEckerle |
|
Hi @srrengar, it is against our system architecture idea and would effect our setup. Is there no workaround available to pass DB secrets into a container definition on Fargate and in the same time to RDS? In RDS/Aurora Serverless it is not possible to put any ARN for the secrets like in Fargate: In Container Definition it is not possible to use resolve, like for Aurora Serverless/RDS: Every workaround is welcome! |
|
@ChristophEckerle This is my workaround Pass in an ENV variable without the specific secret (from a taskdefintion.json file) and then parse it in an entrypoint script like start.sh The ".endpoint" would be whatever the secret's label is. |
Unfortunately for tasks that use the Fargate launch type it is only supported to inject the full contents of a secret as an environment variable. Specifying a specific JSON key or version is not supported at this time. This limitation is being discussed on the link aws/containers-roadmap#385 Due the limitation on Fargate Launch Type, In regards of using ImportValue function on Cloudformation, you can import an value for example: ValueFrom: !ImportValue "Secretexport" *On my case, Secretexport is the Secret ARN And then you will need to parse the value, for example on the entrypoint: - "export MyPWD=$(echo ${passwordfromsm} | jq -r '.password')"
|
My case is that we did application services with ECS/EC2 and now we want to run some finite tasks on schedule with ECS/Fargate - and we've bumped into this problem. This is a small but crucial feature, I hope AWS prioritizes implementing it ASAP. |
|
I'm on the same boat. We just implemented secret rotation for RDS but now we need to change the way we get those secrets in the app, which is pretty painful. |
ghost
mentioned this issue
|
Any update on this? It would be really useful. |
|
+1, one monolithic secret in SSM injected as specific env vars seems to be the use case that makes sense for us coming off heroku to fargate. |
The video is 1h long. Could you please point us to the relevant part of the video? Thanks. |
|
I believe would be possible to support JSON keys by reverting this PR. We were using an older version of cdk (1.36.1) and were able to set environment variables for secret keys JSON keys through the ECS agent like such: I believe that a team upstream of CDK (CF? ECS?) must have added support to fix this issue. We tried upgrading to 1.62.0 and found that CDK was blocking deployments with "Cannot specify secret JSON field for a task using the FARGATE launch" despite the same Fargate task working right before the upgrade. |
@quickbooks2018 Just to be clear, are you saying that adding this policy makes parameter names from secrets work again? That kinda makes me wonder why it was disabled in the first place (in the PR mentioned above). I assumed it was not safe, or not working correctly? |
I don't think @quickbooks2018's answer relates to the original question. The whole point of this thread is to find a way to pass a value from a secret when the secret is in JSON format, by specifying a key. The example he describes works but it's simply for string secrets rather than secrets stored as part of a JSON structure. |
|
@quickbooks2018 I am still not sure what you are suggesting here. If you are talking about programmatic access to secrets manager from within the application - there are neither doubts nor problems with that, but that's not the problem we discussing here. Here we are talking about the absence of a declarative way to pass secret values as JSON property via ECS Task definition, e.g. Secrets:
- Name: redshift_db_password
ValueFrom: !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:some-secret-with-json-value:some-json-property::"UPDATE: I took some time and watched your video. You reference raw value from the secret manager, not the JSON property. Your suggestion is invalid, therefore. Curiously you yourself tell about this problem in your video and even reference this ticket, so not sure why you are confusing people here. |
|
Is there an update as to when this feature will be coming to Fargate? |
|
Totally agree that this is a big gap and look forward to a solution... If you can live with Parameter Store, securely injecting single-values as secrets/env in the task definition works just fine. |
|
@jonathan-atom Yes, we are already leveraging workarounds, but we want to get rid of them. Since this works for classic ECS, it needs to get rolled out to Fargate for parity. |
|
This would indeed really help! |
|
Hi everyone, thank you for your patience. This feature is now available in Fargate as of today. |
Fargate tasks running on platform version 1.4 can now reference a specific JSON field of a secret stored in Secrets Manager. Remove the error in `ContainerDefinition` and add a check on the platform version in `FargateService`. See https://aws.amazon.com/about-aws/whats-new/2020/11/aws-fargate-for-amazon-ecs-launches-features-focused-on-configuration-and-metrics/ See aws/containers-roadmap#385 (comment) Closes #11341 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
and others
Tell us about your request
I want to be able to inject Secret Key item from Secrets Manager to ECS
container_definitions.secretsWhich service(s) is this request for?
ECS
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
In task definition I have the following configuration:
but it gets injected as whole json object with other parameters:
Is it possible to get only one value from the secret?
Thank you
The text was updated successfully, but these errors were encountered: