Information source: It was released a while ago, but it's been less than a year, so I'll write down what kind of update it is.
CloudFormation Release List 2019/6/13 Release Features
AWS::ECS::TaskDefinition: The following properties are available for the ContainerDefinition property type:
- Use the Secrets property to specify the secrets to pass to the container.
- Use the Tags property to apply tags to your task definition to help you categorize and organize your metadata.
What's new?
The way sensitive values are retrieved from a Secrets Manager secret or an SSM Parameter Store parameter in an ECS task definition has been updated.
Before
Could only be set from JSON or the web console
After
Can now be set in CloudFormation
↓ In other words
The cluster, the service, and now the task definition too can all be completed in CloudFormation
\ I'm happy /
How
If you extract only the relevant part, it looks like this:
sample1.yml
```yaml
Resources:
  taskDefinition:
    Properties:
      ContainerDefinitions:
        - Secrets:
            - Name: HOGE
              ValueFrom: hoge
```
The whole task definition looks like this:
sample2.yml
```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  # (omitted: TaskFamilyName, TaskCommand and TaskLogsGroup are defined here)
Resources:
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      RequiresCompatibilities:
        - FARGATE
      Cpu: 256
      Memory: 512
      ExecutionRoleArn: ecsTaskExecutionRole
      Family: !Ref TaskFamilyName
      NetworkMode: awsvpc
      ContainerDefinitions:
        - Name: !Ref TaskFamilyName
          Image: !Sub ${AWS::AccountId}.dkr.ecr.ap-northeast-1.amazonaws.com/hoge
          Command: !Ref TaskCommand
          MemoryReservation: 128
          ReadonlyRootFilesystem: true
          Secrets:
            - Name: SECURE_TEST_STRING
              ValueFrom: secure_test_string
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref TaskLogsGroup
              awslogs-region: ap-northeast-1
              awslogs-stream-prefix: ecs
```
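The point of the Secrets property is that the credential itself never appears in the template: only a reference (a bare SSM parameter name, as above, or a Secrets Manager / SSM parameter ARN) does, and ECS resolves it at task start using the task execution role, which therefore needs permission to read the referenced parameter or secret. The following is an added example, not code from the original post, that lints a template already parsed into a dict (what `yaml.safe_load` or `json.load` would return) for the two mistakes that defeat that: a credential-looking value left in plaintext `Environment`, and a `Secrets` entry missing `Name` or `ValueFrom`. The template dict, the container name `app` and the `DB_PASSWORD` / `API_KEY` entries are constructed sample input; the `SECRET_NAME_RE` pattern is an assumption about naming conventions, not an AWS rule.

```python
import re
from typing import Dict, List

# Constructed sample template, already parsed into a dict. !Ref/!Sub values
# do not matter for these checks, so plain strings are used.
SAMPLE_TEMPLATE = {
    "Resources": {
        "TaskDefinition": {
            "Type": "AWS::ECS::TaskDefinition",
            "Properties": {
                "ContainerDefinitions": [
                    {
                        "Name": "app",
                        "Environment": [
                            {"Name": "LOG_LEVEL", "Value": "info"},
                            # A plaintext credential in Environment is exactly what Secrets replaces.
                            {"Name": "DB_PASSWORD", "Value": "not-a-real-password"},
                        ],
                        "Secrets": [
                            {"Name": "SECURE_TEST_STRING", "ValueFrom": "secure_test_string"},
                            {"Name": "API_KEY"},  # malformed: no ValueFrom
                        ],
                    }
                ]
            },
        }
    }
}

# Assumed naming convention: variables with these words usually hold credentials.
SECRET_NAME_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.IGNORECASE)


def classify_value_from(value_from: str) -> str:
    """Say which backing store a Secrets.ValueFrom points at.

    ECS accepts a Secrets Manager secret ARN, an SSM parameter ARN, or (for an
    SSM parameter in the same Region as the task) the bare parameter name.
    """
    if value_from.startswith("arn:aws:secretsmanager:"):
        return "secretsmanager"
    if value_from.startswith("arn:aws:ssm:"):
        return "ssm-parameter-arn"
    return "ssm-parameter-name"


def lint_task_definitions(template: Dict) -> List[str]:
    """Return human-readable findings for every ECS task definition in the template."""
    findings: List[str] = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::ECS::TaskDefinition":
            continue
        props = resource.get("Properties", {})
        for container in props.get("ContainerDefinitions", []):
            where = f"{logical_id}/{container.get('Name', '<unnamed>')}"
            # Plaintext Environment entries with secret-like names belong in Secrets.
            for var in container.get("Environment", []) or []:
                if SECRET_NAME_RE.search(var.get("Name", "")):
                    findings.append(f"{where}: plaintext Environment entry {var['Name']}; move it to Secrets")
            # Every Secrets entry needs both Name and ValueFrom to be accepted.
            for secret in container.get("Secrets", []) or []:
                if not secret.get("Name") or not secret.get("ValueFrom"):
                    findings.append(f"{where}: Secrets entry {secret!r} is missing Name or ValueFrom")
                else:
                    findings_store = classify_value_from(secret["ValueFrom"])
                    # Informational only; printed so reviewers see where each secret resolves.
                    print(f"{where}: {secret['Name']} resolves via {findings_store}")
    return findings


if __name__ == "__main__":
    for finding in lint_task_definitions(SAMPLE_TEMPLATE):
        print("FINDING:", finding)
```

Run it against your own template after parsing it (CloudFormation short-form tags such as `!Ref` need a custom YAML constructor, or use the JSON form of the template); the lint does not check IAM, so the execution role's read permission on each referenced parameter or secret still has to be verified separately.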
Try
Register secure_test_string and its value in the SSM Parameter Store.
Then, for example, if you write Python code like this to run on ECS, the container receives the value as an environment variable.
sample3.py
```python
import logging
from os import environ as env

# Without a configured level, logger.info() is dropped at the default WARNING level.
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)

# SECURE_TEST_STRING is injected by ECS from the Secrets entry in the task definition.
# This writes the value to CloudWatch Logs; it is here only to confirm the injection works.
logger.info('hoge / ' + env['SECURE_TEST_STRING'])
```
Result of deploying and executing ↓ (screenshot)
The value comes through :tada:
FYI
- https://aws.amazon.com/jp/blogs/news/securing-credentials-using-aws-secrets-manager-with-aws-fargate/
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-secret.html