Passing confidential information from SSM to ECS with CloudFormation

Information source: this was released a while ago, but since it has been less than a year, I'll write down what the update is.

CloudFormation release history, features released 2019/6/13:

AWS::ECS::TaskDefinition: the following properties are now available for the ContainerDefinition property type. Use the Secrets property to specify the secrets to pass to the container. Use the Tags property to apply tags to your task definition, to help you categorize and organize your metadata.

What's new?

The way you reference sensitive values from a Secrets Manager secret or an SSM Parameter Store parameter in an ECS task definition has been updated.

Before

Could only be set from a JSON task definition or the web console.

After

Can now be set in CloudFormation.

In other words:

Everything can be completed in CloudFormation, not only the cluster and service definitions but also the task definition.

\ I'm happy /

How

Extracting only the relevant part, it looks like this. Name is the environment variable the container will see; ValueFrom is the SSM parameter name (or ARN), or the ARN of a Secrets Manager secret. Only that reference is stored in the task definition; the ECS agent resolves the actual value when the task starts, using the task execution role, so the value never appears in the task definition itself (unlike a plaintext Environment entry).

sample1.yml


Resources:
  taskDefinition:
    Properties:
      ContainerDefinitions:
        - Secrets:
            - Name: HOGE
              ValueFrom: hoge

The whole task definition looks like this.

sample2.yml


AWSTemplateFormatVersion: 2010-09-09
Parameters:
  # The parameter declarations are omitted in the original; these minimal
  # declarations are added so the three !Ref values below resolve (types assumed).
  TaskFamilyName:
    Type: String
  TaskCommand:
    Type: CommaDelimitedList
  TaskLogsGroup:
    Type: String

Resources:
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      RequiresCompatibilities:
        - FARGATE
      Cpu: 256
      Memory: 512
      # The execution role is what the ECS agent uses to fetch the secrets at task start.
      # Besides the usual ECR pull and CloudWatch Logs permissions it needs
      # ssm:GetParameters on the parameter (and kms:Decrypt if the SecureString is
      # encrypted with a customer managed key rather than the default aws/ssm key).
      ExecutionRoleArn: ecsTaskExecutionRole
      Family: !Ref TaskFamilyName
      NetworkMode: awsvpc
      ContainerDefinitions:
        - Name: !Ref TaskFamilyName
          Image: !Sub ${AWS::AccountId}.dkr.ecr.ap-northeast-1.amazonaws.com/hoge
          Command: !Ref TaskCommand
          MemoryReservation: 128
          ReadonlyRootFilesystem: true
          Secrets:
            # SECURE_TEST_STRING becomes an environment variable inside the container;
            # its value is read from the SSM parameter named secure_test_string in the
            # task's own region (a bare name is allowed; otherwise use the full ARN).
            - Name: SECURE_TEST_STRING
              ValueFrom: secure_test_string
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref TaskLogsGroup
              awslogs-region: ap-northeast-1
              awslogs-stream-prefix: ecs
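The security point of the Secrets property is that the task definition only carries a reference, while an Environment entry stores the value itself in plaintext, readable by anyone allowed to call ecs:DescribeTaskDefinition. The other thing that bites in practice is the execution role: if it cannot read the parameter, the task simply fails to start. The script below, an added example that is not part of the original post, audits a task definition for credential-looking Environment entries and derives the least-privilege policy the execution role needs from the Secrets entries. The template is a constructed JSON rendering of the template above (CloudFormation accepts JSON too) with the intrinsics resolved to assumed values; the account id, region, the extra Secrets Manager reference and the deliberately bad API_TOKEN entry are all assumptions added for the demonstration.

```python
import json
import re

# Constructed sample: the CloudFormation task definition from this post rendered as
# JSON, with !Ref/!Sub already resolved to assumed example values. A second secret
# (Secrets Manager) and a deliberately bad plaintext Environment entry are added so
# the audit has something to flag.
TEMPLATE = json.loads(r'''
{
  "Resources": {
    "TaskDefinition": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "RequiresCompatibilities": ["FARGATE"],
        "Cpu": 256,
        "Memory": 512,
        "ExecutionRoleArn": "ecsTaskExecutionRole",
        "Family": "hoge-task",
        "NetworkMode": "awsvpc",
        "ContainerDefinitions": [{
          "Name": "hoge-task",
          "Image": "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/hoge",
          "ReadonlyRootFilesystem": true,
          "Secrets": [
            {"Name": "SECURE_TEST_STRING", "ValueFrom": "secure_test_string"},
            {"Name": "DB_PASSWORD",
             "ValueFrom": "arn:aws:secretsmanager:ap-northeast-1:123456789012:secret:prod/db-AbCdEf"}
          ],
          "Environment": [
            {"Name": "LOG_LEVEL", "Value": "INFO"},
            {"Name": "API_TOKEN", "Value": "hunter2"}
          ]
        }]
      }
    }
  }
}
''')

# Environment-variable names that usually carry a credential. Such a value set via
# Environment is stored in plaintext in the task definition, which is exactly what
# the Secrets property avoids.
SENSITIVE_NAME = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)


def secret_source(value_from, region, account):
    """Classify a Secrets[].ValueFrom reference and return (service, resource_arn).

    ECS accepts a full ARN for either service, or a bare parameter name for an SSM
    parameter in the task's own region; the bare name is expanded to the ARN that
    the execution role must be allowed to read.
    """
    if value_from.startswith("arn:aws:secretsmanager:"):
        return "secretsmanager", value_from
    if value_from.startswith("arn:aws:ssm:"):
        return "ssm", value_from
    # arn:aws:ssm:<region>:<account>:parameter/<name>; a leading "/" in the name is not doubled
    return "ssm", f"arn:aws:ssm:{region}:{account}:parameter/{value_from.lstrip('/')}"


def audit_task_definition(properties):
    """Return a list of human-readable findings for a task definition Properties dict."""
    findings = []
    for container in properties.get("ContainerDefinitions", []):
        cname = container.get("Name", "<unnamed>")
        for env in container.get("Environment", []):
            if SENSITIVE_NAME.search(env.get("Name", "")):
                findings.append(f"{cname}: {env['Name']} is set inline via Environment; "
                                "move it to Secrets so the value stays out of the task definition")
        if container.get("Secrets") and not properties.get("ExecutionRoleArn"):
            findings.append(f"{cname}: Secrets are used but no ExecutionRoleArn is set; "
                            "the ECS agent needs that role to fetch them")
        if not container.get("ReadonlyRootFilesystem"):
            findings.append(f"{cname}: ReadonlyRootFilesystem is not true")
    return findings


def execution_role_policy(properties, region, account, kms_key_arn=None):
    """Build the least-privilege IAM policy the execution role needs to inject every
    Secrets entry. kms:Decrypt is only needed when the parameter or secret is encrypted
    with a customer managed key instead of the AWS managed default key."""
    ssm_arns, sm_arns = [], []
    for container in properties.get("ContainerDefinitions", []):
        for secret in container.get("Secrets", []):
            service, arn = secret_source(secret["ValueFrom"], region, account)
            (ssm_arns if service == "ssm" else sm_arns).append(arn)
    statements = []
    if ssm_arns:
        statements.append({"Effect": "Allow", "Action": ["ssm:GetParameters"],
                           "Resource": sorted(set(ssm_arns))})
    if sm_arns:
        statements.append({"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
                           "Resource": sorted(set(sm_arns))})
    if kms_key_arn and statements:
        statements.append({"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": [kms_key_arn]})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    props = TEMPLATE["Resources"]["TaskDefinition"]["Properties"]
    for finding in audit_task_definition(props):
        print("FINDING:", finding)
    print(json.dumps(execution_role_policy(props, "ap-northeast-1", "123456789012"), indent=2))
```

Running it flags the API_TOKEN entry and prints a policy with one ssm:GetParameters statement scoped to the secure_test_string parameter ARN and one secretsmanager:GetSecretValue statement for the Secrets Manager ARN; attach that (plus the ECR and logs permissions) to the execution role instead of a wildcard on ssm:*.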

Try

Register a parameter named secure_test_string with a value in the SSM Parameter Store (use the SecureString type so the value is encrypted at rest with KMS).

Then, if the code that runs on ECS looks like the Python below, it receives the value as an ordinary environment variable.

sample3.py


import logging
from os import environ as env

# Without basicConfig, Python's default "last resort" handler only emits WARNING and
# above, so logger.info() would print nothing.
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)

# The secret is injected as a plain environment variable when the container starts.
# Printing it is fine for this one-off check, but never log secret values in a real
# service: CloudWatch Logs is far more widely readable than the SSM parameter.
logger.info('hoge / ' + env['SECURE_TEST_STRING'])

Deploy and run the task, and the value shows up in the log output.

It came through. 🎉

FYI
https://aws.amazon.com/jp/blogs/news/securing-credentials-using-aws-secrets-manager-with-aws-fargate/
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-secret.html
