I spent sometime researching on this, but still not clear on how ECS environment variables are safe to use in terms of security but ENV & ENV-FILE options for docker or not?
For example: AWS ECS documentation states that add secrets to task definition and they will be available as container environment variables.
Docker documentation has similar language:
The environment variables set using ENV will persist when a container is run from the resulting image. You can view the values using docker inspect, and change them using docker run --env =.
Now, the question I am couldn't find answer for is, if both options setting environment variables within container (which means can be viewed by users when docker inspect), what is the advantage of going with AWS ECS environment variables?
What is the best strategy to get the variables (like dbuser, dbpassword) from AWS parameter store (or) SSM but don't set them to container environment variables (If possible without using docker entryscript)?
One of the option would be to pull the variables configuration via remote protocol(over HTTP API) within your application during startup.
Example - I have Spring Boot Java based docker containers running under ECS where I am pulling my configuration like dbuser and dbpassword using Spring Cloud Config. When my spring boot containers start, they load the necessary configuration with Spring Cloud Config and initialize the application.
Spring Cloud Config supports pulling the configuration from various sources such as Git, Vault and even AWS Parameter Store.
My App Container --> Spring Cloud Config Server Container --> Git/Vault/AWS Parameter Store
Here is sample guide for integrating Spring Cloud with AWS Parameter Store and some SO question which has sample Github repo. https://blog.trifork.com/2018/07/20/integrating-the-aws-parameter-store-with-spring-cloud/
Now this may not work for other platform containers but you can apply similar concept to your platform as well. Example : Spring Cloud Config is exposing a generic HTTP Rest API, you can pull necessary config from this API within your application which is written in other programming languages etc.,