python amazon-web-services amazon-ecs amazon-aurora aws-cdk

How to pass rds.DatabaseCluster secrets as environment variables in an ECS Task


I'm trying to set RDS Aurora credentials as environment variables in an ECS Task. Initially I'm passing them as plaintext in environment. I know the proper way to do it is using secrets, but ApplicationLoadBalancedTaskImageOptions expects a Secret and the rds.DatabaseCluster returns another type of it. What is the correct way to manage the credentials in this case?

  • db is an rds.DatabaseCluster instance

task_image_options=ecs_patterns.ApplicationLoadBalancedTaskImageOptions(
    image=ecs.ContainerImage.from_registry("sonarqube:8.2-community"),
    container_port=9000,
    # FIXME: according to the documentation this is the right way to pass creds,
    # however it fails: the database secret is not the same type as the expected one
    # secrets={
    #     "sonar.jdbc.password": ecs.Secret.from_secrets_manager(self.db.secret)
    # },
    environment={
        "sonar.jdbc.url": url,
        "sonar.jdbc.username": username,
        # FIXME: plaintext, the resolved password ends up in the task definition
        "sonar.jdbc.password": self.db.secret.secret_value_from_json("password").to_string(),
    },
)

Solution

  • What a déjà vu!

    I posted an article about this topic two days ago:

    https://medium.com/@mchlfchr/i-tell-you-a-secret-provide-database-credentials-to-an-ecs-fargate-task-in-aws-cdk-339df4e3d071

    Here you can clearly spot the differences between using secrets and environment variables.
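
The difference between the two approaches is visible in the synthesized CloudFormation template, so it can be checked before deployment. The following is an added example, not code from the question, the answer or the linked article: it scans a template for ECS container definitions whose Environment carries a Secrets Manager dynamic reference. The template is a constructed sample, and the resource names and the function name are assumptions.

```python
import json

# Constructed sample shaped like `cdk synth` output. "BadTaskDef" mirrors the
# question's environment={...secret_value_from_json("password").to_string()}.
# "GoodTaskDef" mirrors secrets={...: ecs.Secret.from_secrets_manager(secret, "password")}
# (the field argument exists in current aws-cdk-lib).
TEMPLATE = {"Resources": {
    "BadTaskDef": {
        "Type": "AWS::ECS::TaskDefinition",
        "Properties": {"ContainerDefinitions": [{
            "Name": "web",
            "Environment": [
                {"Name": "sonar.jdbc.username", "Value": "sonar"},
                {"Name": "sonar.jdbc.password", "Value": {"Fn::Join": ["", [
                    "{{resolve:secretsmanager:", {"Ref": "DbSecret"},
                    ":SecretString:password::}}"]]}},
            ],
        }]},
    },
    "GoodTaskDef": {
        "Type": "AWS::ECS::TaskDefinition",
        "Properties": {"ContainerDefinitions": [{
            "Name": "web",
            "Environment": [{"Name": "sonar.jdbc.username", "Value": "sonar"}],
            # ECS fetches the value at container start; only the ARN is stored.
            "Secrets": [{"Name": "sonar.jdbc.password", "ValueFrom": {
                "Fn::Join": ["", [{"Ref": "DbSecret"}, ":password::"]]}}],
        }]},
    },
}}

MARKER = "{{resolve:secretsmanager:"

def find_plaintext_secrets(template):
    """Return (resource, container, variable) for every Environment entry whose
    value is a Secrets Manager dynamic reference. CloudFormation resolves such a
    reference at deploy time, so the clear-text value lands in the task definition."""
    findings = []
    for rid, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::ECS::TaskDefinition":
            continue
        for c in res.get("Properties", {}).get("ContainerDefinitions", []):
            for env in c.get("Environment", []):
                # Serialise the value so the marker is found inside Fn::Join/Fn::Sub.
                if MARKER in json.dumps(env.get("Value")):
                    findings.append((rid, c.get("Name"), env["Name"]))
    return findings

if __name__ == "__main__":
    for finding in find_plaintext_secrets(TEMPLATE):
        print("secret resolved into Environment: %s / %s / %s" % finding)
```
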