I'm trying to set RDS Aurora credentials as environment variables to an ECS Task.
Initially I'm passing it as plaintext on environments
.
I know the proper way to do it is using secrets
but ApplicationLoadBalancedTaskImageOptions
expects a Secret
and the rds.DatabaseCluster
returns another type of it.
What is the correct way to manage the credentials on this case?
task_image_options=ecs_patterns.ApplicationLoadBalancedTaskImageOptions(
image=ecs.ContainerImage.from_registry("sonarqube:8.2-community"),
container_port=9000,
# FIXME: by documentation this is the right way to pass creds, however this fail, the database secret is not the same type than the expected
# secrets={
# "sonar.jdbc.password": ecs.Secret.from_secrets_manager(self.db.secret)
# },
environment={
'sonar.jdbc.url': url,
"sonar.jdbc.username": username,
"sonar.jdbc.password": self.db.secret.secret_value_from_json("password").to_string() #plaintext, FIXME
}
)
What a dejavu!
I posted an article about this topic two days ago:
Here you clearly can spot the differences between using secrets and environment variables.