Tags: amazon-web-services, amazon-ecs, aws-fargate, aws-secrets-manager

Retrieve all my AWS Secrets Manager secrets in my Fargate container


I'm using the AWS ECS service to run my Docker containers (4 containers).

I also use Secrets Manager for storing and retrieving environment variables.

I would like to pass my Secrets Manager ARN, so the containers will access all my env vars without adding key=value to my task definition again (to avoid repeating myself).

I Googled and found the following solution, but I'm not sure if it's what I'm looking for:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": "arn:aws:secretsmanager:region:aws_account_id:secret:MySecretName"
        }
    ]
}

I want to avoid:

"secrets": [
    {
        "name": "MySecretEnvVariable1",
        "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:MySecretName"
    },
    {
        "name": "MySecretEnvVariable2",
        "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:MyOtherSecret"
    }
]

Expected: I don't want to repeat myself by entering key=value in the task definition again. Since all my secrets are already in AWS Secrets Manager, I want to pass the ARN, and the container should be able to access my secrets.


Solution

  • That IAM policy you included in your question would indeed give the ECS task permission to access the secret in SecretsManager, as long as you included that IAM policy in the ECS Task Execution Role.

    That just gives it permission though. To have ECS pass the actual secret value into your container, you need to configure the secrets in the task definition and then ECS will pass the value of those secrets into the container as environment variables.


    Regarding your updated question:

    If all you want to do is provide the code in your container the permission to access your secrets, then include that IAM policy in the ECS Task Role (not the task execution role). And include the Secret ARN as a regular environment variable string, not as an ECS Secret.

    Then your code will be responsible for taking the ARN from the environment variable, and calling the AWS SecretsManager API (via the AWS SDK for the programming language you are using) to pull in those secret values.
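The following is an added example of the second approach the answer describes (it is not code from the original post): the container receives a Secrets Manager ARN as an ordinary environment variable, and application code fetches the secret and exports its keys as environment variables. The `boto3` client is replaced here by a constructed `FakeSecretsManager` so the example runs offline; in a real task you would pass `boto3.client("secretsmanager")` instead, and the IAM policy from the question must be attached to the ECS task role (the role the application code assumes), not the execution role. The variable name `APP_SECRET_ARN`, the sample ARN, and the fallback key `SECRET_VALUE` are assumptions made for the example.

```python
import base64
import json
import os
from typing import Any, Dict


def parse_secret_payload(response: Dict[str, Any]) -> Dict[str, str]:
    """Turn a GetSecretValue response into a flat {NAME: value} mapping.

    Secrets Manager returns either SecretString (text) or SecretBinary
    (bytes; base64 text once serialised). A JSON object payload yields one
    environment variable per key, which is how a single secret can hold all
    of a container's variables. Any other payload is returned under the
    assumed fallback key "SECRET_VALUE".
    """
    if "SecretString" in response:
        raw = response["SecretString"]
    elif "SecretBinary" in response:
        blob = response["SecretBinary"]
        if isinstance(blob, str):  # base64 text form of the binary payload
            blob = base64.b64decode(blob)
        raw = blob.decode("utf-8")
    else:
        raise ValueError("response carries neither SecretString nor SecretBinary")

    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return {"SECRET_VALUE": raw}
    if isinstance(data, dict):
        return {str(k): str(v) for k, v in data.items()}
    return {"SECRET_VALUE": raw}


def load_secrets_into_env(client, secret_arn: str, overwrite: bool = False,
                          env=None) -> Dict[str, str]:
    """Fetch one secret by ARN and export its keys into `env` (os.environ by default).

    `client` is any object with a boto3-style get_secret_value(SecretId=...)
    method, e.g. boto3.client("secretsmanager") inside the task. The ECS task
    role must carry secretsmanager:GetSecretValue on this ARN for that call
    to succeed. Returns the variables that were actually set.
    """
    if env is None:
        env = os.environ
    response = client.get_secret_value(SecretId=secret_arn)
    exported: Dict[str, str] = {}
    for name, value in parse_secret_payload(response).items():
        if name in env and not overwrite:
            continue  # values set explicitly in the task definition win
        env[name] = value
        exported[name] = value
    return exported


class FakeSecretsManager:
    """Constructed stand-in for boto3's secretsmanager client (offline demo only)."""

    def __init__(self, store: Dict[str, Dict[str, Any]]):
        self._store = store

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        if SecretId not in self._store:
            raise LookupError(f"ResourceNotFoundException: {SecretId}")
        return self._store[SecretId]


# Constructed sample ARN and payloads. In a real task the ARN arrives via an
# ordinary "environment" entry such as APP_SECRET_ARN (assumed name), not via
# the "secrets" list, which is what the asker wants to avoid.
SAMPLE_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecretName-AbCdEf"
SAMPLE_STORE = {
    SAMPLE_ARN: {"SecretString": json.dumps({"DB_PASSWORD": "p@ss", "API_KEY": "k-123"})},
    SAMPLE_ARN + "-bin": {"SecretBinary": base64.b64encode(b"raw-token").decode()},
}


def demo() -> Dict[str, str]:
    """Run the flow against the fake client and return the resulting environment."""
    client = FakeSecretsManager(SAMPLE_STORE)
    env: Dict[str, str] = {"DB_PASSWORD": "from-task-def"}  # pre-set, so not overwritten
    load_secrets_into_env(client, SAMPLE_ARN, env=env)
    load_secrets_into_env(client, SAMPLE_ARN + "-bin", env=env)
    return env


if __name__ == "__main__":
    secret_arn = os.environ.get("APP_SECRET_ARN", SAMPLE_ARN)
    for name, value in demo().items():
        print(f"{name}={'*' * len(value)}")  # never log secret values in clear
```

Two design points are worth noting. Keeping `overwrite=False` means anything ECS already injected through the task definition stays authoritative, so a stray key inside the secret cannot silently replace a deliberately configured variable. And because the secret is read by application code with the task role's credentials, every container in the task that holds the ARN can read the whole secret; if the four containers should not all see each other's values, split them into separate secrets with separate ARNs and scope each resource statement accordingly.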