Managing environment variables and sensitive data like API keys, database credentials, and other secrets is crucial for the security and proper functioning of your containerized applications on Amazon Elastic Container Service (ECS). This section demonstrates how to configure your ECS task definitions to securely inject these values into your containers.
Environment variables provide a way to pass configuration data to your containers without hardcoding them into your container images. In an ECS task definition, you specify environment variables within the containerDefinitions array.
For sensitive information, it's best practice to use a secrets management service. AWS Systems Manager (SSM) Parameter Store is a popular choice for securely storing configuration data and secrets. You can reference parameters stored in SSM Parameter Store directly within your ECS task definitions.
The following JSON snippet illustrates a basic ECS task definition that includes both standard environment variables and secrets fetched from AWS SSM Parameter Store. This example uses an Nginx container.
```json
{
  "family": "app-with-secrets",
  "executionRoleArn": "arn:aws:iam::xxxxxxxxxxxx:role/ecs-exec-role",
  "taskRoleArn": "arn:aws:iam::xxxxxxxxxxxx:role/ecs-task-role",
  "containerDefinitions": [
    {
      "name": "nginx",
      "image": "nginx:latest",
      "memoryReservation": 256,
      "portMappings": [
        {
          "protocol": "tcp",
          "containerPort": 3000,
          "hostPort": 0
        }
      ],
      "environment": [
        {
          "name": "AWS_DEFAULT_REGION",
          "value": "eu-west-1"
        }
      ],
      "secrets": [
        {
          "name": "ACCESS_KEY_ID",
          "valueFrom": "arn:aws:ssm:eu-west-1:xxxxxxxxxxxx:parameter/myapp/prod/AWS_ACCESS_KEY_ID"
        }
      ],
      "essential": true,
      "privileged": true
    }
  ]
}
```
- executionRoleArn: The IAM role that the ECS agent assumes to make AWS API calls on your behalf, including pulling the image and retrieving the values listed under secrets. It therefore needs ssm:GetParameters (or secretsmanager:GetSecretValue) on exactly those resources, plus kms:Decrypt on the key if a SecureString parameter is encrypted with a customer-managed KMS key.
- taskRoleArn: The IAM role that tasks assume when they run. This role grants permissions to your application code inside the container.
- environment: An array of name/value pairs for standard environment variables.
- secrets: An array where each object maps a container environment variable name to a reference to a secret stored in AWS Secrets Manager or SSM Parameter Store. The valueFrom field specifies the ARN of the secret.
Always use a dedicated secrets management service like AWS Secrets Manager or SSM Parameter Store for sensitive data. Avoid hardcoding secrets directly into your task definitions or container images; anything placed under environment is stored in plain text and is visible to anyone allowed to describe the task definition. Ensure that your IAM roles have the least privilege necessary to access these secrets. Two settings in the example above deserve a second look before reuse: "privileged": true gives the container elevated access to the host and is not needed to read secrets, so drop it unless the workload genuinely requires it, and injecting a static AWS access key as a secret is usually unnecessary when taskRoleArn is set, because the task role already supplies short-lived credentials to the application.
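To turn the guidance above into a repeatable check, here is an added example (not code from the page or from AWS) that lints a task definition for credential-looking values in environment, non-ARN valueFrom references and privileged containers, and derives the least-privilege execution-role statements needed to fetch exactly the referenced secrets. The sample task definition is constructed to mirror the page's, with a placeholder account id and an added plain-text password to trigger a finding.

```python
# Added example (not from the page or AWS): lint an ECS task definition for the
# secrets guidance above and derive the execution-role statements it needs.
import json
import re

SSM_ARN = re.compile(r"^arn:aws:ssm:[a-z0-9-]+:\d{12}:parameter/.+$")
SM_ARN = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$")
SECRET_LIKE = re.compile(r"secret|password|passwd|token|api_?key|access_key", re.I)

def lint_task_definition(td):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        for env in c.get("environment", []):  # credentials hiding in plain env vars
            if SECRET_LIKE.search(env.get("name", "")):
                findings.append(f"{name}: '{env['name']}' is in 'environment'; move it to 'secrets'")
        for s in c.get("secrets", []):  # valueFrom must be an SSM or Secrets Manager ARN
            ref = s.get("valueFrom", "")
            if not (SSM_ARN.match(ref) or SM_ARN.match(ref)):
                findings.append(f"{name}: secret '{s.get('name')}' has non-ARN valueFrom '{ref}'")
        if c.get("privileged"):  # host-level capabilities are not needed to read secrets
            findings.append(f"{name}: 'privileged' is true; remove it unless the workload requires it")
    return findings

def execution_role_statements(td):
    """Least-privilege IAM statements for the execution role, scoped to the referenced secrets.
    SecureString parameters under a customer-managed KMS key additionally need kms:Decrypt
    on that key, which cannot be derived from the task definition itself."""
    ssm, sm = set(), set()
    for c in td.get("containerDefinitions", []):
        for s in c.get("secrets", []):
            (ssm if s["valueFrom"].startswith("arn:aws:ssm:") else sm).add(s["valueFrom"])
    statements = []
    if ssm:
        statements.append({"Effect": "Allow", "Action": "ssm:GetParameters", "Resource": sorted(ssm)})
    if sm:
        statements.append({"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": sorted(sm)})
    return statements

# Constructed sample modelled on the page's task definition (account id is a placeholder).
SAMPLE_TD = {"family": "app-with-secrets", "containerDefinitions": [{
    "name": "nginx", "image": "nginx:latest", "privileged": True,
    "environment": [{"name": "AWS_DEFAULT_REGION", "value": "eu-west-1"},
                    {"name": "DB_PASSWORD", "value": "hunter2"}],
    "secrets": [{"name": "ACCESS_KEY_ID",
                 "valueFrom": "arn:aws:ssm:eu-west-1:123456789012:parameter/myapp/prod/AWS_ACCESS_KEY_ID"}],
}]}

if __name__ == "__main__":
    print("\n".join(lint_task_definition(SAMPLE_TD)) or "no findings")
    print(json.dumps({"Version": "2012-10-17", "Statement": execution_role_statements(SAMPLE_TD)}, indent=2))
```

Run it against the JSON you are about to register (json.load the file and pass the dict) and wire it into CI so a task definition that regresses to plain-text credentials or privileged mode fails before deployment.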
For more in-depth information on AWS ECS and security best practices, refer to the official AWS ECS Developer Guide.