AWS ECS environment variables

0
votes

I spent sometime researching on this, but still not clear on how ECS environment variables are safe to use in terms of security but ENV & ENV-FILE options for docker or not?

For example: AWS ECS documentation states that add secrets to task definition and they will be available as container environment variables.

Docker documentation has similar language:

The environment variables set using ENV will persist when a container is run from the resulting image. You can view the values using docker inspect, and change them using docker run --env =.

Now, the question I am couldn't find answer for is, if both options setting environment variables within container (which means can be viewed by users when docker inspect), what is the advantage of going with AWS ECS environment variables?

What is the best strategy to get the variables (like dbuser, dbpassword) from AWS parameter store (or) SSM but don't set them to container environment variables (If possible without using docker entryscript)?

2
amazon-web-servicesdockerdockerfileamazon-ecsaws-parameter-store

2 Answers

1
votes

One of the option would be to pull the variables configuration via remote protocol(over HTTP API) within your application during startup.

Example - I have Spring Boot Java based docker containers running under ECS where I am pulling my configuration like dbuser and dbpassword using Spring Cloud Config. When my spring boot containers start, they load the necessary configuration with Spring Cloud Config and initialize the application.

Spring Cloud Config supports pulling the configuration from various sources such as Git, Vault and even AWS Parameter Store.

My App Container --> Spring Cloud Config Server Container --> Git/Vault/AWS Parameter Store

Here is sample guide for integrating Spring Cloud with AWS Parameter Store and some SO question which has sample Github repo. https://blog.trifork.com/2018/07/20/integrating-the-aws-parameter-store-with-spring-cloud/

Why Integrating Spring Cloud application with the AWS Parameter Store return no property from param store?

Now this may not work for other platform containers but you can apply similar concept to your platform as well. Example : Spring Cloud Config is exposing a generic HTTP Rest API, you can pull necessary config from this API within your application which is written in other programming languages etc.,

1
votes

DockerFiles can be checked in with code say on Github. So anybody who has access to code can see the secrets( dbUser and dbPassword). Incase a repo becomes public accidentally secrets will also be exposed.

If using AWS ECS Env Variables only users having access to AWS infra can see the secrets. It also makes it easy to run in multiple environments.

And as Imran suggested you can always pull the config from some third party config manager before the process starts.