Retrieving and caching secrets in ECS tasks
Retrieving and caching secrets within ECS tasks generally involves using AWS Secrets Manager or AWS Systems Manager Parameter Store to store the secrets, and then fetching them at runtime within the ECS task. The secrets can be passed to the containers as environment variables or as part of the container definition within a task definition.
In this example, we will use Pulumi to define an AWS ECS task definition where the secrets are retrieved from AWS Secrets Manager and passed to the container as environment variables. We will use the `awsx.ecs.FargateService` resource from the `awsx` package, a higher-level abstraction that simplifies working with Amazon ECS.

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

// Creates an ECS cluster to deploy the Fargate service
const cluster = new aws.ecs.Cluster("app-cluster");

// Assume you have a pre-existing secret in AWS Secrets Manager.
// getSecretOutput returns a Pulumi Output, so .arn can be used directly below.
// Only the secret's metadata (name, ARN) is read here; the value never enters the program.
const mySecret = aws.secretsmanager.getSecretOutput({ name: "MySecret" });

// Define the ECS Fargate service and task with the secret environment variable.
const appService = new awsx.ecs.FargateService("app-service", {
    cluster: cluster.arn,
    taskDefinitionArgs: {
        containers: {
            app: {
                image: "my-app-image", // Replace with your app's Docker image
                memory: 512,
                cpu: 256,
                environment: [
                    // Static environment variables
                    { name: "STAGE", value: "production" },
                ],
                secrets: [
                    // ECS resolves the ARN when the task starts and injects the value
                    {
                        name: "DB_PASSWORD",     // Name used inside the container
                        valueFrom: mySecret.arn, // ARN of the AWS Secrets Manager secret
                    },
                ],
            },
        },
    },
});

// Export the name of the underlying ECS service (there is no URL without a load balancer)
export const serviceName = appService.service.name;
```
Explanation:
- We start by importing the necessary Pulumi libraries for AWS and AWSX (`@pulumi/pulumi`, `@pulumi/aws`, and `@pulumi/awsx`).
- We create an ECS cluster where our service will be deployed using `new aws.ecs.Cluster`.
- We then look up the desired secret in AWS Secrets Manager using `aws.secretsmanager.getSecretOutput`. This would be a secret that you've previously set up in Secrets Manager, which contains sensitive information like a database password. Only its ARN is used; the program never reads the value.
- Next, we define our ECS Fargate service with `new awsx.ecs.FargateService`. Inside the service definition, we specify task configurations, such as the Docker image, CPU and memory requirements, and environment variables.
- We pass the secret to our container under the `secrets` array by setting the `name`, used as the environment variable inside the container, and `valueFrom`, which points to the ARN of the Secrets Manager secret.
- The secret is not exposed in your codebase or Pulumi state file; it is managed by AWS Secrets Manager. When the task starts, the ECS agent retrieves the secret value using the task execution role and sets it as an environment variable inside the container. That role must therefore be allowed `secretsmanager:GetSecretValue` on this secret's ARN (and `kms:Decrypt` on the key if the secret is encrypted with a customer-managed KMS key), or the task will fail to start. Because the value is read once at launch, a rotated secret only reaches the container when new tasks are started.
- Finally, we export the `serviceName` of the Fargate service so you can locate it in the cluster.
By using this approach, your application's sensitive information is managed securely, and your infrastructure remains declarative and easy to track with Pulumi.