Aws-cdk: How to use only password of secret from RDS in ECS

Created on 6 Jan 2020 · 5 comments · Source: aws/aws-cdk

:question: General Issue

I wonder what's the proposed way to use the generated secret from an rds instance/cluster.

```typescript
import * as ec2 from '@aws-cdk/aws-ec2';
import * as rds from '@aws-cdk/aws-rds';
import { RemovalPolicy } from '@aws-cdk/core';

const database = new rds.DatabaseCluster(this, 'DatabaseCluster', {
    removalPolicy: RemovalPolicy.DESTROY,
    defaultDatabaseName: scope.getConfig(this, 'wordpressDbName'),
    masterUser: {
        username: 'wordpress',
    },
    instances: 1,
    engine: rds.DatabaseClusterEngine.AURORA,
    instanceProps: {
        instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.SMALL),
        vpc: vpc,
    },
});
```

In ECS I would like to get only the password. All other information is known anyway.

```typescript
WORDPRESS_DB_PASSWORD: ecs.Secret.fromSecretsManager(database.secret?.secretValueFromJson('password')),
```

but this does not work. Modifications inside the container should not be the solution.

Environment

  • CDK CLI Version: 1.19.0
  • Module Version: 1.19.0
Labels: @aws-cdk/aws-ecs, @aws-cdk/aws-rds, effort/medium, feature-request, in-progress

All 5 comments

Sadly this is currently not possible without code modifications inside the container, see https://github.com/aws/containers-roadmap/issues/385

Got a workaround:

```typescript
import * as ec2 from '@aws-cdk/aws-ec2';
import * as rds from '@aws-cdk/aws-rds';
import { Secret } from '@aws-cdk/aws-secretsmanager';
import { RemovalPolicy, SecretValue } from '@aws-cdk/core';

// Create the password as a standalone secret first, then hand it to RDS as the
// master password instead of letting the cluster generate its own secret.
const wordpressDbPasswordSecret = new Secret(this, 'wordpressDbPassword', {
    secretName: '/' + [this.account, this.stackName, 'wordpressDbPassword'].join('/'),
    generateSecretString: {
        passwordLength: 20,
    },
});

const database = new rds.DatabaseCluster(this, 'DatabaseCluster', {
    removalPolicy: RemovalPolicy.DESTROY,
    defaultDatabaseName: 'wordpress',
    masterUser: {
        username: 'wordpress',
        password: SecretValue.secretsManager(wordpressDbPasswordSecret.secretArn),
    },
    instances: 1,
    engine: rds.DatabaseClusterEngine.AURORA,
    instanceProps: {
        instanceType: ec2.InstanceType.of(ec2.InstanceClass.T3, ec2.InstanceSize.SMALL),
        vpc: vpc,
        vpcSubnets: {
            subnetType: ec2.SubnetType.PRIVATE,
        },
    },
});
```

This indeed works but note that you won't be able to rotate your DB password using the rotation application with this workaround.
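The following is an added example, not code from the issue or from the aws-cdk project, that models why the workaround above works and why the original attempt could not. ECS injects a referenced Secrets Manager secret whole: the cluster-generated secret is a JSON document (username, password and, once attached, connection fields), so referencing it gives the container the entire document, whereas the standalone secret from `generateSecretString` with no template is a bare password string. The ARNs, secret contents and the in-memory `secretStore` are constructed stand-ins; the two `envFrom...` functions are hypothetical helpers that simulate the `secrets` entry of a container definition rather than call any CDK or AWS API.

```typescript
// Constructed stand-in for Secrets Manager: secret ARN -> SecretString.
type SecretStore = Map<string, string>;

// One entry of an ECS container definition's `secrets` list.
interface EcsSecretRef {
  name: string;      // environment variable name inside the container
  valueFrom: string; // ARN of a whole Secrets Manager secret
}

// What the container ends up with for that entry.
interface InjectedVariable {
  name: string;
  value: string;
}

// Sample ARNs, constructed for this example.
const RDS_GENERATED_SECRET_ARN =
  'arn:aws:secretsmanager:eu-west-1:111122223333:secret:DatabaseClusterSecret-AbCdEf';
const WORKAROUND_SECRET_ARN =
  'arn:aws:secretsmanager:eu-west-1:111122223333:secret:/111122223333/MyStack/wordpressDbPassword-GhIjKl';

// The secret rds.DatabaseCluster generates for masterUser is a JSON document:
// the username/password pair plus connection fields attached to the cluster.
// Sample contents constructed for this example.
const rdsGeneratedSecretString = JSON.stringify({
  username: 'wordpress',
  password: 'rds-generated-p4ssw0rd',
  engine: 'mysql',
  host: 'databasecluster.cluster-example.eu-west-1.rds.amazonaws.com',
  port: 3306,
  dbClusterIdentifier: 'databasecluster',
});

// The workaround's standalone secret uses generateSecretString with no
// template, so its SecretString is the bare password, not JSON.
const workaroundSecretString = 'sm-generated-p4ssw0rd';

const secretStore: SecretStore = new Map<string, string>([
  [RDS_GENERATED_SECRET_ARN, rdsGeneratedSecretString],
  [WORKAROUND_SECRET_ARN, workaroundSecretString],
]);

// Whole-secret injection as ECS performs it: the entire SecretString becomes
// the value of the named environment variable.
function injectWholeSecret(store: SecretStore, ref: EcsSecretRef): InjectedVariable {
  const value = store.get(ref.valueFrom);
  if (value === undefined) {
    throw new Error(`secret not found: ${ref.valueFrom}`);
  }
  return { name: ref.name, value };
}

// True when the injected value is one opaque string usable directly as a
// password, false when it is a JSON document the container would have to parse.
function isBarePassword(value: string): boolean {
  try {
    const parsed: unknown = JSON.parse(value);
    return typeof parsed !== 'object' || parsed === null;
  } catch {
    return true;
  }
}

// The in-container step the question wants to avoid: parse the JSON document
// and pick a single key out of it.
function extractJsonKey(secretString: string, key: string): string {
  const parsed: unknown = JSON.parse(secretString);
  if (typeof parsed !== 'object' || parsed === null) {
    throw new Error('secret is not a JSON object');
  }
  const doc = parsed as Record<string, unknown>;
  if (!(key in doc)) {
    throw new Error(`key "${key}" not present in secret`);
  }
  return String(doc[key]);
}

// Referencing the cluster-generated secret whole: the container receives the
// full JSON document (host, username and password together) in one variable.
function envFromRdsGeneratedSecret(): InjectedVariable {
  return injectWholeSecret(secretStore, {
    name: 'WORDPRESS_DB_PASSWORD',
    valueFrom: RDS_GENERATED_SECRET_ARN,
  });
}

// Referencing the workaround secret whole: the container receives only the
// password, which is what the standalone Secret resolves to in the stack above.
function envFromWorkaroundSecret(): InjectedVariable {
  return injectWholeSecret(secretStore, {
    name: 'WORDPRESS_DB_PASSWORD',
    valueFrom: WORKAROUND_SECRET_ARN,
  });
}

// Demo: compare the two injections side by side.
console.log(envFromWorkaroundSecret());
console.log(isBarePassword(envFromRdsGeneratedSecret().value));
```

Besides the rotation limitation already noted, the comparison shows the other reason to prefer the workaround over parsing in the container: injecting the cluster-generated secret whole puts host, username and password into a single environment variable, which is more than the task needs and more than the question wants exposed.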

Would be great to get the json key support for ECS secrets!
