Containers-roadmap: [ECS] [parameter get all keys by path]: secrets from parameter store just provide a path

Created on 16 Oct 2019  路  5Comments  路  Source: aws/containers-roadmap

In ECS and the task definition I use secrets stored in parameter store like:

"secrets":[
      {
         "valueFrom":"arn:aws:ssm:us-west-1:XXXXXXXXXXX:parameter/WEB_APP/DB_PASSWORD",
         "name":"DB_PASSWORD"
      },
      {
        "valueFrom": "arn:aws:ssm:us-west-1:XXXXXXXXXXX:parameter/WEB_APP/DB_USERNAME",
        "name": "DB_USERNAME"
      },
      {
        "valueFrom": "arn:aws:ssm:us-west-1:XXXXXXXXXXX:parameter/WEB_APP/DB_HOST",
        "name": "DB_HOST"
      },
     ...
]
````

We have lots of secrets, so defining all them in the task definition JSON becomes tedious and very error prone. Instead, I should just be able to define a **path** and ECS should pull down all keys in that path from parameter store and use them.

Example of how that could look:

"secrets":[
{
"valueFrom":"arn:aws:ssm:us-west-1:XXXXXXXXXXX:parameter/WEB_APP/*"
}
]
````

ECS Proposed
Source
picture nodesocket
👍13

Most helpful comment

This would be very helpful for making more generic terraform modules.

picture vegardx on 22 Nov 2019
👍3

All 5 comments

This would be very helpful for making more generic terraform modules.

vegardx picture vegardx on 22 Nov 2019
👍3

Yes! Please! We are avoiding using the secrets[].valueFrom thing basically for lack of this feature. Engineers have pushed back that the list of parameters here effectively represents a second source of truth. Instead we rely on an entrypoint script that does the get-parameters-by-path thing.

However, the entrypoint script brings with it a limitation that many of us would like to ditch.

dayer4b picture dayer4b on 5 Jun 2020

Any update on this? Allowing wildcard pulling of a path from parameter store would be a huge win in our Terraform.

nodesocket picture nodesocket on 28 Jul 2020
👍1

I just noticed that this seems very similar to issue #246. In that issue, the reporter mentions a tool called ssm-parent. I haven't tried it, but that may help some people.

dayer4b picture dayer4b on 22 Dec 2020

We are facing the same issue.
would love to see this for our fargate containers and greatly reduces our ops complexity

anagarjunr picture anagarjunr on 25 Dec 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

abby-fuller picture abby-fuller  路  3Comments
mineiro picture mineiro  路  3Comments
pauldougan picture pauldougan  路  3Comments
ORESoftware picture ORESoftware  路  3Comments
tabern picture tabern  路  3Comments