Copilot-cli: How to specify `task run` environment from a manifest file?

Created on 28 Dec 2020  ·  8 Comments  ·  Source: aws/copilot-cli

Even better, how to inject some SSM secrets on my task run?

I was under the assumption `task run` would be under the same environment (OS environment, for that matter) as my service, but it's not the case. Env vars configured in my manifest.yml aren't showing up in my task run. So, where is the environment definition for it? I'm trying to validate my Service env using this method, so I may be wrong here.

Like, to `copilot task run --follow --command printenv` I get:

```
✔ Task my-app is running.

copilot-task/my-app/a048 PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
copilot-task/my-app/a048 HOSTNAME=ip-10-0-0-112.sa-east-1.compute.internal
copilot-task/my-app/a048 AWS_DEFAULT_REGION=sa-east-1
copilot-task/my-app/a048 AWS_EXECUTION_ENV=AWS_ECS_FARGATE
copilot-task/my-app/a048 AWS_REGION=sa-east-1
copilot-task/my-app/a048 [redacted]
copilot-task/my-app/a048 [redacted]
copilot-task/my-app/a048 LANG=C.UTF-8
copilot-task/my-app/a048 GPG_KEY=[redacted]
copilot-task/my-app/a048 PYTHON_VERSION=3.8.6
copilot-task/my-app/a048 PYTHON_PIP_VERSION=20.3.3
copilot-task/my-app/a048 PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/5f38681f7f5872e4032860b54e9cc11cf0374932/get-pip.py
copilot-task/my-app/a048 PYTHON_GET_PIP_SHA256=[redacted]
copilot-task/my-app/a048 HOME=/root
Task has stopped.
```

I can pass an ENV VAR with `--env-vars` and it works, but nothing from my SSM or manifest.yml.

Another way would be to connect via SSH to the ECS container, but it looks like a pain. Or print my ENV to my Service's log... well. There are other ways, anyways.


All 8 comments

Hello @henrymazza, I think in order to inject SSM secrets to `task run` like what we have for the manifest (see here), we need a `--secrets` flag so that you could inject them by doing `--secrets GITHUB_WEBHOOK_SECRET=GH_WEBHOOK_SECRET --secrets FOO=BAR`. Would this flag address your use case?

Related to https://github.com/aws/copilot-cli/issues/1432#issuecomment-699147840

> Another way would be to connect via SSH to the ECS container, but it looks like a pain.

The ECS team is working on https://github.com/aws/containers-roadmap/issues/187, whenever that gets released you should expect also an integration with Copilot :)

Yeah! @iamhopaul123! That'd be great! Even better if I could use the `manifest.yml` of a service to do that. My intent here is to debug my container environment, or use the same environment to run things like migrations (share database password). So anything that could share my task's environment with my service. SSH into the living container would be even better for debug purposes, so it's worth the wait like @efekarakus pointed out.

But perhaps I'm misunderstanding the purpose of these tools. Let me know if that's the case!

Hi @henrymazza, if the intent is to debug the container environment then it would be better to use this feature that is pointed by @efekarakus, and Copilot will be one of the first tools to support the feature. Please stay tuned for it!

Specifying a `--service` and getting its injected env vars and secrets would be 👍

Use case for me would be getting access to outputs from an addon defined within the service

@adaddeo You can do this currently by running [copilot svc show](https://aws.github.io/copilot-cli/docs/commands/svc-show/). `show` prints off a lot of metadata about the given service, including its injected environment variables and secrets for all environments the service is deployed to. If you've defined outputs in any addons stack, they will show up in the Variables section. There's also a Secrets section for Secrets Manager values, and a list of any routes at which the service is accessible.

Thanks @bvtujo. To clarify, I was suggesting env vars and secrets would be injected into the task in the same way it's done for the service (I later found this proposed here: https://github.com/aws/copilot-cli/issues/1432). For now I'll use `copilot svc show` to manually grab them.

Also, not seeing secrets in the `show` yet. Is that in the 1.0 release?

Hi @henrymazza @adaddeo, we have a proposal to support this feature in #2159; we would love to hear your feedback!
