How to get secrets from the AWS Parameter Store into containers in ECS

On AWS we often use the AWS Parameter Store, to store secrets safely. But accessing the secrets from an application running in ECS, is rather intrusive. You have to call the AWS SSM API either in the application or in the entrypoint script of the container. In this blog we show you how a simple utility allows you to specify the references to the secrets as environment variables. It even allows you to specify sensible defaults.

How does it work?

To use the utility, follow these two steps:

1. include the executable in your container and make it your Container entrypoint
2. Define environment variables with a URI using the ssm: protocol

Include the executable

To include the utility in your container and make it your entrypoint, add the following lines to your Dockerfile:

FROM docker.io/binxio/ssm-get-parameter:0.2.3 AS ssm

FROM alpine
COPY --from=ssm /ssm-get-parameter  /usr/local/bin
ENTRYPOINT [ "/usr/local/bin/entrypoint" ]

Make sure to move the old entrypoint to the CMD of the container.

Define the environment variable

To retrieve the secrets into your container, define one or more environment variables with a URI using the ssm: protocol:

ENV PGPASSWORD=ssm:///postgres/root/password

If the parameters cannot be retrieved, the container will exit with an error. If you wish to continue, specify a default parameter:

ENV PGPASSWORD=ssm:///postgres/root/password?default=postgres

This will allow to run the container outside of AWS. You can also write the content of the secret to a file by specifying the destination parameter.

ENV PRIVATE_KEY=ssm:///private-key?destination=/tmp/private-key

The value of the environment variable will be replaced with the name of the file, in this case /tmp/private-key. If the parameter cannot be retrieved and the destination file already exists, the contents of that file will be used as the default value. Finally, if you need the secret in a string, you can use the template parameter:

ENV PGPASSFILE=ssm:///postgres/root/password?
template=localhost:5432:kong:kong:{{.}}%0a&
destination=$HOME/.pgpass&
default=postgres

Conclusion

With the ssm-get-parameter utility you have an non-intrusive way of retrieving secrets from the parameter store and save them as environment variable values or in a file in your container. By using the default option, you can provide sensible defaults which allows you to run your container independent of AWS. If you are looking for the same thing in Google Cloud Platform, read how to get secrets from the Google Secret Manager into your container.