On AWS we often use the AWS Parameter Store to store secrets safely. But accessing those secrets from an application running in ECS is rather intrusive: you have to call the AWS SSM API either in the application itself or in the entrypoint script of the container. In this blog we show you how a simple utility lets you specify references to the secrets as environment variables. It even allows you to specify sensible defaults.
How does it work?
To use the utility, follow these two steps:
- include the executable in your container and make it the container entrypoint
- define environment variables with a URI using the ssm: protocol
Include the executable
To include the utility in your container and make it your entrypoint, add the following lines to your Dockerfile:
FROM docker.io/binxio/ssm-get-parameter:0.2.3 AS ssm
FROM alpine
COPY --from=ssm /ssm-get-parameter /usr/local/bin
ENTRYPOINT [ "/usr/local/bin/entrypoint" ]
Make sure to move the old entrypoint to the CMD of the container.
Define the environment variable
To retrieve the secrets into your container, define one or more environment variables with a URI using the ssm: protocol:
ENV PGPASSWORD=ssm:///postgres/root/password
If the parameter cannot be retrieved, the container will exit with an error. If you wish to continue anyway, specify a default parameter:
ENV PGPASSWORD=ssm:///postgres/root/password?default=postgres
This allows you to run the container outside of AWS. You can also write the content of the secret to a file by specifying the destination parameter.
ENV PRIVATE_KEY=ssm:///private-key?destination=/tmp/private-key
The value of the environment variable will be replaced with the name of the file, in this case /tmp/private-key.
If the parameter cannot be retrieved and the destination file already exists, the contents of that file will be used as the default value.
Finally, if you need the secret embedded in a string, you can use the template parameter:
ENV PGPASSFILE=ssm:///postgres/root/password?template=localhost:5432:kong:kong:{{.}}%0a&destination=$HOME/.pgpass&default=postgres
Conclusion
With the ssm-get-parameter utility you have a non-intrusive way of retrieving secrets from the parameter store and saving them as environment variable values or in a file in your container. By using the default option, you can provide sensible defaults that allow you to run your container independent of AWS.
If you are looking for the same thing in Google Cloud Platform, read how to get secrets from the Google Secret Manager into your container.