This is the new *Amazon CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [Amazon CloudFormation User Guide](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::ECS::Service Secret An object representing the secret to expose to your container. Secrets can be exposed to a container in the following ways: + To inject sensitive data into your containers as environment variables, use the `secrets` container definition parameter. + To reference sensitive information in the log configuration of a container, use the `secretOptions` container definition parameter. For more information, see [Specifying sensitive data](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/specifying-sensitive-data.html) in the *Amazon Elastic Container Service Developer Guide*. ## Syntax To declare this entity in your Amazon CloudFormation template, use the following syntax: ### JSON ``` { "[Name](#cfn-ecs-service-secret-name)" : String, "[ValueFrom](#cfn-ecs-service-secret-valuefrom)" : String } ``` ### YAML ``` [Name](#cfn-ecs-service-secret-name): String [ValueFrom](#cfn-ecs-service-secret-valuefrom): String ``` ## Properties `Name` The name of the secret. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ValueFrom` The secret to expose to the container. The supported values are either the full ARN of the Amazon Secrets Manager secret or the full ARN of the parameter in the SSM Parameter Store. For information about the require Amazon Identity and Access Management permissions, see [Required IAM permissions for Amazon ECS secrets](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/specifying-sensitive-data-secrets.html#secrets-iam) (for Secrets Manager) or [Required IAM permissions for Amazon ECS secrets](https://docs.amazonaws.cn/AmazonECS/latest/developerguide/specifying-sensitive-data-parameters.html) (for Systems Manager Parameter store) in the *Amazon Elastic Container Service Developer Guide*. If the SSM Parameter Store parameter exists in the same Region as the task you're launching, then you can use either the full ARN or name of the parameter. If the parameter exists in a different Region, then the full ARN must be specified. *Required*: Yes *Type*: String *Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Examples ### Specifying a secret in a service The following example specifies a secret for the service. #### JSON ``` { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "ECSTaskDefinition": { "Type": "AWS::ECS::TaskDefinition", "Properties": { "ContainerDefinitions": [ { "Essential": true, "Image": "amazon/amazon-ecs-sample", "Name": "example" } ], "ExecutionRoleArn": "arn:aws:iam::aws_account_id:role/ecsTaskExecutionRole", "Family": "task-definition-cfn", "Secrets": { "Name": "TestKey", "ValueFrom": 'arn:aws:secretsmanager:region:aws_account_id:secret:secret-name' } } } } } ``` #### YAML ``` AWSTemplateFormatVersion: 2010-09-09 Resources: ECSTaskDefinition: Type: 'AWS::ECS::TaskDefinition' Properties: ContainerDefinitions: Essential: true Image: 'amazon/amazon-ecs-sample' Name: example ExecutionRoleArn: 'arn:aws:iam::aws_account_id:role/ecsTaskExecutionRole' Family: task-definition-cfn Secrets: Name: TestKey ValueFrom:'arn:aws:secretsmanager:region:aws_account_id:secret:secret-name' ``` ## See also + [Associate an Application Load Balancer with a service](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html#aws-resource-ecs-service--examples--Associate_an_Application_Load_Balancer_with_a_service)