Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Pass Systems Manager Parameter Store secrets programmatically in Amazon ECS

Systems Manager Parameter Store provides secure storage and management of secrets. You can store data such as passwords, database strings, EC2 instance IDs and AMI IDs, and license codes as parameter values, instead of hardcoding this information in your application. You can store values as plain text or encrypted data.

We recommend this method of retrieving sensitive data because if the Systems Manager Parameter Store parameter is subsequently updated, the application automatically retrieves the latest version.

Review the following considerations before securing sensitive data in Systems Manager Parameter Store.

  • Only secrets that store text data are supported. Secrets that store binary data are not supported.

  • Use interface VPC endpoints to enhance security controls.

  • The VPC that your task uses must have DNS resolution enabled.

  • For tasks that use the EC2 launch type, you must use the Amazon ECS agent configuration variable ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE=true to use this feature. You can add it to the /etc/ecs/ecs.config file during container instance creation or you can add it to an existing instance and then restart the ECS agent. For more information, see Amazon ECS container agent configuration.

  • Your task definition must use a task role with the additional permissions for Systems Manager Parameter Store. For more information, see Amazon ECS task IAM role.

Create the parameter

You can use the Systems Manager console to create a Systems Manager Parameter Store parameter for your sensitive data. For more information, see Create a Systems Manager parameter (console) or Create a Systems Manager parameter (Amazon CLI) in the Amazon Systems Manager User Guide.

Update your application to programmatically retrieve Systems Manager Parameter Store secrets

To retrieve the sensitive data stored in the Systems Manager Parameter Store parameter, see Code examples for Systems Manager using Amazon SDKs in the Amazon SDK Code Examples Code Library.
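As an added example that is not part of the AWS documentation or the SDK Code Library, the following Python shows the two pieces a task needs to follow the guidance above: a least-privilege policy document for the task role (the `ssm:GetParameter` action, plus `kms:Decrypt` only when a customer managed KMS key encrypts the SecureString) and a small runtime helper that retrieves a parameter with decryption, refuses to treat a plain `String` parameter as a secret, and re-reads the value after a short TTL so a rotated parameter is picked up without a redeploy. The `get_parameter(Name=..., WithDecryption=True)` call and the `Parameter.Type` / `Parameter.Value` response fields are boto3's real API; the parameter names, ARNs and the `OfflineParameterStore` stand-in are constructed so the module runs without AWS access.

```python
"""Retrieve Systems Manager Parameter Store secrets from an ECS task at run time.

Added example, not AWS documentation code. Assumes the task runs with a task
role that allows ssm:GetParameter on the parameter (and kms:Decrypt when a
customer managed KMS key encrypts the SecureString). Names and ARNs below are
constructed placeholders.
"""
import time
from typing import Callable, Dict, Optional, Tuple


def least_privilege_task_role_policy(parameter_arn: str,
                                     kms_key_arn: Optional[str] = None) -> dict:
    """Build the IAM policy document the task role needs for one parameter.

    ssm:GetParameter is the action behind get_parameter(); kms:Decrypt is only
    required when the SecureString is encrypted with a customer managed key.
    """
    statements = [{
        "Effect": "Allow",
        "Action": ["ssm:GetParameter"],
        "Resource": parameter_arn,
    }]
    if kms_key_arn:
        statements.append({
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": kms_key_arn,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def fetch_secret(ssm_client, name: str) -> str:
    """Read one parameter, decrypting SecureString values.

    A plain String parameter is stored unencrypted, so it is rejected here
    rather than silently used as a secret.
    """
    response = ssm_client.get_parameter(Name=name, WithDecryption=True)
    parameter = response["Parameter"]
    if parameter["Type"] != "SecureString":
        raise ValueError(f"{name} is type {parameter['Type']}; secrets must be SecureString")
    return parameter["Value"]


class SecretCache:
    """Cache decrypted values for a short TTL.

    Parameter Store is called once per TTL window per name, so an updated
    parameter is picked up on the next refresh without a redeploy and without
    an API call on every request.
    """

    def __init__(self, ssm_client, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._client = ssm_client
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so refresh behaviour can be tested
        self._entries: Dict[str, Tuple[float, str]] = {}

    def get(self, name: str) -> str:
        now = self._clock()
        cached = self._entries.get(name)
        if cached and now - cached[0] < self._ttl:
            return cached[1]
        value = fetch_secret(self._client, name)
        self._entries[name] = (now, value)
        return value


class OfflineParameterStore:
    """Constructed stand-in for a boto3 SSM client, used so the example runs
    offline. It mimics only the get_parameter() response shape used above."""

    def __init__(self, parameters: Dict[str, Tuple[str, str]]):
        self.parameters = dict(parameters)  # name -> (Type, Value)
        self.calls = 0

    def get_parameter(self, Name: str, WithDecryption: bool = False) -> dict:
        self.calls += 1
        param_type, value = self.parameters[Name]
        if param_type == "SecureString" and not WithDecryption:
            value = "<ciphertext>"  # real API returns the encrypted blob
        return {"Parameter": {"Name": Name, "Type": param_type, "Value": value}}


def default_ssm_client():
    """Create the real boto3 client; imported lazily so this module loads
    without boto3. Task role credentials are discovered automatically."""
    import boto3
    return boto3.client("ssm")


if __name__ == "__main__":
    # Constructed parameters: one stored correctly, one mistakenly plain text.
    store = OfflineParameterStore({"/myapp/prod/db_password": ("SecureString", "s3cr3t"),
                                   "/myapp/prod/api_key": ("String", "leaked")})
    cache = SecretCache(store)
    print(len(cache.get("/myapp/prod/db_password")), "characters retrieved")
```

In a real task, replace `OfflineParameterStore` with `default_ssm_client()`; the task role supplies credentials through the container credential provider, so no keys are configured in the image or task definition. Keep the TTL short enough for your rotation window, and treat the `ValueError` from a plain `String` parameter as a deployment defect to fix at the parameter, not in code.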