Retrieve Systems Manager Parameter Store secrets programmatically in Amazon ECS
Systems Manager Parameter Store provides secure storage and management of secrets. You can store data such as passwords, database strings, EC2 instance IDs and AMI IDs, and license codes as parameter values, instead of hardcoding this information in your application. You can store values as plain text or encrypted data.
We recommend this method of retrieving sensitive data because if the Systems Manager Parameter Store parameter is subsequently updated, the application automatically retrieves the latest version.
Review the following considerations before securing sensitive data in Systems Manager Parameter Store.
- Only secrets that store text data are supported. Secrets that store binary data are not supported.
- Use interface VPC endpoints to enhance security controls.
- The VPC your task uses must use DNS resolution.
- For tasks that use the EC2 launch type, you must use the Amazon ECS agent configuration variable ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE=true to use this feature. You can add it to the /etc/ecs/ecs.config file during container instance creation, or you can add it to an existing instance and then restart the ECS agent. For more information, see Amazon ECS container agent configuration.
- Your task definition must use a task execution role with the additional permissions for Secrets Manager. For more information, see Amazon ECS task execution IAM role.
Create the parameter
You can use the Systems Manager console to create a Systems Manager Parameter Store parameter for your sensitive data. For more information, see Create a Systems Manager parameter (console) or Create a Systems Manager parameter (Amazon CLI) in the Amazon Systems Manager User Guide.
Add the environment variable to the container definition
Within your container definition, specify secrets with the name of the environment variable to set in the container and the full ARN of the Systems Manager Parameter Store parameter containing the sensitive data to present to the container. For more information, see secrets.
The following is a snippet of a task definition showing the format when referencing a Systems Manager Parameter Store parameter. If the Systems Manager Parameter Store parameter exists in the same Region as the task you are launching, then you can use either the full ARN or name of the parameter. If the parameter exists in a different Region, then specify the full ARN.
{
  "containerDefinitions": [{
    "secrets": [{
      "name": "environment_variable_name",
      "valueFrom": "arn:aws:ssm:region:aws_account_id:parameter/parameter_name"
    }]
  }]
}
For information about how to create a task definition with the secret specified in an environment variable, see Creating an Amazon ECS task definition using the console.
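The following added example (not code from the ECS documentation) shows one way to check the secrets references in a task definition before registering it: a bare parameter name is accepted only for a parameter in the task's own Region, while a parameter in another Region must be given as a full ARN, and a hierarchical name such as /prod/db/password loses its leading slash inside the ARN. The sample task definition, account ID and parameter names are constructed for the example; the check covers Parameter Store references only.

```python
import json
import re

# Full ARN of a Parameter Store parameter. A hierarchical name such as
# /prod/db/password appears in the ARN as "parameter/prod/db/password".
SSM_PARAMETER_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)*:ssm:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):"
    r"(?P<account>\d{12}):parameter/(?P<name>[A-Za-z0-9_.\-/]+)$"
)
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parameter_arn(region, account_id, name):
    """Build the full ARN for a parameter, dropping a leading slash in the name."""
    return f"arn:aws:ssm:{region}:{account_id}:parameter/{name.lstrip('/')}"


def check_secrets(task_definition, task_region):
    """Classify every 'secrets' reference in a task definition.

    Returns {"container/ENV_NAME": status}. A status starting with "ok" is a
    form ECS accepts: a bare parameter name (resolved in the task's Region)
    or a full Parameter Store ARN (the only way to reference a parameter in
    another Region). Anything else needs fixing before registration.
    """
    statuses = {}
    for cdef in task_definition.get("containerDefinitions", []):
        for secret in cdef.get("secrets", []):
            name, value_from = secret.get("name", ""), secret.get("valueFrom", "")
            key = f"{cdef.get('name', '?')}/{name or '?'}"
            if not ENV_NAME.match(name):
                statuses[key] = "error: invalid environment variable name"
            elif not value_from.startswith("arn:"):
                statuses[key] = "ok: parameter name, same Region as task"
            elif (m := SSM_PARAMETER_ARN.match(value_from)) is None:
                statuses[key] = "error: valueFrom is not a Parameter Store ARN"
            elif m.group("region") != task_region:
                statuses[key] = f"ok: full ARN, cross-Region ({m.group('region')})"
            else:
                statuses[key] = "ok: full ARN, same Region as task"
    return statuses


# Constructed sample task definition; the account ID is a placeholder.
SAMPLE = {"containerDefinitions": [{"name": "web", "secrets": [
    {"name": "DB_PASSWORD", "valueFrom": parameter_arn("us-east-1", "123456789012", "/prod/db/password")},
    {"name": "API_KEY", "valueFrom": "prod-api-key"},
    {"name": "LICENSE", "valueFrom": parameter_arn("eu-west-1", "123456789012", "license")},
    {"name": "BAD", "valueFrom": "arn:aws:ssm:us-east-1:12345:parameter/x"},  # account ID is not 12 digits
]}]}

if __name__ == "__main__":
    print(json.dumps(check_secrets(SAMPLE, "us-east-1"), indent=2))
```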
Update your application to programmatically retrieve Systems Manager Parameter Store secrets
To retrieve the sensitive data stored in the Systems Manager Parameter Store parameter, see Code examples for Systems Manager using Amazon SDKs in the Amazon SDK Code Examples Code Library.