Bobcares

Pass Sensitive Information Securely to Containers in ECS Task

by | Aug 21, 2021

It is always the best practice to Pass Sensitive Information Securely to Containers in ECS Task.

Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.

Today, let us see how we can securely pass information.

 

Pass Sensitive Information Securely to Containers in ECS Task

We can all agree that passing sensitive data in plaintext can cause security issues. Hence it is a security best practice to pass them as environment variables.

To do so, we can reference values stored in AWS Systems Manager Parameter Store or AWS Secrets Manager in the container definition of an Amazon ECS task definition.

Then, we can expose the sensitive information as environment variables or in the log configuration of a container.

 

How to do this?

Moving ahead, let us see how our Support Techs perform this task for our customers.

  • Prerequisites

1. Initially, we need to store sensitive information in either AWS Systems Manager Parameter Store or Secrets Manager.

For AWS Systems Manager Parameter Store, we run:

aws ssm put-parameter --type SecureString --name awsExampleParameter --value awsExampleValue

For Secrets Manager, we run:

aws secretsmanager create-secret --name awsExampleParameter --secret-string awsExampleValue

2. After that, we open the IAM console and create a role with a trust relation for ecs-tasks.amazonaws.com.

For example:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}

3. Then we need to create an inline policy for the role in the IAM console.

To do so, we select Roles, then the role that we created in the previous step, and then select Add inline policy on the Permissions tab.

We then select the JSON tab, and then create a policy with the following code:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:ssm:us-east-1:awsExampleAccountID:parameter/awsExampleParameter",
"arn:aws:secretsmanager:us-east-1:awsExampleAccountID:secret:awsExampleParameter*"
]
}
]
}

4. If necessary, we attach the managed policy AmazonECSTaskExecutionRolePolicy to the role in step 2.

  • Reference sensitive information in the ECS task definition

From the AWS Management Console:

1. First, we open the Amazon ECS console.

2. Then we select Task Definitions > Create new Task Definition.

3. Next, we select the launch type > Next step.

4. For Task execution role, we select the task execution IAM role that we created earlier.

5. In the Container Definitions section, we select Add container.

6. Then in the Environment variables section under ENVIRONMENT, for Key, we enter a key for the environment variable.

7. On the Value dropdown list, we select ValueFrom.

8. In the text box for the key, we enter the Amazon Resource Name of the Parameter Store or Secrets Manager resource.

From the AWS Command Line Interface (AWS CLI):

1. We need to reference AWS Systems Manager Parameter Store or Secrets Manager resources in the task definition as environment variables using the secrets section or as log configuration options using the secretOptions section.

For example:

{
"requiresCompatibilities": [
"EC2"
],
"networkMode": "awsvpc",
"containerDefinitions": [
{
"name": "web",
"image": "httpd",
"memory": 128,
"essential": true,
"portMappings": [
{
"containerPort": 80,
"protocol": "tcp"
}
],
"logConfiguration": {
"logDriver": "splunk",
"options": {
"splunk-url": "https://sample.splunk.com:8080"
},
"secretOptions": [
{
"name": "splunk-token",
"valueFrom": "arn:aws:secretsmanager:us-east-1:awsExampleAccountID:secret:awsExampleParameter"
}
]
},
"secrets": [
{
"name": "DATABASE_PASSWORD",
"valueFrom": "arn:aws:ssm:us-east-1:awsExampleAccountID:parameter/awsExampleParameter"
}
]
}
],
"executionRoleArn": "arn:aws:iam::awsExampleAccountID:role/awsExampleRoleName"
}

2. Then to register the task definition, we run:

aws ecs register-task-definition --family-name yourTaskDefinitionFamily --cli-input-json file://pathToYourJsonFile

Once done, the Amazon ECS container agent automatically resolves the secrets and injects the values as environment variables into the container.

We update the service and use the Force new deployment option to force the service to launch a fresh task if the task is part of a service.

To force a new deployment:

1. We open the Amazon ECS console.

2. Then we select Clusters, then the cluster with the service.

3. We select the Force New Deployment check box, and then select Update Service.

In addition, we can force a new deployment from the AWS CLI.

To do so, we run the update-service command with the –force-new-deployment flag.

[Need help with the process? We are available 24*7]

 

Conclusion

In short, we saw how our Support Techs pass sensitive information securely.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.