secrets
As you may already know from using them, docker-compose allows you to define secrets for your application.
To stay compatible with the docker-compose syntax, you declare your secret in docker-compose and add an extension field that maps directly to the name of the secret in AWS Secrets Manager.
ECS ComposeX automatically adds the IAM permissions to the execution role of your Task definition and exports the secret to your container, using the same name as in the compose file.
Hint
For security purposes, the envoy and xray-daemon containers are not assigned the secrets.
Syntax
x-secrets:
  Name: str
  LinksTo: []
  JsonKeys: []
  Lookup: {}
Name
Type: String
The name of the secret in AWS Secrets Manager to use and import.
Hint
You can also use the full ARN of the secret. It will be validated.
LinksTo
Type: List of Strings
AllowedValues:
  - EcsExecutionRole
  - EcsTaskRole
If your service application should have access to the secret via the Task Role, add LinksTo to the secret definition as follows:
secret-name:
  x-secrets:
    Name: String
    LinksTo:
      - EcsExecutionRole
      - EcsTaskRole
Warning
If you do not specify EcsExecutionRole when specifying LinksTo, the secret will not be exposed to your container via the AWS ECS Secrets property of your Container Definition.
JsonKeys
Type: List of objects/dicts
Note
Only Fargate Platform Version 1.4.0+ supports secrets JSON keys.
SecretKey: str
VarName: str
Transform: str
SecretKey
The name of the JSON key in your secret.
VarName
The name under which this specific JSON key of the secret is exposed.
Transform
Simple transforms to apply when you want to turn the original secret key into something else.
java_properties
Converts all letters of the string to uppercase and replaces . with _
title
Sets the first letter of every word to uppercase. some.properties becomes Some.Properties
capitalize
Changes all letters from lowercase to uppercase but does not change anything else.
Examples
secrets:
  topsecret_info:
    x-secrets:
      Name: /path/to/my/secret

services:
  serviceA:
    secrets:
      - topsecret_info

secrets:
  abcd: {}
  john:
    x-secrets:
      LinksTo:
        - EcsExecutionRole
        - EcsTaskRole
      Name: SFTP/asl-cscs-files-dev

secrets:
  zyx:
    x-secrets:
      Name: secret/with/kmskey
      Lookup:
        Tags:
          - costcentre: lambda
          - composexdev: "yes"
      JsonKeys:
        - SecretKey: username
          VarName: PSQL_USERNAME
        - SecretKey: password
          VarName: PSQL_PASSWORD

secrets:
  abcd: {}
  john:
    x-secrets:
      LinksTo:
        - EcsExecutionRole
        - EcsTaskRole
      Name: arn:aws:secretsmanager:eu-west-1:123456789012:secret:/secret/abcd
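
The LinksTo warning and the JsonKeys transforms above can be checked before deployment. The following is an added example, not ECS ComposeX's own code: a small linter over an already-parsed `secrets:` mapping that flags disallowed LinksTo values, a LinksTo list without EcsExecutionRole, and JSON keys whose transformed names collide. Assumptions: the function names and the sample data are constructed for illustration, an explicit VarName takes precedence over Transform, and a key with neither is exposed under its own name.

```python
ALLOWED_LINKS = {"EcsExecutionRole", "EcsTaskRole"}
# The three transforms, implemented as this page describes them.
TRANSFORMS = {
    "java_properties": lambda key: key.upper().replace(".", "_"),
    "title": lambda key: key.title(),
    "capitalize": lambda key: key.upper(),
}

def var_name(entry):
    """Name one JsonKeys entry resolves to inside the container."""
    if "VarName" in entry:  # assumption: an explicit VarName wins over Transform
        return entry["VarName"]
    if "Transform" in entry:
        return TRANSFORMS[entry["Transform"]](entry["SecretKey"])
    return entry["SecretKey"]  # assumption: the key name is used unchanged

def lint_secrets(secrets):
    """Return findings for an already-parsed top-level `secrets:` mapping."""
    findings = []
    for name, body in secrets.items():
        spec = (body or {}).get("x-secrets")
        if spec is None:
            continue  # plain docker-compose secret, no Secrets Manager mapping
        links = spec.get("LinksTo")
        if links is not None:
            for bad in sorted(set(links) - ALLOWED_LINKS):
                findings.append(f"{name}: LinksTo value {bad} is not allowed")
            if "EcsExecutionRole" not in links:
                findings.append(f"{name}: no EcsExecutionRole in LinksTo, not exposed to the container")
        seen = {}  # resolved variable name -> SecretKey that claimed it first
        for entry in spec.get("JsonKeys") or []:
            if entry.get("Transform", "title") not in TRANSFORMS:
                findings.append(f"{name}: unknown Transform {entry['Transform']}")
                continue
            resolved = var_name(entry)
            if resolved in seen:
                findings.append(f"{name}: {seen[resolved]} and {entry['SecretKey']} both resolve to {resolved}")
            seen.setdefault(resolved, entry["SecretKey"])
    return findings

# Constructed sample input: the parsed form of a compose file's `secrets:` section.
SAMPLE = {
    "abcd": {},
    "db": {"x-secrets": {"Name": "/path/to/my/secret", "LinksTo": ["EcsTaskRole"],
                         "JsonKeys": [{"SecretKey": "db.user", "Transform": "java_properties"},
                                      {"SecretKey": "db_user", "Transform": "capitalize"}]}},
}

if __name__ == "__main__":
    print("\n".join(lint_secrets(SAMPLE)))
```

In the sample, `db.user` with java_properties and `db_user` with capitalize both become `DB_USER`, so one value would silently shadow the other in the container environment.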