I have some sensitive content in my AWS parameter store and I want to use it as described below.
I have a docker image which accepts a certificate as a docker run argument:
docker run -v /path/to/certificate.pem/folder:/mnt/certs my-mapper-image:latest -certificate "/mnt/certs/certificate.pem"
I am able to run this command locally without any problems. This docker image though is the base of a container running on AWS ECS.
I am using terraform to define/deploy this ECS task, so how can I use the containerDefinitions JSON on the ECS task to:
data "aws_ssm_parameter" "certificate" {
  name = "/path/to/certificate"
}
I am confused with the different options like:
// EDIT
Hashicorp's Nomad has exactly what I need, but unfortunately I do not use Nomad:
template {
  data = <<EOF
{{ source from parameter store }}
EOF
  destination = "secrets/certificate.pem"
}
The only way to do this via SSM Parameter Store would be to have the startup command of your docker image be a script that downloads those files from SSM and stores them in the local ECS task's file system (the ephemeral Fargate task storage), before starting your main application.
You could have ECS automatically inject the contents of the Secrets Manager secrets into environment variables in the ECS task. You would still have to have your startup script transfer the contents of those environment variables into files every time the container starts up.
If you wanted to use AWS EFS instead, you could manually copy the files into EFS once, and then configure your ECS task to mount the EFS volume. Note, you can create the EFS volume via Terraform, and map it into the ECS container via Terraform, but Terraform has no access to the EFS volume itself, so Terraform can't copy the files to the EFS volume. You would have to spin up a temporary EC2 instance, mount the EFS volume on it, and then copy the files over via the EC2 instance.
You also mentioned the following:
- Docker volumes
Not available in Fargate
- Bind mounts
Not available in Fargate
- Fargate task storage
Fargate task storage is basically a completely empty storage volume that your image gets loaded into before your container is started, and then gets deleted as soon as your container exits. It is not shared between containers, and it is not persisted.
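An added example (not code from the question or the answer) of the startup script the answer describes: an entrypoint that materialises the certificate as a file in the task's ephemeral storage before exec'ing the mapper, covering both the "download from SSM at startup" and the "ECS-injected environment variable" variants. The variable names CERT_SSM_PARAMETER, CERT_PEM, CERT_PATH and AWS_CLI are assumptions of this example; the parameter name `/path/to/certificate` and the mount path `/mnt/certs/certificate.pem` are taken from the question.

```shell
#!/bin/sh
# Container entrypoint (example, not from the original post).
#  1. CERT_SSM_PARAMETER set -> fetch the value from SSM Parameter Store at start-up
#  2. CERT_PEM set           -> value already injected by ECS as an environment variable
# In both cases the value is written to CERT_PATH, then the real command is exec'd.
set -eu

CERT_PATH="${CERT_PATH:-/mnt/certs/certificate.pem}"
AWS_CLI="${AWS_CLI:-aws}"   # assumed override hook so the logic can run without AWS

# Write $2 to file $1, readable only by the task's user; refuse empty content
# so a failed lookup never leaves the application with an empty certificate.
write_secret_file() {
    dest="$1"; content="$2"
    if [ -z "$content" ]; then
        echo "refusing to write empty secret to $dest" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dest")"
    old_umask=$(umask); umask 077
    printf '%s\n' "$content" > "$dest"   # re-add the newline $(...) strips
    umask "$old_umask"
    chmod 0400 "$dest"
}

# Resolve the certificate from whichever source is configured.
resolve_certificate() {
    if [ -n "${CERT_SSM_PARAMETER:-}" ]; then
        # --with-decryption is required for SecureString parameters
        "$AWS_CLI" ssm get-parameter --name "$CERT_SSM_PARAMETER" \
            --with-decryption --query 'Parameter.Value' --output text
    elif [ -n "${CERT_PEM:-}" ]; then
        printf '%s' "$CERT_PEM"
    else
        echo "neither CERT_SSM_PARAMETER nor CERT_PEM is set" >&2
        return 1
    fi
}

# Fetch, write, then hand PID 1 over to the real command so ECS stop signals reach it.
main_entrypoint() {
    write_secret_file "$CERT_PATH" "$(resolve_certificate)"
    exec "$@"
}

# No command given: nothing to start (also keeps the file safe to source in tests).
if [ "$#" -gt 0 ]; then
    main_entrypoint "$@"
fi
```

In the Dockerfile this becomes `ENTRYPOINT ["/entrypoint.sh", "/path/to/my-mapper"]`, so the existing `-certificate "/mnt/certs/certificate.pem"` argument from the question is passed through unchanged.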