I have an AWS Batch Job definition where I'm using specific secrets from AWS Secrets Manager. As you can see in the example below, I'm manually specifying each secret by its name.
However, I would like to know if there is a way to reference all secrets within a specific Secrets Manager store (or an entire set of secrets) dynamically, so that when a new secret is added to the store, my AWS Batch Job will automatically be able to access it, without needing to update the job definition manually.
Here’s my current CloudFormation code for the AWS Batch Job definition:
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ENVIRONMENT:
    Description: The environment for the resources
    Type: String
    Default: development
  APISECRETS:
    Type: String
    Default: 'arn:aws:secretsmanager:***'
Resources:
  JobDefinitionTests:
    Type: 'AWS::Batch::JobDefinition'
    Properties:
      Type: container
      JobDefinitionName: !Sub 'test-${ENVIRONMENT}'
      PlatformCapabilities:
        - FARGATE
      RetryStrategy:
        Attempts: 3
        EvaluateOnExit:
          - OnExitCode: "1"
            Action: EXIT
      Timeout:
        AttemptDurationSeconds: 14400
      ContainerProperties:
        Image: !ImportValue
          'Fn::Sub': '${ENVIRONMENT}-TestWorkerImageURI'
        ResourceRequirements:
          - Type: VCPU
            Value: '1'
          - Type: MEMORY
            Value: '2048'
        Command:
          - python
          - run_sample_script.py
          - '--task_id'
          - Ref::TASK_ID
        # Each key of the JSON secret is injected as one environment variable;
        # the "<ARN>:<json-key>::" form selects the key (version stage/id left default).
        Secrets:
          - Name: ADMIN_EMAILS
            ValueFrom: !Sub '${APISECRETS}:ADMIN_EMAILS::'
          - Name: EMAIL_HOST_PASSWORD
            ValueFrom: !Sub '${APISECRETS}:EMAIL_HOST_PASSWORD::'
          - Name: EMAIL_HOST_USER
            ValueFrom: !Sub '${APISECRETS}:EMAIL_HOST_USER::'
        JobRoleArn: !GetAtt SflabWorkerRole.Arn
        ExecutionRoleArn: !GetAtt SflabWorkerRole.Arn
        LogConfiguration:
          LogDriver: awslogs
        NetworkConfiguration:
          AssignPublicIp: 'ENABLED'
I cannot find any information in the AWS documentation about this, so I wanted to ask whether someone has found a way to solve this issue, or whether it is currently not possible to dynamically reference secrets in an AWS Batch Job Definition.
That CloudFormation construct is to provide environment variables key/value pairs that you can take advantage of in your application without giving the application a job role that has access to Secrets Manager.
If you want dynamic access to secrets (which is not something that I would recommend, but since you are asking), you should add a profile to the Batch job role that allows access to the subset of entries in Secrets Manager that you want to give to an application. Here is an example policy that leverages tags for access: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access-abac.html#tag-secrets-abac
Again, I do not recommend dynamic access to secrets. That's just a security incident waiting to happen. But since you asked, adding access to a tagged set of secrets via the job role is a not-terrible compromise.
Note that your application would need to leverage the Secrets Manager API (via SDK, CLI, etc) to get the secrets, instead of relying on Batch to place them into environment variables.
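Added example (not code from the question or the answer above) showing what the answer's tag-based approach looks like end to end: the job-role policy that allows reading only secrets carrying a given resource tag, and application-side code that lists those secrets, re-checks the tag pair, and flattens JSON secrets into the same name/value shape the `Secrets:` block would have produced. The tag `app=sflab`, the secret names and their contents, and the region are all assumptions; `FakeSecretsManager` is a constructed stand-in so the example runs offline, and it raises on reads the IAM condition would deny.

```python
"""Fetch every Secrets Manager secret tagged for this application at job start.

Added example, not from the original post. Assumes the Batch job role carries
a policy like abac_policy() and the secrets to load are tagged app=sflab
(tag key/value, secret names and region are assumptions).
"""
import json
from typing import Dict, Iterator, List


def abac_policy(tag_key: str, tag_value: str) -> dict:
    """Job-role policy. ListSecrets has no resource-level scoping, so it is
    allowed on '*'; reading a secret is allowed only when the secret carries
    the given tag. The tag condition is the actual access control."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "secretsmanager:ListSecrets", "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
             "Resource": "*",
             "Condition": {"StringEquals": {f"secretsmanager:ResourceTag/{tag_key}": tag_value}}},
        ],
    }


def _has_tag(entry: dict, tag_key: str, tag_value: str) -> bool:
    return any(t.get("Key") == tag_key and t.get("Value") == tag_value
               for t in entry.get("Tags", []))


def load_tagged_secrets(client, tag_key: str, tag_value: str) -> Dict[str, str]:
    """Return a flat name->value mapping of all secrets tagged tag_key=tag_value.

    JSON secrets (like the ADMIN_EMAILS/EMAIL_HOST_* keys in the question) are
    flattened one key per entry; plain-string secrets are keyed by secret name.
    The ListSecrets filter only narrows the listing, so the exact tag pair is
    re-checked client-side before GetSecretValue is called.
    """
    filters = [{"Key": "tag-key", "Values": [tag_key]},
               {"Key": "tag-value", "Values": [tag_value]}]
    loaded: Dict[str, str] = {}
    for page in client.get_paginator("list_secrets").paginate(Filters=filters):
        for entry in page["SecretList"]:
            if not _has_tag(entry, tag_key, tag_value):
                continue  # policy would deny this read anyway
            secret_string = client.get_secret_value(SecretId=entry["ARN"]).get("SecretString")
            if secret_string is None:
                continue  # SecretBinary needs its own handling
            try:
                payload = json.loads(secret_string)
            except ValueError:
                payload = None
            if isinstance(payload, dict):
                loaded.update({k: str(v) for k, v in payload.items()})
            else:
                loaded[entry["Name"]] = secret_string
    return loaded


def real_client(region: str = "eu-west-1"):
    """Real boto3 client, imported lazily so the rest runs offline (region assumed)."""
    import boto3
    return boto3.client("secretsmanager", region_name=region)


# --- Constructed stand-in for Secrets Manager so the example runs offline ---
class FakeSecretsManager:
    """Mimics list_secrets pagination and get_secret_value, and enforces the
    tag condition the way IAM would: reading an untagged secret raises."""
    _ARN = "arn:aws:secretsmanager:eu-west-1:111122223333:secret:"

    def __init__(self, tag_key: str, tag_value: str):
        self._required = (tag_key, tag_value)
        self._secrets = [  # made-up contents
            {"ARN": self._ARN + "sflab/api-AbCdEf", "Name": "sflab/api",
             "Tags": [{"Key": "app", "Value": "sflab"}],
             "SecretString": json.dumps({"ADMIN_EMAILS": "ops@example.com",
                                         "EMAIL_HOST_USER": "mailer",
                                         "EMAIL_HOST_PASSWORD": "hunter2"})},
            {"ARN": self._ARN + "sflab/sftp-GhIjKl", "Name": "sflab/sftp",
             "Tags": [{"Key": "app", "Value": "sflab"}], "SecretString": "plain-sftp-token"},
            # app=other but env=sflab: a loose key/value filter lists it,
            # and GetSecretValue on it is denied by the tag condition.
            {"ARN": self._ARN + "other/api-MnOpQr", "Name": "other/api",
             "Tags": [{"Key": "app", "Value": "other"}, {"Key": "env", "Value": "sflab"}],
             "SecretString": json.dumps({"OTHER_KEY": "should-not-leak"})},
        ]

    def get_paginator(self, name: str):
        assert name == "list_secrets"
        return self

    def paginate(self, Filters: List[dict]) -> Iterator[dict]:
        wanted = {f["Key"]: set(f["Values"]) for f in Filters}

        def listed(s: dict) -> bool:  # key and value matched independently
            keys = {t["Key"] for t in s["Tags"]}
            vals = {t["Value"] for t in s["Tags"]}
            return bool(keys & wanted.get("tag-key", keys)) and bool(vals & wanted.get("tag-value", vals))

        public = [{k: v for k, v in s.items() if k != "SecretString"} for s in self._secrets if listed(s)]
        yield {"SecretList": public[:2]}  # two pages, like a real paginator
        yield {"SecretList": public[2:]}

    def get_secret_value(self, SecretId: str) -> dict:
        for s in self._secrets:
            if s["ARN"] == SecretId:
                if not _has_tag(s, *self._required):
                    raise PermissionError("AccessDeniedException: tag condition not met")
                return {"ARN": s["ARN"], "Name": s["Name"], "SecretString": s["SecretString"]}
        raise KeyError(SecretId)


if __name__ == "__main__":
    print(sorted(load_tagged_secrets(FakeSecretsManager("app", "sflab"), "app", "sflab")))
```

In a real job, replace `FakeSecretsManager(...)` with `real_client()` and attach `abac_policy("app", "sflab")` to the job role; a new secret becomes visible to the job as soon as it is tagged, which is exactly the property the answer warns about, since tagging (or the ability to tag) is now the access-control boundary.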