Is it possible to inject secrets into environment variables when building ECS containers using SecretString from SSM?
I would like to do something like:
taskDefinition.addContainer(`${id}-etcd`, {
  image: ContainerImage.fromRegistry(ecrRegistry),
  containerName: 'container-name',
  secrets: {
    ENV_VAR_NAME: new SecretStringFromSSM('param-name'),
  },
});
Tried with secrets manager:
When using the secrets property:
import { Secret } from 'aws-cdk-lib/aws-secretsmanager';

secrets: {
  ENV_VAR_NAME: new Secret(this, `param-name`, {}),
},
I get an error with:
Property 'arn' is missing in type 'import("/Users/<user>/<project>/node_modules/aws-cdk-lib/aws-secretsmanager/lib/secret").Secret' but required in type 'import("/Users/<user>/<project>/node_modules/aws-cdk-lib/aws-ecs/lib/container-definition").Secret'.ts(2741)
Tried with the different from... methods of the Secret class:
import { Secret } from 'aws-cdk-lib/aws-secretsmanager';

secrets: {
  ENV_VAR_NAME: Secret.fromSecretCompleteArn(
    this,
    `param-name`,
    'arn:aws:secretsmanager:<region>:<account>:secret:<secret-name>',
  ),
},
But, as this class implements ISecret, it is missing the arn property:
Property 'arn' is missing in type 'ISecret' but required in type 'Secret'.
You're confusing the Secret construct from the aws-secretsmanager module and the Secret class from the aws-ecs module.

The secrets prop in a container definition expects the latter, while you're passing the former. You need to construct the latter yourself using its fromSecretsManager method:
import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
import * as ecs from 'aws-cdk-lib/aws-ecs';

// aws-secretsmanager's ISecret: a reference to the stored secret
const mySecret = secretsmanager.Secret.fromSecretCompleteArn(
  this,
  `MySecret`,
  'arn:aws:secretsmanager:<region>:<account>:secret:<secret-name>',
);
...
secrets: {
  // aws-ecs's Secret: tells the ECS agent to fetch the value at launch
  ENV_VAR_NAME: ecs.Secret.fromSecretsManager(mySecret),
},
...
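To see what that fix actually changes in the task definition, here is an added example; it is not code from the question, the answer or aws-cdk-lib. It reproduces, in plain TypeScript with no CDK dependency, the `secrets` entries and the execution-role statements that CDK synthesizes for ecs.Secret.fromSecretsManager (whole secret, or one JSON key via its second argument) and for ecs.Secret.fromSsmParameter, which takes an ssm.IParameter and is the SSM route the question asked about. Each entry becomes a `valueFrom` reference that the ECS agent resolves at launch using the task execution role, so the plaintext never lands in the task definition the way an `environment` entry would. The account ID, region, ARNs and parameter names are constructed for the example.

```typescript
// Added example, not from the question, the answer or aws-cdk-lib: a plain
// TypeScript model of what CDK puts into the task definition for a container's
// `secrets` map, and what the execution role must be allowed to do.
// Everything below (account, region, ARNs, parameter names) is constructed.

type SecretRef =
  | { kind: "secretsmanager"; arn: string; jsonField?: string }
  | { kind: "ssm"; region: string; account: string; parameterName: string };

interface ContainerSecret {
  name: string;      // environment variable name inside the container
  valueFrom: string; // ARN reference the ECS agent resolves at launch
}

interface Statement {
  Effect: "Allow";
  Action: string[];
  Resource: string[];
}

// ECS accepts a bare parameter name only for same-region parameters; the full
// ARN (which is what ecs.Secret.fromSsmParameter emits) always works.
function ssmParameterArn(region: string, account: string, name: string): string {
  const path = name.charAt(0) === "/" ? name.slice(1) : name;
  return `arn:aws:ssm:${region}:${account}:parameter/${path}`;
}

// The valueFrom format ECS documents: a Secrets Manager ARN, optionally with
// ":<json-key>:<version-stage>:<version-id>" appended (empty stage and version
// mean AWSCURRENT), or an SSM parameter ARN.
function valueFromFor(ref: SecretRef): string {
  if (ref.kind === "secretsmanager") {
    return ref.jsonField ? `${ref.arn}:${ref.jsonField}::` : ref.arn;
  }
  return ssmParameterArn(ref.region, ref.account, ref.parameterName);
}

function renderContainerSecrets(secrets: { [name: string]: SecretRef }): ContainerSecret[] {
  return Object.keys(secrets).map((name) => ({ name, valueFrom: valueFromFor(secrets[name]) }));
}

// Minimum the *execution* role needs (CDK's grantRead is a little broader);
// the task role gets nothing, because the container never calls these APIs.
function executionRoleStatements(secrets: { [name: string]: SecretRef }, kmsKeyArn?: string): Statement[] {
  const smArns: string[] = [];
  const ssmArns: string[] = [];
  for (const name of Object.keys(secrets)) {
    const ref = secrets[name];
    if (ref.kind === "secretsmanager") {
      if (smArns.indexOf(ref.arn) < 0) smArns.push(ref.arn);
    } else {
      const arn = ssmParameterArn(ref.region, ref.account, ref.parameterName);
      if (ssmArns.indexOf(arn) < 0) ssmArns.push(arn);
    }
  }
  const statements: Statement[] = [];
  if (smArns.length > 0) statements.push({ Effect: "Allow", Action: ["secretsmanager:GetSecretValue"], Resource: smArns });
  if (ssmArns.length > 0) statements.push({ Effect: "Allow", Action: ["ssm:GetParameters"], Resource: ssmArns });
  // Only needed when the secret or parameter is encrypted with a customer-managed KMS key.
  if (kmsKeyArn) statements.push({ Effect: "Allow", Action: ["kms:Decrypt"], Resource: [kmsKeyArn] });
  return statements;
}

// Constructed sample: a DB password kept as the "password" key of a JSON
// secret, and an API token kept as an SSM SecureString parameter.
const sampleSecrets: { [name: string]: SecretRef } = {
  DB_PASSWORD: {
    kind: "secretsmanager",
    arn: "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-AbCdEf",
    jsonField: "password",
  },
  API_TOKEN: { kind: "ssm", region: "us-east-1", account: "111122223333", parameterName: "/prod/api/token" },
};

function sampleContainerSecrets(): ContainerSecret[] {
  return renderContainerSecrets(sampleSecrets);
}

function sampleExecutionRoleStatements(): Statement[] {
  return executionRoleStatements(sampleSecrets);
}

console.log(JSON.stringify({ secrets: sampleContainerSecrets(), executionRolePolicy: sampleExecutionRoleStatements() }, null, 2));
```

Two things worth checking in the real template after `cdk synth`: the `:password::` suffix when a single JSON key was requested, and that the GetSecretValue / GetParameters grants landed on the execution role rather than the task role. If the secret or parameter is encrypted with a customer-managed KMS key, that role also needs kms:Decrypt on the key, which the optional `kmsKeyArn` argument above models.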