Docker container secrets on AWS ECS

Original post can be found at Xebia

Almost every application needs some kind of secret to do its work. There are all kinds of ways to provide secrets to containers, but it all comes down to the following five:

  1. Save the secrets inside the image
  2. Provide the secrets through ENV variables
  3. Provide the secrets through volume mounts
  4. Use a secrets encryption file
  5. Use a secrets store

For a complete description and an explanation please see the following post

Depending on your context all five options might work or are considered good enough. In my opinion, to do it right and be safe, flexible and in control you can only go for option 5, "Secrets store". Choosing this method leaves you with different ways to accomplish it. As stated in the post above, it comes down to this:

  1. Use some form of S3, with or without encryption. For more info see
  2. HashiCorp Vault

AWS has released a service called Parameter Store; although it is not as sophisticated as Vault, it serves a purpose. If you are starting out or want to keep things simple, please try using the Parameter Store. But if you need full control and want more flexibility, then go ahead and use Vault.

### Parameter Store

Parameter Store allows you to store key-value data with the values encrypted using KMS. Because access to Parameter Store is governed by IAM, it is a great fit for AWS ECS: you can control access to the secrets per container by giving each task its own IAM role.

I could explain how to do this but luckily AWS has a great post on how this should be done, you can find it here

The blog post is great, but I am not really impressed with the run.sh script, in which the secrets are replaced and fetched with the aws cli. There has to be a better and cleaner way...

I really thought so but we could not find any, so we chose to create one.

### Dockerfy

Without trying to reinvent the wheel we took the simple but useful app "dockerfy" and extended it. More information on Dockerfy can be found here. Dockerfy already handles ENV variables and secret files, and it uses templating for simple usage of secrets.

Sadly it did not have an AWS Parameter Store integration, but we took care of that, as you can see in this PR.

You can use the Parameter Store and combine it with Dockerfy's features to add your secrets using a template, but if you need a simple command-line secret, here is an example.

Dockerfile:

```dockerfile
FROM socialcode/nginx-with-dockerfy
# Every Parameter Store entry whose name starts with PROD_ is fetched (decrypted)
# and exposed to the templates/command; "--" separates dockerfy's flags from the command.
ENTRYPOINT [ "dockerfy", "--aws-secret-prefix", "PROD_", "--" ]
CMD [ "/bin/echo", "" ]
```

To use the above Docker container, store a password in the Parameter Store called "PROD_db_password". Then provide AWS credentials, or run it on an EC2 instance or an ECS service whose IAM role is allowed to read and decrypt that parameter, and see the secret being echoed.
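To make concrete what the `--aws-secret-prefix PROD_` flag delegates to dockerfy, and how the per-container IAM control mentioned in the Parameter Store section ties in, here is an added Python example (not dockerfy's, AWS's or the original post's code). It fetches every parameter under a name prefix with decryption, strips the prefix, substitutes the values into a template, and builds the least-privilege policy a task role needs for exactly that prefix. It assumes the real client is `boto3.client("ssm")` (`describe_parameters` with a `BeginsWith` name filter, then `get_parameters` with `WithDecryption=True`); to run offline it uses the constructed `FakeSSM` stand-in below, which has the same call shape. The Go-template syntax `{{ .Secret.name }}` is handled by a simplified regex substitute, not by dockerfy's real template engine.

```python
"""Fetch prefixed secrets from Parameter Store and inject them into a template.

Added example; assumes the boto3 SSM client call shape (describe_parameters,
get_parameters). FakeSSM below is a constructed stand-in so this runs offline.
"""
import re
from typing import Dict, List, Tuple

GET_PARAMETERS_MAX = 10  # the real ssm:GetParameters API accepts at most 10 names per call


class FakeSSM:
    """Constructed stand-in for boto3.client('ssm'); not a real AWS client."""

    def __init__(self, params: Dict[str, Tuple[str, str]]):
        self._params = params  # name -> (Type, plaintext value)

    def describe_parameters(self, ParameterFilters=None, **_):
        prefix = ParameterFilters[0]["Values"][0]
        names = sorted(n for n in self._params if n.startswith(prefix))
        return {"Parameters": [{"Name": n} for n in names]}  # no NextToken: single page

    def get_parameters(self, Names: List[str], WithDecryption: bool = False):
        if len(Names) > GET_PARAMETERS_MAX:
            raise ValueError("at most 10 names per call")  # real API: ValidationException
        found, missing = [], []
        for n in Names:
            if n not in self._params:
                missing.append(n)
                continue
            ptype, value = self._params[n]
            if ptype == "SecureString" and not WithDecryption:
                value = "AQICAH...ciphertext"  # constructed: KMS ciphertext, useless to the app
            found.append({"Name": n, "Type": ptype, "Value": value})
        return {"Parameters": found, "InvalidParameters": missing}


def fetch_prefixed_secrets(ssm, prefix: str) -> Dict[str, str]:
    """Return {name_without_prefix: plaintext} for every parameter starting with prefix."""
    kwargs = {"ParameterFilters": [{"Key": "Name", "Option": "BeginsWith", "Values": [prefix]}]}
    names: List[str] = []
    while True:  # describe_parameters is paginated on the real API; follow NextToken
        resp = ssm.describe_parameters(**kwargs)
        names.extend(p["Name"] for p in resp["Parameters"])
        if not resp.get("NextToken"):
            break
        kwargs["NextToken"] = resp["NextToken"]
    secrets: Dict[str, str] = {}
    for i in range(0, len(names), GET_PARAMETERS_MAX):
        batch = ssm.get_parameters(Names=names[i:i + GET_PARAMETERS_MAX], WithDecryption=True)
        if batch["InvalidParameters"]:
            raise KeyError("missing parameters: %s" % batch["InvalidParameters"])
        for p in batch["Parameters"]:
            secrets[p["Name"][len(prefix):]] = p["Value"]
    return secrets


_TEMPLATE_REF = re.compile(r"\{\{\s*\.Secret\.(\w+)\s*\}\}")


def render_template(template: str, secrets: Dict[str, str]) -> str:
    """Substitute {{ .Secret.name }} references; a missing secret fails fast."""
    def lookup(match: "re.Match") -> str:
        name = match.group(1)
        if name not in secrets:
            raise KeyError("template references unknown secret %r" % name)
        return secrets[name]
    return _TEMPLATE_REF.sub(lookup, template)


def least_privilege_policy(region: str, account: str, prefix: str, kms_key_arn: str) -> dict:
    """IAM policy for one task role: read only parameters under prefix, decrypt with one key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            # DescribeParameters is not resource-scoped, so it has to be "*"; it exposes
            # names only, never values.
            {"Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*"},
            {"Effect": "Allow", "Action": ["ssm:GetParameters"],
             "Resource": "arn:aws:ssm:%s:%s:parameter/%s*" % (region, account, prefix)},
            {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": kms_key_arn},
        ],
    }


# Constructed sample store: two PROD_ secrets and one STAGING_ secret that must not leak.
SAMPLE_STORE = FakeSSM({
    "PROD_db_password": ("SecureString", "s3cr3t"),
    "PROD_api_key": ("SecureString", "k-123"),
    "STAGING_db_password": ("SecureString", "not-for-prod"),
})

if __name__ == "__main__":
    prod = fetch_prefixed_secrets(SAMPLE_STORE, "PROD_")
    print(render_template("DB_PASSWORD={{ .Secret.db_password }}", prod))
```

The `kms:Decrypt` statement is the part most often forgotten: without it `GetParameters` with `WithDecryption=True` fails even though the SSM permission is in place, and without the `parameter/PROD_*` resource restriction every task on the cluster could read every environment's secrets.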