[ECS] [parameter get all keys by path]: secrets from parameter store just provide a path
In ECS and the task definition I use secrets stored in parameter store like:
"secrets": [
  {
    "valueFrom": "arn:aws:ssm:us-west-1:XXXXXXXXXXX:parameter/WEB_APP/DB_PASSWORD",
    "name": "DB_PASSWORD"
  },
  {
    "valueFrom": "arn:aws:ssm:us-west-1:XXXXXXXXXXX:parameter/WEB_APP/DB_USERNAME",
    "name": "DB_USERNAME"
  },
  {
    "valueFrom": "arn:aws:ssm:us-west-1:XXXXXXXXXXX:parameter/WEB_APP/DB_HOST",
    "name": "DB_HOST"
  },
  ...
]
We have lots of secrets, so defining all of them in the task definition JSON becomes tedious and very error-prone. Instead, I should just be able to define a path and ECS should pull down all keys in that path from parameter store and use them.
Example of how that could look:
"secrets": [
  {
    "valueFrom": "arn:aws:ssm:us-west-1:XXXXXXXXXXX:parameter/WEB_APP/*"
  }
]
This would be very helpful for making more generic Terraform modules.
Yes! Please! We are avoiding using the secrets[].valueFrom thing basically for lack of this feature. Engineers have pushed back that the list of parameters here effectively represents a second source of truth. Instead we rely on an entrypoint script that does the get-parameters-by-path thing.
However, the entrypoint script brings with it a limitation that many of us would like to ditch.
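The entrypoint workaround mentioned above, as an added example (not code from this thread, and not how ssm-parent or chamber work): it loads every parameter under a path and, since anyone who can write under that path then sets the container's environment, refuses names that would override loader or credential variables. The usage line, the deny-list, the name mapping and the sample data are assumptions.

```python
import os
import re
import sys

ENV_NAME = re.compile(r"^[A-Z_][A-Z0-9_]*$")
# Illustrative deny-list (assumption): variables that change code loading or credentials.
DENY_PREFIXES = ("LD_", "DYLD_", "AWS_")
DENY_NAMES = {"PATH", "PYTHONPATH", "NODE_OPTIONS", "BASH_ENV", "ENV", "IFS"}

# Constructed sample in the shape GetParametersByPath returns (only the fields used here).
SAMPLE = [
    {"Name": "/WEB_APP/DB_HOST", "Value": "db.internal.example"},
    {"Name": "/WEB_APP/db/password", "Value": "constructed-secret"},
]


def fetch_parameters(path):
    """Page through GetParametersByPath; needs boto3 and IAM access to the path."""
    import boto3  # imported here so the mapping logic below runs without AWS access
    pages = boto3.client("ssm").get_paginator("get_parameters_by_path").paginate(
        Path=path, Recursive=True, WithDecryption=True)
    return [p for page in pages for p in page["Parameters"]]


def params_to_env(parameters, path):
    """Map /WEB_APP/DB_HOST to DB_HOST; refuse unsafe or ambiguous names."""
    prefix = path.rstrip("/") + "/"
    env = {}
    for p in parameters:
        name = p["Name"]
        if not name.startswith(prefix):
            raise ValueError(f"{name} is outside {prefix}")
        key = name[len(prefix):].replace("/", "_").upper()
        if not ENV_NAME.match(key):
            raise ValueError(f"{name} does not map to a valid variable name")
        if key in DENY_NAMES or key.startswith(DENY_PREFIXES):
            raise ValueError(f"{name} would override {key}")
        if key in env:
            raise ValueError(f"{name} collides with another parameter on {key}")
        env[key] = p["Value"]
    return env


if __name__ == "__main__":
    # Usage (assumed): entrypoint.py /WEB_APP/ command [args...]
    path, command = sys.argv[1], sys.argv[2:]
    os.environ.update(params_to_env(fetch_parameters(path), path))
    os.execvp(command[0], command)  # replace this process so signals reach the app
```

Unlike the explicit `secrets` list, this takes whatever exists under the path at start-up, so write access to that path (`ssm:PutParameter`) needs the same scrutiny as the task definition itself.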
Any update on this? Allowing wildcard pulling of a path from parameter store would be a huge win in our Terraform.
I just noticed that this seems very similar to issue #246. In that issue, the reporter mentions a tool called ssm-parent. I haven't tried it, but that may help some people.
We are facing the same issue. Would love to see this for our Fargate containers; it would greatly reduce our ops complexity.
There is a very similar tool to ssm-parent called chamber which we are using in the meantime.
Bump from 2024!