
Any plans for adding support for AWS Secrets now supported in Fargate platform version 1.3

Open jeberly opened this issue 5 years ago • 5 comments

Just curious if there are any plans to support this, or what the best approach to consume them is. E.g. just edit the Task Definition.

https://aws.amazon.com/about-aws/whats-new/2018/12/aws-fargate-platform-version-1-3-adds-secrets-support/

Thanks!

jeberly avatar Mar 22 '19 00:03 jeberly

Just created a related issue https://github.com/jpignata/fargate/issues/93. Currently if you use fargate cli and issue a service deploy it deletes any secrets previously defined in a task definition. This is a blocker for us until it gets resolved.

nodesocket avatar Jun 07 '19 05:06 nodesocket

@jpignata @jeberly @holyjak @billdavidson4 I am willing to open a paid bounty for this feature as we require it. Essentially seems like existing secrets from the secrets array need to be copied from the previous task definition as well as adding the following to the requiresAttributes array in the task definition.

{
      "targetId": null,
      "targetType": null,
      "value": null,
      "name": "ecs.capability.secrets.ssm.environment-variables"
}

nodesocket avatar Jun 09 '19 20:06 nodesocket
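The carry-over described in the comment above, sketched in Go as an added example; it is not code from fargate or from any fork. `Redeploy`, `SecretRefs` and `prevJSON` are hypothetical names, the sample task definition is constructed, and nothing is sent to ECS: the sketch only shows that changing `image` on a generically decoded task definition leaves the `secrets` array in place.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: a trimmed task definition; names and ARN are placeholders.
const prevJSON = `{"family":"my-task-family","containerDefinitions":[{"name":"web",
 "image":"example/web:old","environment":[{"name":"PORT","value":"8080"}],
 "secrets":[{"name":"PASSWORD","valueFrom":"arn:aws:ssm:us-east-1:111122223333:parameter/example"}]}]}`

// Redeploy returns prev with the image of the named container replaced.
// Decoding into generic maps instead of a fixed struct keeps every field this
// code does not model, the "secrets" array included.
func Redeploy(prev, container, image string) (map[string]interface{}, error) {
	var td map[string]interface{}
	if err := json.Unmarshal([]byte(prev), &td); err != nil {
		return nil, err
	}
	cds, _ := td["containerDefinitions"].([]interface{})
	for _, c := range cds {
		if cd, ok := c.(map[string]interface{}); ok && cd["name"] == container {
			cd["image"] = image
			return td, nil
		}
	}
	return nil, fmt.Errorf("container %q not in task definition", container)
}

// SecretRefs lists "container/secret" for every secret in a task definition,
// so a deploy can compare the old and new revision before registering.
func SecretRefs(td map[string]interface{}) (refs []string) {
	cds, _ := td["containerDefinitions"].([]interface{})
	for _, c := range cds {
		cd, _ := c.(map[string]interface{})
		secrets, _ := cd["secrets"].([]interface{})
		for _, s := range secrets {
			sm, _ := s.(map[string]interface{})
			refs = append(refs, fmt.Sprintf("%v/%v", cd["name"], sm["name"]))
		}
	}
	return refs
}

func main() {
	td, err := Redeploy(prevJSON, "web", "example/web:new")
	fmt.Println(SecretRefs(td), err)
}
```

Comparing `SecretRefs` of the previous and the new revision before registering catches a deploy that would drop a secret.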

@nodesocket just fyi, that our fork has support for secrets in service deploy as well as env set.

curl -s get-fargate.turnerlabs.io | sh

jritsema avatar Jun 10 '19 13:06 jritsema

@jritsema wow, how did I not come across your fork before? This looks awesome. Looks like the deploy command is slightly different.

Current:

fargate --region "$AWS_REGION" --cluster "$ECS_CLUSTER_NAME" service deploy "$ECS_SERVICE_NAME" --image "$ECR_REPO/$NAME:$GIT_HASH"

Your fork:

fargate --region "$AWS_REGION" --cluster "$ECS_CLUSTER_NAME" --service "$ECS_SERVICE_NAME" service deploy --image "$ECR_REPO/$NAME:$GIT_HASH"

I will give your fork a try today.

nodesocket avatar Jun 10 '19 18:06 nodesocket

Yes, it is slightly different. The reason we moved the service argument is so you can maintain a fargate.yml file (or $FARGATE_X envvars) and not have to specify the cluster, service, task, etc. for each command.

cluster: my-cluster
service: my-service
task: my-task-family
rule: my-cloudwatch-event-rule

export AWS_DEFAULT_REGION=us-east-1
fargate service deploy --image "$ECR_REPO/$NAME:$GIT_HASH"
fargate service env set --secret PASSWORD=xyz
fargate service info
fargate service logs

jritsema avatar Jun 10 '19 18:06 jritsema