secrets

docker-compose lets you define secrets for your application, and you may already be using them.

To stay compatible with the docker-compose syntax, you can now declare your secret in docker-compose and add an extension field that maps directly to the name of the secret in AWS Secrets Manager.

ECS ComposeX will automatically add IAM permissions to the execution role of your Task definition and will export the secret to your container, using the same name as in the compose file.

Hint

For security purposes, the secrets are not assigned to the envoy and xray-daemon containers.

Syntax

x-secrets:
  Name: str
  LinksTo: []
  JsonKeys: []
  Lookup: {}

Name

Type: String

The name of the secret in AWS Secrets Manager to use and import.

Hint

You can also use the full ARN of the secret. It will be validated.

LinksTo

Type: List of Strings

AllowedValues:

  • EcsExecutionRole

  • EcsTaskRole

If you believe that your service application should have access to the secret via the Task Role, add it to the secret definition as follows:

secret-name:
  x-secrets:
    Name: String
    LinksTo:
      - EcsExecutionRole
      - EcsTaskRole

Warning

If you specify LinksTo without EcsExecutionRole, the secret will not be exposed to your container via the AWS ECS Secrets property of your Container Definition.

JsonKeys

Type: List of objects/dicts

Note

Only Fargate Platform Version 1.4.0+ supports secrets JSON keys.

JsonKeys objects structure

SecretKey: str
VarName: str
Transform: str

SecretKey

Name of the JSON Key in your secret.

VarName

The name under which this specific JSON key of the secret is exposed.

Transform

Simple transforms you can apply when you want to turn the original secret key into something else:

java_properties

Takes a string, replaces all letters with their uppercase version, and replaces . with _

title

Sets the first letter of every word to uppercase. some.properties becomes Some.Properties

capitalize

Changes all letters from lower case to uppercase but does not change anything else.

Examples

Short example

secrets:
  topsecret_info:
    x-secrets:
      Name: /path/to/my/secret

services:
  serviceA:
    secrets:
      - topsecret_info

Secret with assignment to Task and Execution Role

secrets:
  abcd: {}
  john:
    x-secrets:
      LinksTo:
        - EcsExecutionRole
        - EcsTaskRole
      Name: SFTP/asl-cscs-files-dev

Secret looked up from Tags and Name, also using JsonKeys

secrets:
  zyx:
    x-secrets:
      Name: secret/with/kmskey
      Lookup:
        Tags:
          - costcentre: lambda
          - composexdev: "yes"
      JsonKeys:
        - SecretKey: username
          VarName: PSQL_USERNAME
        - SecretKey: password
          VarName: PSQL_PASSWORD

Secret with assignment to Task and Execution Role, using the full ARN as Name

secrets:
  abcd: {}
  john:
    x-secrets:
      LinksTo:
        - EcsExecutionRole
        - EcsTaskRole
      Name: arn:aws:secretsmanager:eu-west-1:123456789012:secret:/secret/abcd
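
A pre-deployment check for the rules documented above, as an added example that is not part of ECS ComposeX: it takes the parsed compose file as a dict and reports x-secrets settings that contradict this page (LinksTo values, LinksTo without EcsExecutionRole, JsonKeys field names, Transform values). The function name, the finding levels, the ARN pattern and the sample data are assumptions made for this illustration.

```python
import re

# Values documented on this page.
ALLOWED_LINKS = {"EcsExecutionRole", "EcsTaskRole"}
JSON_KEY_FIELDS = {"SecretKey", "VarName", "Transform"}
TRANSFORMS = {"java_properties", "title", "capitalize"}
# Assumption: general shape of a Secrets Manager ARN, not ComposeX's own validation.
ARN_RE = re.compile(r"^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$")

def lint_secrets(compose):
    """Return (secret, level, message) findings for every x-secrets block."""
    out = []
    for name, body in (compose.get("secrets") or {}).items():
        spec = (body or {}).get("x-secrets")
        if spec is None:
            continue  # plain docker-compose secret, nothing to check
        ident = spec.get("Name")
        if not isinstance(ident, str) or not ident:
            out.append((name, "error", "Name must be a non-empty string"))
        elif ident.startswith("arn:") and not ARN_RE.match(ident):
            out.append((name, "error", "Name starts with arn: but is not a secret ARN"))
        links = spec.get("LinksTo")
        if links is not None:
            for bad in sorted(set(links) - ALLOWED_LINKS):
                out.append((name, "error", f"LinksTo value not allowed: {bad}"))
            if "EcsExecutionRole" not in links:
                out.append((name, "warning", "not exposed to the container: EcsExecutionRole missing"))
            if "EcsTaskRole" in links:
                out.append((name, "review", "task role is granted access to the secret"))
        for i, item in enumerate(spec.get("JsonKeys") or []):
            for bad in sorted(set(item) - JSON_KEY_FIELDS):
                out.append((name, "error", f"JsonKeys[{i}]: unknown field {bad}"))
            transform = item.get("Transform")
            if transform is not None and transform not in TRANSFORMS:
                out.append((name, "error", f"JsonKeys[{i}]: unknown Transform {transform}"))
    return out

# Constructed sample: the parsed form of a compose file (e.g. from a YAML loader).
SAMPLE = {"secrets": {"plain": {},
    "db": {"x-secrets": {"Name": "secret/with/kmskey", "JsonKeys": [
        {"SecretKey": "username", "VarName": "PSQL_USERNAME"},
        {"Key": "password", "Name": "PSQL_PASSWORD", "Transform": "upper"}]}},
    "sftp": {"x-secrets": {"Name": "arn:aws:secretsmanager:eu-west-1:secret:x",
                           "LinksTo": ["EcsTaskRole", "TaskRole"]}},
}}

if __name__ == "__main__":
    for finding in lint_secrets(SAMPLE):
        print(*finding, sep=": ")
```

The "review" level does not mark an error: it lists every secret that the Task Role can read, so that each such grant is a deliberate choice.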