Home > Software engineering >  How would I go about retreiving Vault keys to AWS ECS Task Definitions?
How would I go about retreiving Vault keys to AWS ECS Task Definitions?

Time:03-13

This is a dumb question but would appreciate any help on this topic.

I work with Hashicorp Vault which is hosted in AWS. I am trying to find a way to retrieve keys from Vault using AWS ECS's Task Definition; however, I do not see any information on this. You can use AWS Secrets Manager but we are not using this service.

Would it be best to use a CI/CD service (for example GitLab), retrieve the secrets from Vault, build the image and send to AWS ECS? OR, is there a way of implementing Vault onto AWS ECS?

Thanks for reading this post.

CodePudding user response:

The ECS integration with Secrets Manager happens at the time ECS is deploying your container. ECS will lookup those secrets, and inject them into the container as environment variables. ECS doesn't have any third-party secrets lookup support, it only supports AWS Secrets Manager and AWS Parameter Store.

Baking secrets into the images at build time seems very wrong. It would lock your images to a specific environment, and force you to create new images each time a secret changes. It also means your docker image now needs to be stored somewhere that is just as secure as your HashiCorp Vault server.

The recommended method for integrating HashiCorp Vault with AWS ECS is to add a sidecar container to your ECS task definition, that looks up the secrets in the Vault at task startup, and makes those secrets available to your other containers in the task. This is documented here.

However, in that official solution, they are using a shared EFS volume for some reason. That seems extremely wrong to me, as it means multiple instances of your ECS task would be stepping on each other writing to the same EFS volume, and there's no need for those secrets to be written to a persistent volume outside of the containers anyway. I would modify that solution to simply write the Vault secrets to a ephemeral volume shared between the containers in the ECS task.


Alternatively, just modify the startup script in your docker image, to first connect to your Vault to download the secrets and make them available in the container, before starting your application.

  • Related