brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-15 08:14:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(aws/ecs): populate environment variables from secret manager secrets

Browse Source
This commit is contained in:
Michele Cereda
2025-11-21 23:05:00 +01:00
parent 2165853277
commit febb2695f8
3 changed files with 277 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
knowledge base/cloud computing/aws/ecs.md
View File

@@ -62,6 +62,9 @@ By default, containers behave like other Linux processes with respect to access
Unless explicitly protected and guaranteed, all containers running on the same host share CPU, memory, and other
resources much like normal processes running on that host share those very same resources.
Specify the _execution role_ to allow ECS components to call AWS services when starting tasks.<br/>
Specify the _task role_ to allow the app running in a task to call AWS services.
<details>
<summary>Usage</summary>
@@ -172,6 +175,57 @@ Whatever the [launch type] or [capacity provider][capacity providers]:
> [!important]
> Task definition's parameters differ depending on the launch type.
Specifying the _Execution Role_ in a task definition grants that IAM Role's permissions **to the ECS container
agent**, allowing it to call AWS when starting tasks.<br/>
This is required when ECS (and **not** the app in the task's container) needs to make calls to, i.e., read a value from
Secrets Manager.<br/>
This IAM Role must allow `ecs.amazonaws.com` to assume it.
<details style='padding: 0 0 1rem 1rem'>
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowECSToAssumeThisVeryRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
</details>
Specifying the _Task Role_ in a task definition grants that IAM Role's permissions **to the task's container**.<br/>
This is required when the app in the task's container (and **not** ECS) needs to make calls to, i.e., recover a file
from S3.<br/>
This IAM Role must allow `ecs-tasks.amazonaws.com` to assume it.
<details style='padding: 0 0 1rem 1rem'>
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowECSTasksToAssumeThisVeryRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
</details>
## Standalone tasks
Refer [Amazon ECS standalone tasks].
@@ -1527,6 +1581,8 @@ Options:
- [Pass Secrets Manager secrets through Amazon ECS environment variables].
Use Secrets Manager in environment variables
When setting environment variables to secrets from Secrets Manager, it is the **execution** role (and **not** the task
role) that must have the permissions required to access them.