Use secrets from secrets manager

Secrets stored in Secrets Manager can be passed to the container instead of regular environment variables. The benefit is that their values don't show up in plain text on the AWS dashboard, where a normal environment variable is displayed verbatim in the task definition.

from aws_cdk import aws_ecs as ecs
from aws_cdk import aws_secretsmanager as sm

# Reference an existing Secrets Manager secret by name (this runs inside a Stack, hence `self`).
secret = sm.Secret.from_secret_name_v2(
    self, id="secret-1", secret_name="super-secret-secret"
)

# `worker_definition` is the ECS task definition created earlier in the stack.
worker_definition.add_container(
    "worker-container",
    image=ecs.ContainerImage.from_asset(directory="./api/project"),
    cpu=256,
    memory_limit_mib=512,
    port_mappings=[
        ecs.PortMapping(
            container_port=80, host_port=80, protocol=ecs.Protocol.TCP
        )
    ],
    # Injected by ECS at task start; the value is never written into the task definition.
    secrets={
        "SECRET_FROM_SM": ecs.Secret.from_secrets_manager(secret),
    },
    # Plain environment variables are stored, and displayed, as literal text.
    environment={
        "ENV_VAR_ONE": "this will show up on the dashboard",
    },
    logging=ecs.AwsLogDriver(stream_prefix="worker"),
)

To use these secrets as regular environment variables, we'd have to call their .secret_value.to_string() method. The plaintext still won't appear in the CloudFormation template (it is emitted as a dynamic reference that is resolved at deploy time), but the resolved value will show up as an ordinary environment variable on the dashboard.

environment={
    "ENV_VAR_ONE": "env var unprotected",
    "ENV_VAR_TWO": secret.secret_value.to_string(),
}
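As an added example (not part of the original page), the following script audits a synthesized CloudFormation template for the three cases described above: variables passed via `Secrets`, variables carrying a `{{resolve:...}}` dynamic reference (kept out of the template but visible in the console), and credential-looking names set as literal `Environment` values. The template, the account id and the secret ARN are constructed sample data; the resource shape (`AWS::ECS::TaskDefinition` with `Secrets`/`ValueFrom` and `Environment`) is the real CloudFormation schema.

```python
import json
import re

# Constructed sample of a synthesized template (not a real deployment). The first container
# uses `Secrets` plus a dynamic reference; the second leaks a credential through `Environment`.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "WorkerTaskDef": {
            "Type": "AWS::ECS::TaskDefinition",
            "Properties": {"ContainerDefinitions": [
                {"Name": "worker-container",
                 "Secrets": [{"Name": "SECRET_FROM_SM",
                              "ValueFrom": "arn:aws:secretsmanager:us-east-1:111111111111:"
                                           "secret:super-secret-secret-AbCdEf"}],
                 "Environment": [
                     {"Name": "ENV_VAR_ONE", "Value": "this will show up on the dashboard"},
                     {"Name": "ENV_VAR_TWO",
                      "Value": "{{resolve:secretsmanager:super-secret-secret:SecretString:::}}"}]},
                {"Name": "sidecar",
                 "Environment": [{"Name": "DB_PASSWORD", "Value": "hunter2"}]}]}}}})

DYNAMIC_REF = re.compile(r"\{\{resolve:(secretsmanager|ssm-secure):")
SENSITIVE_NAME = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)


def audit_task_definitions(template_json: str) -> dict:
    """Classify container variables as 'secret' (Secrets/ValueFrom: value never stored in the
    task definition), 'dynamic_ref' (plaintext absent from the template, but the resolved value
    is displayed as a normal env var), or 'plaintext_sensitive' (literal value in both)."""
    findings = {"secret": [], "dynamic_ref": [], "plaintext_sensitive": []}
    for res in json.loads(template_json).get("Resources", {}).values():
        if res.get("Type") != "AWS::ECS::TaskDefinition":
            continue
        for cdef in res["Properties"].get("ContainerDefinitions", []):
            cname = cdef.get("Name", "?")
            for s in cdef.get("Secrets", []):
                findings["secret"].append(f"{cname}:{s['Name']}")
            for env in cdef.get("Environment", []):
                # CDK may emit the value as an Fn::Join object; flatten it so the
                # {{resolve:...}} marker is found either way.
                value = json.dumps(env.get("Value", ""))
                if DYNAMIC_REF.search(value):
                    findings["dynamic_ref"].append(f"{cname}:{env['Name']}")
                elif SENSITIVE_NAME.search(env["Name"]):
                    findings["plaintext_sensitive"].append(f"{cname}:{env['Name']}")
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_task_definitions(SAMPLE_TEMPLATE), indent=2))
```

Run it against the output of `cdk synth` to catch credentials that were added with `environment=` instead of `secrets=` before they reach the console.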