Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add AWS Secret manager integration to Container Definition #12

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add AWS Secret manager integration to Container Definition #12

wants to merge 1 commit into from

Conversation

luiseterc
Copy link

@luiseterc luiseterc commented Aug 4, 2021
edited
Loading

This PR enables a Elastic Profile agent configuration to integrate with the AWS Secrets Manager by adding three new fields to the profile template:

  • Secret name: The environment variable where the Secret value will be assigned to and accesible from the ECS task
  • Secret value (valueFrom): The secret to expose to the container. The supported values are either the full ARN of the AWS Secrets Manager secret or the full ARN of the parameter in the AWS Systems Manager Parameter Store.
  • Execution Role ARN: The Amazon Resource Name (ARN) of the task execution role that grants the Amazon ECS container agent permission to make AWS API calls on your behalf.

If all these variables are set and not blank, the following JSON key is added to the ContainerDefinition:

{ "containerDefinitions": [{ "secrets": [{ "name": "environment_variable_name", "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:secret_name-AbCdEf" }] }] }

So far only the "referencing a full secret" use case is implemented as described in https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-secrets.html. Some work still needed to support other use cases such as referencing a specific key within a secret.

Tested successfully on a real production GoCD environment.

@ghost
Copy link

ghost commented Aug 4, 2021
edited by ghost
Loading

CLA assistant check
All committers have signed the CLA.

@luiseterc
Copy link
Author

Any plans to merge this PR or is that already supported on most recent versions?

@chadlwilson
Copy link
Member

Unfortunately there are few folks in a position to review PRs right now, or in a position to test/validate them and make a call on whether they make sense for the plugins.

Personally, I'm not quite sure what the role of this is, compared to https://github.com/gocd/gocd-aws-based-secrets-plugin - what does this allow you to achieve which you can't do by allowing the GoCD server to retrieve secrets and distribute them to relevant build jobs running on an agent on your behalf? Is it just an alternative which doesn't involve the server needing direct access to secrets?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@luiseterc @chadlwilson