1

I am trying to pass an SSL certificate to the AWS SSM Parameter Store; the SSL certificate is password protected as well.

My question is: how do I retrieve this as a certificate file inside the containers in ECS? I do know how to use SSM Parameter Store to store secret environment variables, BUT how do I use it to create a secret file at a location on the containers? We have a string and a file here; how does SSM manage files?

Thanks

uberrebu
  • 3,597
  • 9
  • 38
  • 73
  • Parameter Store isn't a file storage mechanism. You could store the cert in S3 and store an S3 URI in Parameter Store. Or you could perhaps export the cert in some text format (maybe base64-encoded?) and store that in Parameter Store. You should also understand what options ACM has that might help you generate and rotate certs, perhaps deployed on ALB/NLB, if that's acceptable. – jarmod Dec 05 '19 at 17:33

2 Answers

1

I'm not aware of a way to create a file from SSM, but I expect your ENTRYPOINT in the Docker container could handle this logic.

Task Definition Snippet

{
  "containerDefinitions": [{
    "secrets": [{
      "name": "MY_SSM_CERT_FILE",
      "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:MY_SSM_CERT_FILE"
    },
    {
      "name": "MY_SSM_CERT_FILE_LOCATION",
      "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:MY_SSM_CERT_FILE_LOCATION"
    }]
  }]
}

entrypoint.sh

#!/bin/sh
echo "$MY_SSM_CERT_FILE" >> "$MY_SSM_CERT_FILE_LOCATION"
# Run rest of the logic for application (hand off to the real process)
exec "$@"

Dockerfile

FROM ubuntu:16.04

# copy the entrypoint into the image and make sure it is executable
COPY ./entrypoint.sh ./entrypoint.sh
RUN chmod +x ./entrypoint.sh

ENTRYPOINT ["./entrypoint.sh"]
DanielC
  • 921
  • 7
  • 12
  • Is the `entrypoint.sh` script the only way to go with this? Any other way? Can the container pull the secret as a file any other way? – uberrebu Dec 05 '19 at 17:41
  • You could use something like EFS to store the files you want, then mount them when the container launches. But I think that'd be more orchestration. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_efs.html – DanielC Dec 05 '19 at 17:52
  • Otherwise, extend your deployment pipeline. Create a golden image which already has the cert on it, and uses SSM to add the cert. Then downstream images won't need to manage it at all – DanielC Dec 05 '19 at 17:53
  • I see, yeah this seems like what I wanted. Will mark as answer as soon as I try this and it works. Thanks for taking the time – uberrebu Dec 05 '19 at 17:53
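The entrypoint approach above, written out as a fuller example. This is an added illustration, not code from the answer or from AWS: it assumes the certificate was stored base64-encoded in Parameter Store or Secrets Manager (as jarmod suggests in the comments), so that the PEM newlines survive the trip through an environment variable, and it assumes the hypothetical variable names MY_SSM_CERT_FILE and MY_SSM_CERT_FILE_LOCATION from the task definition. The demo certificate value is a constructed placeholder, not a real certificate. The function writes the file with mode 0600, checks that the result looks like PEM, and the script removes the secret from the environment before handing off to the application.

```shell
#!/bin/sh
# Added example (not from the original answer): materialise a secret that ECS
# injected as an environment variable into a file with restrictive permissions,
# then hand off to the application process.
set -eu

# write_secret_file VAR_NAME DEST_PATH
# Base64-decodes the value of the variable named VAR_NAME into DEST_PATH,
# creating the parent directory and restricting the file to the owner (0600).
write_secret_file() {
    var_name="$1"
    dest="$2"
    # indirect lookup of the variable named in $1 (POSIX sh, no bash-isms)
    value=$(eval "printf '%s' \"\${$var_name:-}\"")
    if [ -z "$value" ]; then
        echo "write_secret_file: $var_name is not set or empty" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dest")"
    # umask in a subshell so only this file is created as 0600
    (umask 077 && printf '%s' "$value" | base64 -d > "$dest") || return 1
    # sanity check: a PEM certificate carries a BEGIN CERTIFICATE header
    if ! grep -q 'BEGIN CERTIFICATE' "$dest"; then
        echo "write_secret_file: $dest does not look like a PEM certificate" >&2
        return 1
    fi
    return 0
}

# file_mode PATH -> octal mode such as 600 (GNU stat, with BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed demo value: a placeholder PEM body (not a real certificate),
# base64-encoded the way the secret would be stored in Parameter Store.
DEMO_CERT_B64=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'PLACEHOLDERCERTDATA' '-----END CERTIFICATE-----' | base64 | tr -d '\n')

main() {
    # fall back to the constructed demo values when run outside ECS
    MY_SSM_CERT_FILE="${MY_SSM_CERT_FILE:-$DEMO_CERT_B64}"
    MY_SSM_CERT_FILE_LOCATION="${MY_SSM_CERT_FILE_LOCATION:-/tmp/demo/certs/server.pem}"
    write_secret_file MY_SSM_CERT_FILE "$MY_SSM_CERT_FILE_LOCATION"
    # the secret now lives on disk; drop it from the environment so the
    # application and its children cannot read it from there
    unset MY_SSM_CERT_FILE
    echo "wrote $MY_SSM_CERT_FILE_LOCATION (mode $(file_mode "$MY_SSM_CERT_FILE_LOCATION"))"
    # exec "$@"   # uncomment in a real entrypoint to hand off to the application
}

main "$@"
```

In a real entrypoint the `exec "$@"` line replaces the shell with the application, and the task definition's `command` supplies the arguments. Keeping the decoded certificate out of the environment matters because anything that dumps `environ` (crash reporters, `ps`-style tooling, debug endpoints) would otherwise expose it.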
0

Why don't you use AWS Secrets Manager, which can complement AWS SSM? I think Secrets Manager supports loading a secret from a file:

$ aws secretsmanager create-secret --name TestSecret --secret-string file://secret.txt       # The Secrets Manager command takes the --secret-string parameter from the contents of the file

See this link for further information: https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html

The link below shows how you can integrate Secrets Manager with SSM: https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-ps-secretsmanager.html

Hope this helps

Parth Mehta
  • 1,869
  • 5
  • 15