How to inject all secrets into an ECS task using CDK

Question

I'm using AWS-CDK to deploy an ECS cluster, and I'd like to add secrets from the Secrets Manager. The secret is a large JSON blob with many key/value pairs. I'm including the secrets in my task definition using the following in my task definition:

secrets: {
  FOO: Secret.fromSecretsManager(mySecret, 'FOO'),
  BAR: Secret.fromSecretsManager(mySecret, 'BAR'),
  BAZ: Secret.fromSecretsManager(mySecret, 'BAZ'),
  ...
}

This works fine, but I have to manually add every single secret key to this task definition, which is starting to get unwieldy.

Is it possible to dynamically inject all key/value pairs that are defined in a given secret?

This is in Typescript, but I suspect the usage of the CDK constructs should be the same across all languages. — calvinyoung, Oct 27 '21 at 04:49

score 1 · Accepted Answer · answered Oct 27 '21 at 10:38

1

CDK doesn't know what fields your secret has, and the task definition has to have each secret specified explicitly.

So your only solution, besides modifying the structure of the Secret (sounds like you could do with multiple secrets), would be to pass the whole JSON string to the container and have it parse it out.

answered Oct 27 '21 at 10:38

gshpychka

8,523
1
11
31

How ? You said what to do, you never said how – Jeremiah Jan 08 '23 at 01:59
1

Not sure I understand the question. If you're asking how to pass the entire secret to the container, it's simply `secrets: { FOO: Secret.fromSecretsManager(mySecret) };` – gshpychka Jan 09 '23 at 12:31
Yes thanks. I later found it also. ```secrets: { SECRET_NAME: ecs.Secret.fromSecretsManager(mySecret, 'SECRET_NAME') }``` – Jeremiah Jan 10 '23 at 14:21
No, your example passes a single JSON field named 'SECRET_NAME', not the entire secret – gshpychka Jan 11 '23 at 15:38

How to inject *all* secrets into an ECS task using CDK

1 Answers1

How to inject all secrets into an ECS task using CDK