(aws-ecs): pass a secret to ContainerImage's buildArgs
Currently it is possible to pass only strings to ContainerImage's buildArgs.
Feature request: add an option to pass a secret to ContainerImage. This parameter can be called buildArgsSecrets or secrets, as for QueueProcessingFargateService.
Use Case
I need to create a .ssh key on the machine at build time.
Proposed Solution
    const image = ContainerImage.fromAsset('../project-processor', {
      buildArgsSecrets: {
        GIT_SSH_KEY: EcsSecret.fromSecretsManager(secret, 'gitSshKey'),
      },
    });

    const service = new QueueProcessingFargateService(this, 'QueueProcessingFargateService', {
      cluster,
      queue,
      image,
      secrets: {
        BOT_TOKEN: EcsSecret.fromSecretsManager(secret, 'botToken'),
      },
    });
Dockerfile:

    ARG GIT_SSH_KEY
    # /root/.ssh may not exist in the base image, and ssh rejects keys that are group/world readable
    RUN mkdir -p /root/.ssh \
     && echo "${GIT_SSH_KEY}" > /root/.ssh/git_user_key \
     && chmod 600 /root/.ssh/git_user_key
This is a 🚀 Feature Request
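To make the risk behind this request concrete, here is a small audit script added by the editor; it is not part of the issue or of aws-cdk. Docker records the build args a RUN step used in that layer's history, so a key passed through buildArgs is readable by anyone who can pull the image. The history lines below are constructed, and the file name audit_history.py is assumed.

```python
"""Audit `docker history` output for build-arg values baked into image layers."""
import re
import sys

# Both the classic builder and BuildKit record the build args a RUN step used
# in that layer's CreatedBy string: "[RUN ]|<n> KEY=value ... /bin/sh -c <cmd>".
# Anyone who can pull the image can read them, so an ARG is never a secret.
RUN_WITH_ARGS = re.compile(r"^(?:RUN )?\|(\d+) (.*?) /bin/sh -c ")
SECRET_LIKE = re.compile(r"key|token|secret|passw|credential", re.I)

# Constructed sample of `docker history --no-trunc --format '{{.CreatedBy}}'`
# for the issue's Dockerfile built with --build-arg GIT_SSH_KEY=...; the key
# material is a placeholder string, not a real key.
SAMPLE_HISTORY = [
    '/bin/sh -c #(nop)  CMD ["/bin/sh"]',
    "/bin/sh -c #(nop)  ARG GIT_SSH_KEY",
    '|1 GIT_SSH_KEY=FAKE_KEY_MATERIAL_NOT_REAL /bin/sh -c echo "${GIT_SSH_KEY}" > /root/.ssh/git_user_key',
    "|2 GIT_SSH_KEY=FAKE_KEY_MATERIAL_NOT_REAL NPM_REGISTRY=https://registry.example /bin/sh -c npm ci",
]


def find_leaked_build_args(created_by_lines):
    """Return {arg_name: value} for every build-arg value visible in layer history."""
    leaked = {}
    for line in created_by_lines:
        m = RUN_WITH_ARGS.match(line.strip())
        if not m:
            continue
        count, blob = int(m.group(1)), m.group(2)
        # docker lists <count> KEY=value pairs before the shell command;
        # splitting on spaces is exact as long as the values contain none
        for token in blob.split(" ")[:count]:
            name, _, value = token.partition("=")
            leaked[name] = value
    return leaked


def secret_like_names(leaked):
    """Leaked arg names whose spelling suggests credentials, sorted."""
    return sorted(name for name in leaked if SECRET_LIKE.search(name))


if __name__ == "__main__":
    # Usage: docker history --no-trunc --format '{{.CreatedBy}}' IMAGE | python3 audit_history.py
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_HISTORY
    found = find_leaked_build_args(lines)
    for name, value in sorted(found.items()):
        flag = "  <-- looks like a credential" if SECRET_LIKE.search(name) else ""
        print(f"{name}: {len(value)}-char value baked into image history{flag}")
```

Run against a real image, it reports only the length of each leaked value rather than the value itself, so the audit output can be shared without repeating the leak.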
Issue Analytics
- Created 2 years ago
- Reactions: 49
- Comments: 9 (2 by maintainers)
Top GitHub Comments
We also have a need for this. I originally opened https://github.com/aws/aws-cdk/issues/11623, which was closed as a duplicate of https://github.com/aws/aws-cdk/issues/10999, which is marked as resolved, but I think the implementation is still missing.
This is a very essential step for most of our Docker builds where we need to fetch/authenticate to internal repositories.
We also have a similar need where we need to have secrets injected via buildArgs (specifically, Artifactory credentials). The suggestions here are viable and would work for us as well. One other thought: could the buildArgs value be optional? Something like:
If the value is undefined, CDK could pass the build args to the docker build command without those values, and rely on the local environment (see https://docs.docker.com/engine/reference/commandline/build/#set-build-time-variables---build-arg). This would allow folks to define and/or set those values on their continuous integration as environment variables, but not end up exposing/storing them in the cdk synth output.