Options for injecting RDS IAM auth secrets into a container on ECS?

0

I have an application image that is distributed by a vendor, and I cannot modify it. The image relies on having the database password in the environment (e.g. DBPASSWORD).

I want to use RDS IAM auth, which, of course, requires the temporary password to be generated using AWS API.

I can think of two options, but both seem to be hackish and I was wondering if there are better, more native options available for this.

  1. Use a sidecar container that runs before the app container and generates the password and injects it somehow, e.g. using a shared file.
  2. Same as (1), using a sidecar, but before exiting it saves the password in a Secrets Manager secret, which the app container then reads natively. For this one, though, I am not sure at which point the secrets are read: JIT when the container runs, or at the start of the entire task, in which case the app will get a stale secret, of course.
1 Answer
0

Hello,

The option is to use AWS Secrets Manager for secure secret management in ECS, and avoid hardcoding secrets in container images.

  • Store sensitive information like database credentials in AWS Secrets Manager.

  • Inject secrets as environment variables into your ECS task definition.

  • This ensures security, flexibility, and prevents accidental exposure of sensitive data.

Refer to the documentation: https://repost.aws/knowledge-center/ecs-data-security-container-task

EXPERT
answered 2 months ago
