AWS Batch CDK: How to pass container secrets?

0

AWS CDK released a breaking change last week that affects users of the aws_batch_alpha module. Previous to that change the module allowed passing secrets to containers as follows:

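import aws_cdk.aws_batch_alpha as batch
from aws_cdk import aws_ecs as ecs, aws_secretsmanager as secretsmanager

# Inside a Stack or Construct, where `self` is the scope
db_secret = secretsmanager.Secret(self, "secret")

batch.JobDefinition(self, "batch-job-def-secrets",
    container=batch.JobDefinitionContainer(
        image=ecs.EcrImage.from_registry("docker/whalesay"),
        # Environment variable name -> Secrets Manager field
        secrets={
            "PASSWORD": ecs.Secret.from_secrets_manager(db_secret, "password")
        }
    )
)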

This no longer works. I suppose now secrets need to be set via EcsEc2ContainerDefinition & co. I have tried a few things but have not found a way to do what the example above does. Could someone provide an example that works with the new AWS Batch CDK API?

1 Answer
0

It looks like the primary change here was to split the resource types into separate ECS and EKS types.

So, instead of batch.JobDefinition, there's batch.EcsJobDefinition [1], along with batch.MultiNodeJobDefinition [2], as well as an EKS equivalent. Either of these types will accept a container parameter of the type batch.EcsEc2ContainerDefinition [3]. In turn, the container definition will accept a secrets parameter [4], which should work with the same ecs.Secret.from_secrets_manager call you currently have.

Keep in mind that this is untested, but I believe your code should look something like this:

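import aws_cdk.aws_batch_alpha as batch
from aws_cdk import aws_ecs as ecs, aws_secretsmanager as secretsmanager

# Inside a Stack or Construct, where `self` is the scope
db_secret = secretsmanager.Secret(self, "secret")

batch.EcsJobDefinition(self, "batch-job-def-secrets",
    container=batch.EcsEc2ContainerDefinition(
        image=ecs.EcrImage.from_registry("docker/whalesay"),
        secrets={
            "PASSWORD": ecs.Secret.from_secrets_manager(db_secret, "password")
        }
    )
)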

There may be some additional minor changes needed that I'm overlooking, but it does look like these new types mostly align with the previous ones for what parameters they expect. Overall though, it looks to me like a matter of simply using EcsJobDefinition in place of JobDefinition, and EcsEc2ContainerDefinition in place of JobDefinitionContainer.

[1] https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_batch_alpha/EcsJobDefinition.html
[2] https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_batch_alpha/MultiNodeJobDefinition.html
[3] https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_batch_alpha/EcsEc2ContainerDefinition.html
[4] https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_secretsmanager/ISecret.html

AWS
SUPPORT ENGINEER
Wayne_G
answered a year ago
  • Thanks, Wayne.

    Like you, I was expecting that the example would carry over to the new API in a straightforward way. But it does not carry over: the type for secrets in EcsEc2ContainerDefinition is Sequence, not Dict, so we cannot specify variable names like PASSWORD to map secrets to environment variables in a docker container. Hence my post.
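
Whatever shape the construct's secrets parameter takes, the synthesized CloudFormation template shows whether a variable such as PASSWORD reaches the container as a Secrets Manager reference (the `Secrets` list of `ContainerProperties`) or as a plaintext `Environment` entry. The check below is an added example, not code from this thread or from the CDK project. The sample template, its logical IDs and the function names are constructed for illustration, and it covers single-container job definitions only.

```python
import json

# Constructed sample in the shape of a synthesized AWS::Batch::JobDefinition.
# Logical IDs and the DB_USER value are made up for illustration.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "secretA1B2": {"Type": "AWS::SecretsManager::Secret", "Properties": {}},
    "batchjobdefsecrets": {
      "Type": "AWS::Batch::JobDefinition",
      "Properties": {
        "Type": "container",
        "ContainerProperties": {
          "Image": "docker/whalesay",
          "Environment": [{"Name": "DB_USER", "Value": "app"}],
          "Secrets": [
            {"Name": "PASSWORD",
             "ValueFrom": {"Fn::Join": ["", [{"Ref": "secretA1B2"}, ":password::"]]}}
          ]
        }
      }
    }
  }
}
""")

def container_env_sources(template):
    """Map each job definition's logical ID to its secret and plaintext variables."""
    report = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Batch::JobDefinition":
            continue
        props = res.get("Properties", {}).get("ContainerProperties", {})
        report[logical_id] = {
            "secrets": {s["Name"]: s["ValueFrom"] for s in props.get("Secrets", [])},
            "plaintext": {e["Name"]: e.get("Value") for e in props.get("Environment", [])},
        }
    return report

def missing_secret_vars(template, required):
    """Return {logical_id: [names]} for required variables not wired as secrets."""
    out = {}
    for logical_id, src in container_env_sources(template).items():
        missing = sorted(n for n in required if n not in src["secrets"])
        if missing:
            out[logical_id] = missing
    return out
```

Run it against the JSON template that `cdk synth` writes for the stack to confirm that each required variable name appears under `Secrets` before deploying.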
