AWS Batch CDK: How to pass container secrets?

0

AWS CDK released a breaking change last week that affects users of the aws_batch_alpha module. Before that change the module allowed passing secrets to containers as follows:

# Imports for the snippet (the code runs inside a Stack, hence `self`)
from aws_cdk import aws_ecs as ecs, aws_secretsmanager as secretsmanager
from aws_cdk import aws_batch_alpha as batch

db_secret = secretsmanager.Secret(self, "secret")

batch.JobDefinition(self, "batch-job-def-secrets",
    container=batch.JobDefinitionContainer(
        image=ecs.EcrImage.from_registry("docker/whalesay"),
        secrets={
            # maps the "password" JSON field of the secret to env var PASSWORD
            "PASSWORD": ecs.Secret.from_secrets_manager(db_secret, "password")
        }
    )
)

This no longer works. I suppose now secrets need to be set via EcsEc2ContainerDefinition & co. I have tried a few things but have not found a way to do what the example above does. Could someone provide an example that works with the new AWS Batch CDK API?

1 answer
0

It looks like the primary change here was to split the resource types into separate ECS and EKS types.

So, instead of batch.JobDefinition, there's batch.EcsJobDefinition [1], along with batch.MultiNodeJobDefinition [2], as well as an EKS equivalent. Either of these types will accept a container parameter of the type batch.EcsEc2ContainerDefinition [3]. In turn, the container definition will accept a secrets parameter [4], which should work with the same ecs.Secret.from_secrets_manager call you currently have.

Keep in mind that this is untested, but I believe your code should look something like this:

# Imports for the snippet (the code runs inside a Stack, hence `self`)
from aws_cdk import aws_ecs as ecs, aws_secretsmanager as secretsmanager
from aws_cdk import aws_batch_alpha as batch

db_secret = secretsmanager.Secret(self, "secret")

batch.EcsJobDefinition(self, "batch-job-def-secrets",
    container=batch.EcsEc2ContainerDefinition(
        image=ecs.EcrImage.from_registry("docker/whalesay"),
        secrets={
            # maps the "password" JSON field of the secret to env var PASSWORD
            "PASSWORD": ecs.Secret.from_secrets_manager(db_secret, "password")
        }
    )
)

There may be some additional minor changes needed that I'm overlooking, but it does look like these new types mostly align with the previous ones for what parameters they expect. Overall though, it looks to me like a matter of simply using EcsJobDefinition in place of JobDefinition, and EcsEc2ContainerDefinition in place of JobDefinitionContainer.

[1] https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_batch_alpha/EcsJobDefinition.html
[2] https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_batch_alpha/MultiNodeJobDefinition.html
[3] https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_batch_alpha/EcsEc2ContainerDefinition.html
[4] https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_secretsmanager/ISecret.html

AWS
Support Engineer
Wayne_G
answered 1 year ago
  • Thanks, Wayne.

    Like you, I was expecting that the example would carry over to the new API in a straightforward way. But it does not carry over: the type for secrets in EcsEc2ContainerDefinition is Sequence, not Dict, so we cannot specify variable names like PASSWORD to map secrets to environment variables in a docker container. Hence my post.
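Whichever construct the alpha module exposes at a given version, the CDK `secrets` mapping is synthesized into the `Secrets` list of the CloudFormation `AWS::Batch::JobDefinition` ContainerProperties (`Name`/`ValueFrom` pairs, fetched by the agent at run time via the execution role), which is the layer worth checking after `cdk synth`. The following is an added example, not code from the question, from Wayne's answer or from the CDK project: it mirrors the `ValueFrom` form that `ecs.Secret.from_secrets_manager(secret, "password")` emits and audits a synthesized template for credentials that were inlined into plain `Environment` instead. The template, ARNs and role names are constructed sample values, and the sensitive-name pattern is a heuristic to tune per stack.

```python
"""Audit what an AWS Batch job definition actually does with secrets.

Added example for the thread above (not from the original post or the CDK
project). The CDK `secrets` mapping becomes the ContainerProperties `Secrets`
list, one {"Name": <env var>, "ValueFrom": <Secrets Manager or SSM ARN>} entry
per variable; plain `Environment` entries are stored in clear text in the job
definition. This script builds the secure shape and checks a template for
the insecure one. Sample template and ARNs are constructed values.
"""
import json
import re
from typing import Dict, List, Mapping, Optional, Tuple

# Heuristic for variable names that usually hold credentials (constructed; tune per stack).
SENSITIVE_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
# Secrets Manager secret ARN or SSM parameter ARN; anything else is not fetchable as a secret.
SECRET_ARN = re.compile(
    r"^arn:aws[a-z-]*:(secretsmanager:[a-z0-9-]+:\d{12}:secret:[^:]+"
    r"|ssm:[a-z0-9-]+:\d{12}:parameter/.+)"
)


def secrets_manager_value_from(secret_arn: str, json_field: Optional[str] = None) -> str:
    """ValueFrom for a Secrets Manager secret. Selecting one JSON key appends
    ':<field>::' (json-key, version-stage, version-id), the same string
    ecs.Secret.from_secrets_manager(secret, field) produces."""
    if json_field is None:
        return secret_arn
    return f"{secret_arn}:{json_field}::"


def container_properties(image: str, secrets: Mapping[str, Tuple[str, Optional[str]]],
                         execution_role_arn: str) -> dict:
    """Render ContainerProperties whose credentials are injected at run time, never inlined.
    `secrets` maps env var name -> (secret ARN, optional JSON field)."""
    return {
        "Image": image,
        # The execution role is what reads the secret; without it the job cannot start.
        "ExecutionRoleArn": execution_role_arn,
        "Secrets": [
            {"Name": name, "ValueFrom": secrets_manager_value_from(arn, field)}
            for name, (arn, field) in sorted(secrets.items())
        ],
    }


def audit_job_definition(props: dict) -> List[str]:
    """Return human-readable findings for one ContainerProperties block."""
    findings: List[str] = []
    for env in props.get("Environment", []):
        if SENSITIVE_NAME.search(str(env.get("Name", ""))):
            findings.append(f"plaintext env var {env['Name']!r} looks like a credential; move it to Secrets")
    secrets = props.get("Secrets", [])
    if secrets and not props.get("ExecutionRoleArn"):
        findings.append("Secrets are set but ExecutionRoleArn is missing; the job cannot fetch them")
    for s in secrets:
        value_from = s.get("ValueFrom", "")
        if isinstance(value_from, dict):
            continue  # CloudFormation intrinsic (Ref / Fn::Join to a Secret resource), resolved at deploy
        if not SECRET_ARN.match(value_from):
            findings.append(f"secret {s.get('Name')!r}: ValueFrom is not a Secrets Manager or SSM ARN")
    return findings


def audit_template(template: dict) -> Dict[str, List[str]]:
    """Run the audit over every AWS::Batch::JobDefinition in a synthesized template."""
    results: Dict[str, List[str]] = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::Batch::JobDefinition":
            props = res.get("Properties", {}).get("ContainerProperties", {})
            results[logical_id] = audit_job_definition(props)
    return results


# Constructed stand-in for `cdk synth` output: one job definition done right, one done wrong.
SAMPLE_TEMPLATE = {
    "Resources": {
        "GoodJobDef": {
            "Type": "AWS::Batch::JobDefinition",
            "Properties": {
                "Type": "container",
                "ContainerProperties": container_properties(
                    "docker/whalesay",
                    {"PASSWORD": ("arn:aws:secretsmanager:us-east-1:123456789012:secret:db-secret-AbCdEf", "password")},
                    "arn:aws:iam::123456789012:role/batch-exec-role",
                ),
            },
        },
        "BadJobDef": {
            "Type": "AWS::Batch::JobDefinition",
            "Properties": {
                "Type": "container",
                "ContainerProperties": {
                    "Image": "docker/whalesay",
                    "Environment": [{"Name": "DB_PASSWORD", "Value": "hunter2"}],
                    "Secrets": [{"Name": "API_TOKEN", "ValueFrom": "not-an-arn"}],
                },
            },
        },
    }
}

if __name__ == "__main__":
    print(json.dumps(audit_template(SAMPLE_TEMPLATE), indent=2))
```

Run it against `cdk.out/<stack>.template.json` by loading that file in place of `SAMPLE_TEMPLATE`; a `ValueFrom` that synthesizes as a `Ref`/`Fn::Join` to a `Secret` construct is accepted as-is, since it only resolves to an ARN at deploy time.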
