将AWS凭证存储在ECS服务中的位置

Question

I have an ECS service, which requires AWS credentials. I use ECR to store docker images and jenkins visible only for VPN connections to build images.

I see 2 possibilities to provide AWS credentials to the service

1. Store them as Jenkins secret and insert into the docker image during build
2. Make them a part of the environment when creating ECS Task definition

What is more secure? Are there other possibilities?

Answer 1

First thing, You should not use AWS credentials while working inside AWS, you should assign the role to Task definition or services instead of passing the credentials to docker build or task definition.

With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task. Applications must sign their AWS API requests with AWS credentials, and this feature provides a strategy for managing credentials for your applications to use, similar to the way that Amazon EC2 instance profiles provide credentials to EC2 instances

So sometimes the underlying application is not designed in a way that can use role so in this I will recommend storing ENV in the task definition but again from where to get the value of ENV?

Task definition support two methods to deal with ENV,

• Plain text as direct value
• Use 'valueFrom' attribute for ECS task definition

The following is a snippet of a task definition showing the format when referencing an Systems Manager Parameter Store parameter .

{
  "containerDefinitions": [{
    "secrets": [{
      "name": "environment_variable_name",
      "valueFrom": "arn:aws:ssm:region:aws_account_id:parameter/parameter_name"
    }]
  }]
}

This is the most secure and recommended method by AWS documentation so this is the better way as compared to ENV in plain text inside Task definition or ENV in Dockerfile.

You can read more here and systems-manager-parameter-store .

But to use these you will must provide permission to task definition to access systems-manager-parameter-store.