使用 AWS SSM Parameter Store 的 SSL 证书

Question

I am trying to pass in SSL certificate to AWS SSM parameter store the SSL certificate is password protected as well

my question is how do i retrieve this as a certificate file inside the containers in ECS? I do know how to use SSM parameter store to store secret environment variables BUT how do i use it to create a secret file to a location on containers? We have a string and a file here, how does SSM manage files?

Thanks

Answer 1

I'm not aware of a way to create a file from SSM, but I expect your ENTRYPOINT in the Docker container could handle this logic

Task Definition Snippet

{
  "containerDefinitions": [{
    "secrets": [{
      "name": "MY_SSM_CERT_FILE",
      "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:MY_SSM_CERT_FILE"
    },
    {
      "name": "MY_SSM_CERT_FILE_LOCATION",
      "valueFrom": "arn:aws:secretsmanager:region:aws_account_id:secret:MY_SSM_CERT_FILE_LOCATION"
    }]
  }]
}

entrypoint.sh

echo "$MY_SSM_CERT_FILE" >> $MY_SSM_CERT_FILE_LOCATION
// Run rest of the logic for application

Dockerfile

FROM ubuntu:16.04

COPY ./entrypoint.sh .entrypoint.sh

ENTRYPOINT ["./entrypoint.sh"]

Answer 2

Why don't you use AWS Secret Manager which can complement AWS SSM? I think secrets manager supports secrets file:

$ aws secretsmanager create-secret --name TestSecret --secret-string file://secret.txt       # The Secrets Manager command takes the --secret-string parameter from the contents of the file

see this link for further information: https://docs.aws.amazon.com/secretsmanager/latest/userguide/best-practices.html

The link below shows how you can integrate Secrets manager with SSM https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-ps-secretsmanager.html

Hope this helps