
ECS with Docker Compose environment variables

I'm deploying to ECS with the Docker Compose API; however, I'm sort of confused about environment variables.

Right now my docker-compose.yml looks like this:

version: "3.8"

services:
  simple-http:
    image: "${IMAGE}"
    secrets:
      - message

secrets:
  message:
    name: "arn:aws:ssm:<AWS_REGION>:<AWS_ACCOUNT_ID>:parameter/test-env"
    external: true

Now in my Container Definitions, I get a Simplehttp_Secrets_InitContainer that references this environment variable as message and with the correct ARN, but there is no variable named message inside my running container.

I'm a little confused, as I thought this was the correct way of passing env's such as DB-passwords, AWS credentials, and so forth.

In the docs we see:

services:
  test:
    image: "image"
    environment:
      - "FOO=BAR"

But is this the right and secure way of doing this? Am I missing something?

I haven't played much with secrets in this ECS/Docker integration, but there are a couple of things that don't add up between your understanding and the docs. First, the integration seems to be working with Secrets Manager and not SSM. Second, according to the doc, the content won't be available as a variable but rather as a flat file at runtime at /run/secrets/message (in your example).

Check out this page for the fine details: https://docs.docker.com/cloud/ecs-integration/#secrets
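
Since the secret arrives as a file under /run/secrets rather than as an environment variable, an image whose application only reads environment variables needs an entrypoint step that loads the file. The following is an added example, not code from the original post or the Docker docs; the function names `read_secret` and `export_secret`, the `SECRETS_DIR` override and the `MESSAGE` variable are hypothetical.

```shell
#!/bin/sh
# Entrypoint helper (added example, hypothetical names).
# SECRETS_DIR defaults to /run/secrets, the mount point named in the answer;
# the override exists only so the helper can be exercised outside a container.
SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# read_secret NAME: print the secret's value on stdout.
# Returns 2 for an unsafe name, 1 if the file is missing, unreadable or empty.
read_secret() {
    name="$1"
    # Reject empty names, path separators and dot-prefixed names so the
    # lookup cannot leave the secrets directory.
    case "$name" in
        ""|*/*|.*) echo "invalid secret name" >&2; return 2 ;;
    esac
    file="$SECRETS_DIR/$name"
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "secret '$name' not found at $file" >&2
        return 1
    fi
    # Command substitution strips the trailing newline most tools append.
    value="$(cat "$file")"
    if [ -z "$value" ]; then
        echo "secret '$name' is empty" >&2
        return 1
    fi
    printf '%s' "$value"
}

# export_secret VAR NAME: export VAR with the content of secret NAME,
# failing closed (no export) if the secret cannot be read.
export_secret() {
    var="$1"
    # Only accept a valid shell identifier as the variable name.
    case "$var" in
        ""|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid variable name" >&2; return 2 ;;
    esac
    val="$(read_secret "$2")" || return $?
    export "$var=$val"
}

# Typical use at the end of an entrypoint script:
#   export_secret MESSAGE message || exit 1
#   exec "$@"
```

Exporting copies the secret into the process environment, which child processes inherit; an application that can read /run/secrets/message itself should do that and skip the export.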
