
AWS ECS service needs redeployment to read secrets

I know from experience that an ECS service needs redeployment of a new task in order to read an updated secret. I wonder if anyone can point me to the documentation?

You can create the key/value pair in AWS Secrets Manager and reference that secret in the environment variable section of the container definition inside your ECS task, using the ValueFrom option for the key and providing the ARN of the secret definition in Secrets Manager. The secret will be injected into the container as an environment variable when the container starts up, and can be referenced using the container's running process language construct for accessing environment variables. Here is the documentation on that workflow.

Now, if the secret value gets rotated or updated, you must launch a new task. If your task is part of a service, update the service and use the Force new deployment option to force the service to launch a new task.

You can make use of the CloudTrail service to monitor all Secrets Manager related calls. All Secrets Manager actions are logged by CloudTrail, as documented here. For example, calls to the CreateSecret, GetSecretValue and RotateSecret actions generate entries in CloudTrail. You can then create CloudWatch events and alarms to get notifications based on those CloudTrail calls, and then trigger a new deployment using a Lambda function.

Reference: Monitor Secrets Manager secrets
Managing Secrets for Amazon ECS Applications Using Parameter Store and IAM Roles for Tasks
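As an added illustration of the answer above (this is example code, not from the original post or from AWS): the first function builds a container definition that references the secret via `valueFrom` so the value is only resolved at task start, and the second flags running tasks that started before the secret's `LastChangedDate` and therefore still hold the stale value until the service is redeployed. The ARNs, account id, task timestamps and rotation time are all constructed sample values.

```python
# Added example (not from the original answer): build an ECS container
# definition that pulls a secret from Secrets Manager at container start,
# and flag running tasks that started before the secret's last rotation.
from datetime import datetime, timezone
import re

# Shape of a Secrets Manager ARN; account id and secret name below are constructed.
SECRET_ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[\w/+=.@-]+$")


def container_definition(name, image, env_name, secret_arn):
    """Container definition with the secret referenced via valueFrom."""
    if not SECRET_ARN_RE.match(secret_arn):
        raise ValueError(f"not a Secrets Manager ARN: {secret_arn}")
    return {
        "name": name,
        "image": image,
        # The value is fetched when the task starts; nothing is placed in
        # the plaintext "environment" list of the task definition.
        "secrets": [{"name": env_name, "valueFrom": secret_arn}],
    }


def stale_tasks(tasks, secret_last_changed):
    """Return ARNs of tasks that started before the secret was changed.

    `tasks` mimics describe-tasks output (startedAt as aware datetimes);
    `secret_last_changed` mimics describe-secret's LastChangedDate.
    """
    return [t["taskArn"] for t in tasks if t["startedAt"] < secret_last_changed]


# Constructed sample data: two tasks, only one started after the rotation.
ROTATED_AT = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_TASKS = [
    {"taskArn": "arn:aws:ecs:us-east-1:123456789012:task/demo/aaa",
     "startedAt": datetime(2024, 2, 28, 9, 0, tzinfo=timezone.utc)},
    {"taskArn": "arn:aws:ecs:us-east-1:123456789012:task/demo/bbb",
     "startedAt": datetime(2024, 3, 1, 12, 30, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    print(container_definition(
        "web", "example/web:1.0", "DB_PASSWORD",
        "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"))
    for arn in stale_tasks(SAMPLE_TASKS, ROTATED_AT):
        # A stale task means the service needs a forced redeployment, e.g.
        # aws ecs update-service --cluster demo --service web --force-new-deployment
        print("stale task:", arn)
```

The stale-task check is what a scheduled Lambda triggered from the CloudTrail/CloudWatch rule described above would evaluate before forcing the new deployment.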
