# How to get secrets from the AWS Parameter Store into containers in ECS

Oct 22, 2019

On AWS we often use the AWS Parameter Store to store secrets safely. But accessing those secrets from an application running in ECS is rather intrusive: you have to call the AWS SSM API either in the application itself or in the entrypoint script of the container. In this blog we show you how a simple utility lets you specify references to the secrets as environment variables. It even allows you to specify sensible defaults.

## How does it work?

To use the utility, follow these two steps:

1. Include the executable in your container and make it the container's entrypoint.
2. Define environment variables whose values are URIs using the ssm: protocol.

### Include the executable

```dockerfile
FROM docker.io/binxio/ssm-get-parameter:0.2.3 AS ssm

FROM alpine
# copying into the directory keeps the binary's name, so the entrypoint must refer to it
COPY --from=ssm /ssm-get-parameter  /usr/local/bin
ENTRYPOINT [ "/usr/local/bin/ssm-get-parameter" ]
```


Make sure to move the container's previous entrypoint to its CMD, so that it is started once the secrets have been resolved.

### Define the environment variable

To retrieve the secrets into your container, define one or more environment variables with a URI using the ssm: protocol:

```dockerfile
ENV PGPASSWORD=ssm:///postgres/root/password
```


If a parameter cannot be retrieved, the container exits with an error. If you wish the container to start anyway, specify a default with the default parameter:

```dockerfile
ENV PGPASSWORD=ssm:///postgres/root/password?default=postgres
```


This allows you to run the container outside of AWS. You can also write the content of the secret to a file by specifying the destination parameter:

```dockerfile
ENV PRIVATE_KEY=ssm:///private-key?destination=/tmp/private-key
```


The value of the environment variable is then replaced with the name of the file, in this case /tmp/private-key. If the parameter cannot be retrieved and the destination file already exists, the contents of that file are used as the default value. Finally, if you need the secret embedded in a larger string, you can use the template parameter:

```dockerfile
ENV PGPASSFILE=ssm:///postgres/root/password?\
template=localhost:5432:kong:kong:{{.}}%0a&\
destination=\$HOME/.pgpass&\
default=postgres
```

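To make the resolution rules above concrete, here is an added Python re-implementation of the documented semantics (default, destination, existing-file fallback and template); it is not the ssm-get-parameter code itself. `fetch` stands in for the SSM GetParameter call, the parameter store and environment are constructed, and `$HOME` in `destination` is assumed to be expanded at run time, as the escaped `\$HOME` in the Dockerfile implies.

```python
import os, tempfile
from string import Template
from urllib.parse import urlparse, parse_qs

class ParameterError(Exception): pass  # unresolvable ssm: URI with no fallback

def resolve_ssm_env(value, fetch, env):
    """Resolve one environment value that may carry an ssm: URI; fetch(name)
    models SSM GetParameter and raises KeyError when retrieval fails."""
    if not value.startswith("ssm:"):
        return value  # plain variables pass through untouched
    uri = urlparse(value)
    opts = {k: v[0] for k, v in parse_qs(uri.query).items()}  # %0a decodes to "\n"
    destination = opts.get("destination")
    if destination:  # expand $HOME etc. against the container's own environment
        destination = Template(destination).safe_substitute(env)
    try:
        secret = fetch(uri.path)  # e.g. /postgres/root/password
    except KeyError:
        if destination and os.path.exists(destination):
            return destination  # an existing file stands in for the secret as-is
        if "default" not in opts:
            raise ParameterError(f"cannot retrieve {uri.path} and no default set")
        secret = opts["default"]
    if "template" in opts:
        secret = opts["template"].replace("{{.}}", secret)  # Go-template placeholder
    if destination:  # 0600: libpq refuses a group/world-readable .pgpass
        fd = os.open(destination, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(secret)
        return destination  # the variable now names the file, not the secret
    return secret

def resolve_environment(environ, fetch):
    """Rewrite every variable, as the entrypoint does before exec'ing the CMD."""
    return {k: resolve_ssm_env(v, fetch, environ) for k, v in environ.items()}

def demo(home=None):
    """Constructed parameter store and environment mirroring the post's examples."""
    home = home or tempfile.mkdtemp()
    with open(os.path.join(home, "old-key"), "w") as fh:
        fh.write("from-file")  # pre-existing destination, used when SSM is unreachable
    store = {"/postgres/root/password": "s3cr3t", "/private-key": "-----BEGIN KEY-----"}
    environ = {
        "HOME": home, "PATH": "/usr/local/bin",
        "PGPASSWORD": "ssm:///postgres/root/password",
        "PGPASSFILE": "ssm:///postgres/root/password?template=localhost:5432:kong:kong:{{.}}%0a&destination=$HOME/.pgpass&default=postgres",
        "PRIVATE_KEY": "ssm:///private-key?destination=$HOME/private-key",
        "OLD_KEY": "ssm:///rotated-away?destination=$HOME/old-key",
    }
    return resolve_environment(environ, store.__getitem__)
```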

## Conclusion

With the ssm-get-parameter utility you have a non-intrusive way of retrieving secrets from the Parameter Store and saving them as environment variable values or in a file in your container. By using the default option, you can provide sensible defaults that allow you to run your container independently of AWS.
If you are looking for the same thing on Google Cloud Platform, read how to get secrets from the Google Secret Manager into your container.

Mark van Holsteijn is a senior software systems architect, and CTO of binx.io. He is passionate about removing waste in the software delivery process and keeping things clear and simple.