Manage your Amazon Web Services Docker secrets
AWS ECS Docker Secrets CLI
by Brian Duggan
Storing and distributing runtime secrets continues to be an area of focus for the DevOps community. AWS Key Management Service used in conjunction with S3 and IAM offers a lightweight option and eliminates the need for an additional deployment dependency. To make it easier for developers, we decided to wrap it up into a CLI so you can instantly get the benefits without having to understand the intricacies.
How to Use
git clone -o github https://github.com/promptworks/aws-secrets
cd aws-secrets && make install

aws-secrets-init-resources my-app-name
echo "export SECRET_KEY=xyzzy" > my-app-env
aws-secrets-send my-app-name my-app-env
Adding to a Dockerfile
CMD ["aws-secrets-run-in-env", "my-app-name", "command_to_start_app"]
Complete instructions, including how to retrieve and use the secrets on any AWS instance are in the project's README.
Amazon wrote their own version of our original post a few months ago: How to Manage Secrets for Amazon EC2 Container Service–Based Applications by Using Amazon S3 and Docker.
Amazon's solution uses encrypted S3 buckets and CloudFormation templates to create the resources along with the appropriate subnets, routing tables, security groups and so on. Note that their solution relies on server-side encryption of the S3 buckets and doesn't use KMS, which would provide an audit log. You also have to write your own entrypoint script to retrieve the secrets and load them into the environment of the running process.
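The flow behind the commands above and the entrypoint step just mentioned, written out as an added example (this is not the aws-secrets project's own code): encrypt the env file client-side under a KMS key, store only the ciphertext in S3, and on the instance decrypt it and exec the app with the secrets in its environment. boto3, an existing KMS key ID and an S3 bucket name are assumed; only the env-file parsing runs without AWS credentials.

```python
import os
# Constructed sample in the my-app-env format used above (not a real secret).
SAMPLE_ENV = "# constructed sample\nexport SECRET_KEY=xyzzy\nexport DB_URL='postgres://u:p@h/db'\n\nPLAIN=1\n"

def parse_env_file(text):
    """Parse 'export KEY=value' lines into a dict. Blank lines and '#' comments
    are skipped; anything else is rejected up front, so a typo in the file
    cannot silently become a missing secret at container start."""
    env = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key.isidentifier():
            raise ValueError(f"line {lineno}: expected KEY=value, got {raw!r}")
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop one pair of surrounding quotes
        env[key] = value
    return env

def encrypt_and_upload(env_text, key_id, bucket, app_name):
    """Client side: encrypt the whole file under the app's KMS key and store only
    ciphertext in S3. Each kms:Encrypt/Decrypt is logged in CloudTrail, the audit
    trail SSE-S3 alone lacks. kms.encrypt takes at most 4 KB of plaintext."""
    import boto3  # imported lazily so the local parsing runs without it
    parse_env_file(env_text)  # fail fast on a malformed file before uploading
    kms, s3 = boto3.client("kms"), boto3.client("s3")
    blob = kms.encrypt(KeyId=key_id, Plaintext=env_text.encode())["CiphertextBlob"]
    s3.put_object(Bucket=bucket, Key=f"{app_name}/env.enc", Body=blob)

def fetch_and_decrypt(bucket, app_name):
    """Instance side: the task or instance role needs only s3:GetObject on this
    object and kms:Decrypt on the app's key."""
    import boto3
    kms, s3 = boto3.client("kms"), boto3.client("s3")
    blob = s3.get_object(Bucket=bucket, Key=f"{app_name}/env.enc")["Body"].read()
    return parse_env_file(kms.decrypt(CiphertextBlob=blob)["Plaintext"].decode())

def merged_env(secrets, base=None):
    """The child's environment: secrets layered over the base environment."""
    return {**(os.environ if base is None else base), **secrets}

def run_in_env(secrets, argv):
    """What the CMD line above does: exec the app with secrets only in its env."""
    os.execvpe(argv[0], argv, merged_env(secrets))
```

A real entrypoint is `run_in_env(fetch_and_decrypt(bucket, "my-app-name"), ["command_to_start_app"])`; the secrets never touch the container's filesystem.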
Promptworks' aws-secrets Advantages
As a commenter on the AWS blog post pointed out, their solution "still requires too many manual steps. Amazon web services (AWS) should invest in tools to automate more steps without being exposed to AWS internals." Our AWS Secrets CLI provides that automation and abstraction. It also relies less on plumbing like CloudFormation and encrypts your secrets client-side.