Retrieve application config from secure location during task start

I want to make sure I’m not storing sensitive keys and credentials in source or in docker images. Specifically I’d like to store my MySQL RDS application credentials and copy them when the container/task starts. The documentation provides an example of retrieving the ecs.config file from s3 and I’d like to do something similar.

I’m using the Amazon ECS optimized AMI with an auto scaling group that registers with my ECS cluster. I’m using the ghost docker image without any customization. Is there a way to configure what I’m trying to do?

One Solution for “Retrieve application config from secure location during task start”

    You can define a volume on the host and map it to the container with read-only privileges.
    Please refer to the following documentation for configuring an ECS volume for an ECS task.
    http://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_data_volumes.html

    Even though the container does not have the config at build time, it will read the configs as if they are available in its own file system.

    There are many ways to secure the config on the host OS.
    In my past projects, I have achieved the same by disabling ssh into the host and injecting the config at boot-up using cloud-init.
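The two halves of the approach described in this answer, as an added example (not the answerer's code): a function a cloud-init boot script would call on the host to write the credentials with owner-only permissions, and the ECS task definition fragment that maps that host directory into the container read-only. The host path, the container path and the config file format are assumptions; the real path depends on where the image expects its config.

```shell
#!/bin/sh
# Added example. Hypothetical paths: host side /etc/ghost (passed in as
# an argument), container side /var/lib/ghost/config. The key=value
# content is constructed and stands in for whatever the image reads.

# Host side: meant to run from cloud-init at boot, so the credentials
# never land in the image, the repo or the task definition itself.
write_secret_config() {
  dir="$1"            # e.g. /etc/ghost
  db_user="$2"
  db_pass="$3"
  umask 077           # everything created below is owner-only
  mkdir -p "$dir"
  cat > "$dir/config" <<EOF
database__connection__user=$db_user
database__connection__password=$db_pass
EOF
  chmod 600 "$dir/config"
  chmod 700 "$dir"
}

# Task definition fragment: the host directory becomes a named volume
# and is mounted into the container with readOnly set, so a compromised
# app process can read its own config but cannot rewrite it.
task_definition_json() {
  host_path="$1"
  cat <<EOF
{
  "family": "ghost",
  "volumes": [
    {"name": "app-config", "host": {"sourcePath": "$host_path"}}
  ],
  "containerDefinitions": [
    {
      "name": "ghost",
      "image": "ghost",
      "mountPoints": [
        {"sourceVolume": "app-config",
         "containerPath": "/var/lib/ghost/config",
         "readOnly": true}
      ]
    }
  ]
}
EOF
}
```

Register the printed JSON with `aws ecs register-task-definition --cli-input-json file://...` once the host has been provisioned; the secret itself only ever lives on the instance's file system.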
