Retrieve application config from secure location during task start

I want to make sure I’m not storing sensitive keys and credentials in source or in docker images. Specifically I’d like to store my MySQL RDS application credentials and copy them when the container/task starts. The documentation provides an example of retrieving the ecs.config file from s3 and I’d like to do something similar.

I’m using the Amazon ECS optimized AMI with an auto scaling group that registers with my ECS cluster. I’m using the ghost docker image without any customization. Is there a way to configure what I’m trying to do?

  • What is the entry point/command required to run an etcd container in ECS?
  • Node ECS Task Not Crashing
  • Container already stopped error on ECS
  • Docker on Elastic Beanstalk - connect() failed (111: Connection refused) while connecting to upstream
  • Amazon ECS error: cannot create a task definition with no containers
  • How can I connect my autoscaling group to my ecs cluster?
  • Paperclip on docker doesn't upload image?
  • How to create a new docker image from a running container on Amazon?
  • Pull docker image from AWS ECR using remote API
  • Docker push to AWS ECR fails on Windows: no basic auth credentials
  • Container already stopped error on ECS
  • ecs-cli up command - attaching own instance profile
  • One Solution collect form web for “Retrieve application config from secure location during task start”

    You can define a volume on the host and map it to the container with Read only privileges.
    Please refer to the following documentation for configuring ECS volume for an ECS task.

    Even though the container does not have the config at build time, it will read the configs as if they are available in its own file system.

    There are many ways to secure the config on the host OS.
    In my past projects, I have achieved the same by disabling ssh into the host and injecting the config at boot-up using cloud-init.

    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.