AWS ECS - Passing SSM Parameters to Docker Compose scripts

splitlamp · June 24, 2020, 8:43am

I am attempting to port my docker-compose scripts for Parse Server & Dashboard to AWS ECS. Mostly I am using the ecs-cli command to perform the actions as it allows a docker-compose.yml file as an input. This does require some alterations, but the majority of the configuration is unchanged. I have it running using the same local ENV_VAR files, i.e. .env.

I am looking to replace the use of local ENV_VAR files to use secure storage for this, for an automated IaC deployment pattern. Has anyone been able to pass AWS Systems Manager (SSM) parameters as the environment variables within the “parse server” service?

The biggest factor to this the config for reading in these values occurs in a separate ecs-params.yml file located in the same location. This is my current config:

version: 1
task_definition:
  task_execution_role: "arn:aws:iam::<account>:role/ecsTaskExecutionRole"
  services:
    parse:
      cpu_shares: 100
      mem_limit: 128000000
      secrets:
        - value_from: "arn:aws:ssm:<region>:<account>:parameter/KEY1"
          name: "VAR_PARSE_KEY1"
        - value_from: "arn:aws:ssm:<region>:<account>:parameter/KEY2"
          name: "VAR_PARSE_KEY2"

Then in my docker-compose.yml file, I have this config:

version: '3'
services:
  parse:
    image: parseplatform/parse-server:4.2.0
    environment:
      - S3_ACCESS_KEY=${VAR_S3_ACCESS_KEY}

In the AWS Console I can see the SSM parameter configs in the Task Definitions (Task Definitions > task-name > task-name:vv > Builder tab > Expand Parse container > Scroll down to see the environment variables.

VAR_PARSE_KEY1 arn:aws:ssm:<region>:<account>:parameter/VAR_S3_ACCESS_KEY

When I deploy, I am seeing conflicting info in my environment. I am using the AWS Console, as well as the Portainer container that I use for container management.

AWS Console > ECS > Clusters > cluster-name > Tasks tab > Click the Parse container link > In Containers, expand Parse > I CANNOT see these ENV_VARs

In Portainer > Containers > parse-container > Scroll to ENV_VARs, and these parameters are retrieved

In my docker-compose.yml, I have tried assigning the ENV_VARs in the -environment: section but it comes out blank. My guess is that the SSM parameter isn’t retrieved ahead of assigning it to the ENV_VAR?

Anyone have experience of this situation?