secrets ¶
secrets:
  my-docker-compose-secret:
    x-secrets:
      Name: str
      VarName: str
      LinksTo: []
      JsonKeys: []
      Lookup: {}
With docker-compose, you can define secrets to use for the application.
To stay compatible with docker-compose syntax, you declare your secret in the docker-compose file and add an extension field that maps directly to the name of the secret in AWS Secrets Manager.
ECS ComposeX will automatically add IAM permissions to the execution role of your Task definition and will export the secret to your container, using the same name as in the compose file.
Hint
For security purposes, the envoy, CloudWatch and xray-daemon containers are not assigned the secrets when they are part of the same service family.
Name ¶
Type: String
The name of the secret in AWS Secrets Manager to use and import.
Hint
You can put the full ARN if you want to. It will be validated.
VarName ¶
Allows you to override the environment variable name for the secret ARN that would otherwise be auto-generated by compose-x.

secrets:
  my-secret: # Results in MY_SECRET
    x-secrets:
      Name: /path/to/my-secret
  another-secret:
    x-secrets:
      Name: /path/to/another
      VarName: MY_OTHER_SECRET

LinksTo ¶
Type: List of Strings
AllowedValues (also default):
- EcsExecutionRole
- EcsTaskRole

secret-name:
  x-secrets:
    Name: String
    LinksTo:
      - EcsExecutionRole
      - EcsTaskRole

Warning
If you do not specify EcsExecutionRole when specifying LinksTo, the secret will not be exposed to your container via the AWS ECS Secrets property of your Container Definition.
JsonKeys ¶
Type: List of objects/dicts
Note
Only Fargate Platform Version 1.4.0+ supports secrets JSON keys.
SecretKey: str
VarName: str
Transform: str
SecretKey ¶
Name of the JSON Key in your secret.
VarName ¶
The environment variable name to use specifically for this secret JSON key.
Transform ¶
The following simple transforms are available when you want to turn the original secret key into something else.
java_properties ¶
Takes a string, replaces all letters with their uppercase version and replaces . with _
title ¶
Sets the first letter of every word to uppercase: some.properties becomes Some.Properties
capitalize ¶
Changes all letters from lower case to uppercase but does not change anything else.
Examples ¶
secrets:
  topsecret_info:
    x-secrets:
      Name: /path/to/my/secret

services:
  serviceA:
    secrets:
      - topsecret_info

secrets:
  abcd: {}
  john:
    x-secrets:
      LinksTo:
        - EcsExecutionRole
        - EcsTaskRole
      Name: SFTP/asl-cscs-files-dev

secrets:
  zyx:
    x-secrets:
      Name: secret/with/kmskey
      Lookup:
        Tags:
          - costcentre: lambda
          - composexdev: "yes"
      JsonKeys:
        - SecretKey: username
          VarName: PSQL_USERNAME
        - SecretKey: password
          VarName: PSQL_PASSWORD

secrets:
  abcd: {}
  john:
    x-secrets:
      LinksTo:
        - EcsExecutionRole
        - EcsTaskRole
      Name: arn:aws:secretsmanager:eu-west-1:123456789012:secret:/secret/abcd

JSON Schema ¶
Model ¶
secrets.x-secrets specification ¶
secrets.x-secrets.spec.json
The secrets.x-secrets specification for ComposeX

type: object
properties:
  Name
    type: string
  VarName
    Override environment variable name for the secret
    type: string
    pattern: ^[A-Z0-9_]+
  JsonKeys
    type: array
    items: #/definitions/KeysDef
  Lookup
    x-resources.common.spec.json#/definitions/Lookup
  LinksTo
    type: array
    items:
      type: string
      enum: EcsExecutionRole, EcsTaskRole
additionalProperties: False
definitions:
  KeysDef
    type: object
    properties:
      SecretKey
        type: string
      VarName
        type: string
      Transform
        type: string
    additionalProperties: False

Definition ¶
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "secrets.x-secrets.spec.json",
  "type": "object",
  "title": "secrets.x-secrets specification",
  "description": "The secrets.x-secrets specification for ComposeX",
  "additionalProperties": false,
  "properties": {
    "Name": {
      "type": "string"
    },
    "VarName": {
      "type": "string",
      "description": "Override environment variable name for the secret",
      "pattern": "^[A-Z0-9_]+"
    },
    "JsonKeys": {
      "type": "array",
      "items": {
        "$ref": "#/definitions/KeysDef"
      }
    },
    "Lookup": {
      "$ref": "x-resources.common.spec.json#/definitions/Lookup"
    },
    "LinksTo": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": [
          "EcsExecutionRole",
          "EcsTaskRole"
        ]
      }
    }
  },
  "definitions": {
    "KeysDef": {
      "type": "object",
      "additionalProperties": false,
      "required": [
        "SecretKey"
      ],
      "properties": {
        "SecretKey": {
          "type": "string"
        },
        "VarName": {
          "type": "string"
        },
        "Transform": {
          "type": "string"
        }
      }
    }
  }
}
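
A lint pass over the secrets section of a compose file, added here as an example (it is not ECS ComposeX's own code). It applies the schema's property and enum rules by hand, flags the LinksTo case described in the Warning above, and checks VarName with a full match because the schema's pattern is anchored only at the start. The function name lint_secrets and the sample data are assumptions constructed for illustration.

```python
import re

ALLOWED_KEYS = {"Name", "VarName", "LinksTo", "JsonKeys", "Lookup"}
ALLOWED_ROLES = {"EcsExecutionRole", "EcsTaskRole"}
JSON_KEY_FIELDS = {"SecretKey", "VarName", "Transform"}
# Used with fullmatch: stricter than the schema's start-anchored ^[A-Z0-9_]+
VAR_NAME = re.compile(r"[A-Z0-9_]+")


def lint_secrets(compose):
    """Return a list of (secret_name, message) findings for x-secrets entries."""
    findings = []
    for name, body in (compose.get("secrets") or {}).items():
        spec = (body or {}).get("x-secrets")
        if spec is None:
            continue  # plain docker-compose secret, nothing to check
        for key in sorted(set(spec) - ALLOWED_KEYS):
            findings.append((name, f"unknown property {key!r}"))
        if "VarName" in spec and not VAR_NAME.fullmatch(str(spec["VarName"])):
            findings.append((name, "VarName is not entirely [A-Z0-9_]"))
        links = spec.get("LinksTo")  # absent means the default (both roles)
        if links is not None:
            for role in links:
                if role not in ALLOWED_ROLES:
                    findings.append((name, f"LinksTo value {role!r} not allowed"))
            if "EcsExecutionRole" not in links:
                findings.append((name, "LinksTo omits EcsExecutionRole: secret will not be exposed to the container"))
        for item in spec.get("JsonKeys", []):
            if "SecretKey" not in item:
                findings.append((name, "JsonKeys entry missing SecretKey"))
            for key in sorted(set(item) - JSON_KEY_FIELDS):
                findings.append((name, f"unknown JsonKeys property {key!r}"))
    return findings


# Constructed sample input (not from the project): two clean entries, three faulty ones.
SAMPLE = {
    "secrets": {
        "abcd": {},
        "good": {"x-secrets": {"Name": "/path/to/my/secret", "LinksTo": ["EcsExecutionRole", "EcsTaskRole"]}},
        "task-only": {"x-secrets": {"Name": "/path/to/another", "LinksTo": ["EcsTaskRole"]}},
        "bad-var": {"x-secrets": {"Name": "/path/to/x", "VarName": "MY_SECRET-lower"}},
        "bad-keys": {"x-secrets": {"Name": "/path/to/y", "JsonKeys": [{"VarName": "PSQL_USERNAME"}]}},
    }
}

if __name__ == "__main__":
    for secret, message in lint_secrets(SAMPLE):
        print(f"{secret}: {message}")
```

The VarName value MY_SECRET-lower satisfies the schema's pattern as written, since only its leading characters have to match; the full match is what rejects it here.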