Enable secure access to secrets for AWS ECS containers using Terraform - ecs-secrets-manager module

Secrets, like API keys, security credentials, and encryption keys, are often injected into AWS ECS containers using just environment variables. I’ve also seen solutions using dedicated tools like AWS SecretsManager incorrectly. As a result, secrets were passed as environment variables again, which means they were hardcoded in the ECS task/container definition, breaking the least privilege principle and violating security benchmark recommendations.

To resolve this issue I’ve created an ecs-secrets-manager Terraform module.

  • It uses the AWS Secrets Manager service to store, retrieve and rotate secrets.
  • No secret is hardcoded in the container definition. AWS injects them on the container startup.
  • You can restrict and audit access to the Secrets Manager, no secret will be accessed without your permission and knowledge.

Feel free to use the module. Any feedback is welcomed!


1 Like

That is great :heart_eyes: have you seen someone using sensitive data inside container definitions? or was there a different inspiration?

Yes, that was the inspiration. I’ve seen 2 incorrect approaches.

One was just hardcoding secrets in the container definition environment variables using terraform .tf files.

The second one was using AWS Secrets Manager to store secrets but because of incorrect terraform configuration, secrets were fetched during terraforming apply, and hardcoded in the container definition. I think that’s a more dangerous solution, it looks ok at first glance, but has almost the same risks as the first one.

I wanted to create a module that would hide the configuration overhead and deliver secure secrets management for ECS containers