Ben DOCKAWS Notes

From DISI
cat > ecs-secret-permissions-policy.txt <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "<aws secret key arn>",
                "<dockerhub pw arn>",
                "<etc...>"
            ]
        }
    ]
}
EOF
# put-role-policy requires --policy-name; the inline policy name itself is arbitrary
aws iam put-role-policy --role-name ecsInstanceRole --policy-name ecs-secret-permissions --policy-document file://ecs-secret-permissions-policy.txt
aws iam list-role-policies --role-name ecsInstanceRole
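Before attaching the policy it is worth checking that it grants nothing beyond read access to the named secrets, since every job scheduled onto an instance with ecsInstanceRole inherits it. The following linter is an added example, not part of the original notes: it parses a policy document like the one above and reports placeholders that were never replaced, wildcard resources, and actions other than GetSecretValue. The sample policy, the account id and the secret ARNs in it are constructed.

```python
"""Least-privilege check for the secrets policy attached to ecsInstanceRole.

Added example (not from the original notes). Reports anything in the policy
that is broader than read access to specific, fully spelled-out secret ARNs.
"""
import json
import re

# Constructed sample mirroring the policy in the notes, with made-up ARNs.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue"],
      "Resource": [
        "arn:aws:secretsmanager:us-west-1:123456789012:secret:dockerpw-AbCdEf",
        "arn:aws:secretsmanager:us-west-1:123456789012:secret:aws-secret-key-GhIjKl"
      ]
    }
  ]
}"""

# The only action the instance role needs for this setup.
ALLOWED_ACTIONS = {"secretsmanager:GetSecretValue"}

# A single Secrets Manager secret ARN: partition, region, 12-digit account, no wildcards.
SECRET_ARN = re.compile(r"^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^*?]+$")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_secret_policy(policy_json):
    """Return a list of findings; an empty list means the policy is scoped as intended."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        where = "Statement[%d]" % i
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("%s: uses NotAction/NotResource; the grant is open-ended" % where)
        for action in _as_list(stmt.get("Action", [])):
            if action not in ALLOWED_ACTIONS:
                findings.append("%s: action %r is broader than GetSecretValue" % (where, action))
        for res in _as_list(stmt.get("Resource", [])):
            if res.startswith("<") and res.endswith(">"):
                findings.append("%s: placeholder %r was never replaced with a real ARN" % (where, res))
            elif "*" in res or "?" in res:
                findings.append("%s: wildcard resource %r exposes every matching secret" % (where, res))
            elif not SECRET_ARN.match(res):
                findings.append("%s: %r is not a Secrets Manager secret ARN" % (where, res))
    return findings


if __name__ == "__main__":
    problems = check_secret_policy(SAMPLE_POLICY)
    print("\n".join(problems) if problems else "policy is scoped to GetSecretValue on named secrets")
```

Run it against your own file with `check_secret_policy(open("ecs-secret-permissions-policy.txt").read())` before the `put-role-policy` call; the notes' template as written will fail the placeholder check until the `<...>` entries are replaced, which is the point.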

Go to the EC2 console, "Launch Templates".

Create a blank template and open the advanced settings. Set the IAM instance profile to your ecsInstanceRole, go to "User Data" and paste the following:

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="==BOUNDARY=="

--==BOUNDARY==
MIME-Version: 1.0
Content-Type: text/x-shellscript; charset="us-ascii"

#!/bin/bash
docker_email=jir322@gmail.com
docker_user=jir322
export AWS_DEFAULT_REGION=us-west-1
# --query/--output text returns the bare SecretString instead of grepping it out of the JSON response
docker_auth=$(aws secretsmanager get-secret-value --secret-id dockerpw --query SecretString --output text)

# A heredoc keeps bash from brace-expanding the nested {...} and splitting the echo on its commas
cat >> /etc/ecs/ecs.config <<EOF
ECS_ENGINE_AUTH_TYPE=docker
ECS_ENGINE_AUTH_DATA={"https://index.docker.io/v1/":{"auth":"${docker_auth}","email":"${docker_email}","username":"${docker_user}"}}
EOF

--==BOUNDARY==
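The two lines the user-data script appends to /etc/ecs/ecs.config are the part that is easiest to get subtly wrong: the secret is pulled out of a JSON response and then pasted into another JSON document by hand. The following is an added example, not code from the original notes, that does both steps with a JSON parser, so a secret value containing quotes, colons or commas survives intact and the ECS_ENGINE_AUTH_DATA block is always well-formed. The get-secret-value response, the account id and the credential values below are constructed; the function names are my own.

```python
"""Build the ECS_ENGINE_AUTH_* lines for /etc/ecs/ecs.config from a
Secrets Manager response. Added example, not from the original notes."""
import json
import os

# Constructed sample of `aws secretsmanager get-secret-value --secret-id dockerpw` output.
SAMPLE_RESPONSE = json.dumps({
    "ARN": "arn:aws:secretsmanager:us-west-1:123456789012:secret:dockerpw-AbCdEf",
    "Name": "dockerpw",
    "SecretString": "dXNlcjpwYXNzLHdpdGg6cHVuY3R1YXRpb24=",
    "VersionStages": ["AWSCURRENT"],
})


def secret_string(response_json):
    """Return SecretString from a get-secret-value response.

    json.loads handles any characters inside the value; a grep/cut pipeline
    keyed on ':' and ',' would not. Binary secrets are rejected explicitly
    rather than silently producing an empty credential.
    """
    data = json.loads(response_json)
    if "SecretString" not in data:
        raise ValueError("secret %r holds SecretBinary, not SecretString" % data.get("Name"))
    return data["SecretString"]


def ecs_auth_config(auth, email, username, registry="https://index.docker.io/v1/"):
    """Return the two config lines; json.dumps does all quoting and escaping."""
    auth_data = {registry: {"auth": auth, "email": email, "username": username}}
    return (
        "ECS_ENGINE_AUTH_TYPE=docker\n"
        "ECS_ENGINE_AUTH_DATA=" + json.dumps(auth_data, separators=(",", ":")) + "\n"
    )


def write_ecs_config(path, config_text):
    """Append to the agent config, creating it 0600 since it now holds a registry credential."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(config_text)
    os.chmod(path, 0o600)  # tighten an existing file as well
    return len(config_text)


if __name__ == "__main__":
    # Constructed values; in user data these come from the secret and the script variables.
    cfg = ecs_auth_config(secret_string(SAMPLE_RESPONSE), "user@example.com", "user")
    print(cfg, end="")
```

On a real instance the ECS agent reads ECS_ENGINE_AUTH_DATA as JSON, so a malformed line fails the registry login rather than erroring loudly; generating it with `json.dumps` removes that failure mode, and the 0600 mode limits who can read the credential back out of the config file.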

Now create a new compute environment in AWS Batch that uses this launch template and ecsInstanceRole as the instance role, and set your job queue to use only this compute environment. Because the jobs run on instances carrying ecsInstanceRole, a runtime container or script that calls the AWS API can fetch your private key from Secrets Manager with that role's permissions. That applies to every job scheduled onto those instances, so keep the policy's Resource list limited to the secrets the jobs actually need.