Ben DOCKAWS Notes - Revision history

Btingle: Created page with " cat > ecs-secret-permissions-policy.txt <
2021-04-20T21:42:05Z

Created page with " <nowiki> cat > ecs-secret-permissions-policy.txt <<EOF { "Version":"2012-10-17", "Statement": [ { "Effect":"Allow", ..."

New page
<nowiki>
cat > ecs-secret-permissions-policy.txt <<EOF
{
"Version":"2012-10-17",
"Statement": [
{
"Effect":"Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"<aws secret key arn>",
"<dockerhub pw arn>",
"<etc...>"
]
}
]

}
EOF</nowiki>

<nowiki>
aws iam put-role-policy --role-name ecsInstanceRole --policy-document file://ecs-secret-permissions-policy.txt
aws iam list-role-policies --role-name ecsInstanceRole</nowiki>

Go to EC2 console, "Launch Templates"

Create blank template, go to advanced settings. Set iam user to your ecsInstanceRole, go to "User Data" and paste the following code:

<nowiki>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="==BOUNDARY=="

--==BOUNDARY==
MIME-Version: 1.0
Content-Type: text/x-shellscript; charset="us-ascii"

#!/bin/bash
docker_email=jir322@gmail.com
docker_user=jir322
export AWS_DEFAULT_REGION=us-west-1
docker_auth=$(aws secretsmanager get-secret-value --secret-id dockerpw | grep "SecretString" | cut -d':' -f2 | sed 's/\"//g' | sed 's/,//g' | tail -c +2)

echo ECS_ENGINE_AUTH_TYPE=docker >> /etc/ecs/ecs.config
echo ECS_ENGINE_AUTH_DATA={\"https://index.docker.io/v1/\":{\"auth\":\"${docker_auth}\",\"email\":\"${docker_email}\",\"username\":\"${docker_user}\"}} >> /etc/ecs/ecs.config

--==BOUNDARY==</nowiki>

Now, create a new compute environment in aws batch that uses this launch template and the ecsInstanceRole as the instance role. Set your queue to use this compute environment only. If your runtime container/script uses the aws api, it should be allowed to fetch your private key from the secretsmanager