Revision as of 21:42, 20 April 2021 by Btingle (talk | contribs)
Create an inline policy that lets the instance role read only the two secrets it needs. The Action list is assumed to be secretsmanager:GetSecretValue, which is what the get-secret-value call in the user data below requires; replace the two <...> placeholders with the ARNs of your secrets:

cat > ecs-secret-permissions-policy.txt <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "<aws secret key arn>",
                "<dockerhub pw arn>"
            ]
        }
    ]
}
EOF

aws iam put-role-policy --role-name ecsInstanceRole --policy-name ecs-secret-permissions --policy-document file://ecs-secret-permissions-policy.txt
aws iam list-role-policies --role-name ecsInstanceRole

Go to the EC2 console, "Launch Templates".

Create a blank template and open the advanced settings. Set the IAM instance profile to your ecsInstanceRole, then go to "User Data" and paste the following:

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="==BOUNDARY=="

--==BOUNDARY==
MIME-Version: 1.0
Content-Type: text/x-shellscript; charset="us-ascii"

#!/bin/bash
export AWS_DEFAULT_REGION=us-west-1

# Docker Hub account the ECS agent logs in with; fill in your own values
docker_user="<dockerhub username>"
docker_email="<dockerhub email>"

# Fetch the base64 auth string stored in the "dockerpw" secret. --query/--output text
# returns the bare value, so the JSON response does not have to be picked apart with grep/sed.
docker_auth=$(aws secretsmanager get-secret-value --secret-id dockerpw --query SecretString --output text)

# Point the ECS agent at the registry credentials. The value is double-quoted so the
# braces and commas reach ecs.config literally instead of being subject to brace expansion.
echo "ECS_ENGINE_AUTH_TYPE=docker" >> /etc/ecs/ecs.config
echo "ECS_ENGINE_AUTH_DATA={\"\":{\"auth\":\"${docker_auth}\",\"email\":\"${docker_email}\",\"username\":\"${docker_user}\"}}" >> /etc/ecs/ecs.config
--==BOUNDARY==--


Now create a new compute environment in AWS Batch that uses this launch template and ecsInstanceRole as the instance role. Set your job queue to use only this compute environment. If your runtime container or script uses the AWS API, it should now be allowed to fetch your private key from Secrets Manager.
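The two artifacts above, the read-only secret policy and the ECS_ENGINE_AUTH_DATA line, generated in Python so that the JSON quoting is done by json.dumps rather than by hand-escaped echo arguments. This is an added example, not code from the original page; the function names (secret_policy, ecs_config_lines, parse_ecs_config, decode_docker_auth) are my own, and it assumes the auth value is base64 of "username:password", which is the format Docker itself stores in config.json.

```python
import base64
import json

# Least privilege: the instance role needs exactly one action on the named secrets.
SECRET_READ_ACTIONS = ["secretsmanager:GetSecretValue"]


def secret_policy(secret_arns):
    """Return the inline policy document that reads only the given secrets."""
    if not secret_arns:
        raise ValueError("at least one secret ARN is required; never fall back to '*'")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": SECRET_READ_ACTIONS,
                "Resource": list(secret_arns),
            }
        ],
    }


def docker_auth_string(username, password):
    """The 'auth' value Docker keeps in config.json: base64 of 'username:password'."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_docker_auth(auth):
    """Inverse of docker_auth_string, used to check what actually lands in ecs.config."""
    return base64.b64decode(auth).decode()


def ecs_config_lines(registry, username, password, email):
    """Lines for /etc/ecs/ecs.config that select docker-style registry auth.

    json.dumps does the quoting, so a password containing quotes, braces or commas
    cannot break the line the way a hand-escaped echo argument can. The page's user
    data uses "" as the registry key; Docker's own config.json uses
    https://index.docker.io/v1/ for Docker Hub.
    """
    auth_data = {registry: {"auth": docker_auth_string(username, password),
                            "email": email, "username": username}}
    return ["ECS_ENGINE_AUTH_TYPE=docker",
            "ECS_ENGINE_AUTH_DATA=" + json.dumps(auth_data, separators=(",", ":"))]


def parse_ecs_config(lines):
    """Read the lines back the way the agent would: KEY=VALUE, JSON where expected."""
    cfg = dict(line.split("=", 1) for line in lines)
    cfg["ECS_ENGINE_AUTH_DATA"] = json.loads(cfg["ECS_ENGINE_AUTH_DATA"])
    return cfg
```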