Book Image

Docker on Amazon Web Services

By : Justin Menga
Book Image

Docker on Amazon Web Services

By: Justin Menga

Overview of this book

Over the last few years, Docker has been the gold standard for building and distributing container applications. Amazon Web Services (AWS) is a leader in public cloud computing, and was the first to offer a managed container platform in the form of the Elastic Container Service (ECS). Docker on Amazon Web Services starts with the basics of containers, Docker, and AWS, before teaching you how to install Docker on your local machine and establish access to your AWS account. You'll then dig deeper into the ECS, a native container management platform provided by AWS that simplifies management and operation of your Docker clusters and applications for no additional cost. Once you have got to grips with the basics, you'll solve key operational challenges, including secrets management and auto-scaling your infrastructure and applications. You'll explore alternative strategies for deploying and running your Docker applications on AWS, including Fargate and ECS Service Discovery, Elastic Beanstalk, Docker Swarm and Elastic Kubernetes Service (EKS). In addition to this, there will be a strong focus on adopting an Infrastructure as Code (IaC) approach using AWS CloudFormation. By the end of this book, you'll not only understand how to run Docker on AWS, but also be able to build real-world, secure, and scalable container platforms in the cloud.
Table of Contents (20 chapters)

Injecting secrets at container startup


One challenge with secrets management in Docker is passing secrets to your containers in a secure fashion. 

The following diagram illustrates a somewhat naive but understandable approach that uses environment variables to inject your secrets directly as plaintext values, which is the approach we took in Chapter 8: 

Injecting passwords via environment variables

 

This approach is simple to configure and understand, however it is not considered best practice from a security perspective. When you take such an approach, you can view your credentials in plaintext by inspecting the ECS task definition, and if you run docker inspect commands on your ECS container instances, you can also view your credentials in plaintext. You may also inadvertently end up logging your secrets using this approach, which could be shared inadvertently with unauthorized third parties, so clearly this approach is not considered good practice.

An alternative approach that is considered...