Injecting secrets at container startup
One challenge with secrets management in Docker is passing secrets to your containers in a secure fashion.
The following diagram illustrates a somewhat naive but understandable approach that uses environment variables to inject your secrets directly as plaintext values, which is the approach we took in Chapter 8:
Injecting passwords via environment variables
This approach is simple to configure and understand; however, it is not considered best practice from a security perspective. When you take such an approach, your credentials are visible in plaintext to anyone who can inspect the ECS task definition, and anyone who can run `docker inspect` on your ECS container instances can read them in plaintext from the container's environment. You may also inadvertently log your secrets, for example when a process dumps its environment or a deployment tool echoes the task definition, and those logs could then be shared with unauthorized third parties. Clearly, this approach is not considered good practice.
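As an added example (not code from the book), the following Python script shows the two exposure paths just described: it scans an ECS task definition for secret-looking names placed directly in `environment`, and scans `docker inspect` output for the same names in `Config.Env`, which is where the plaintext ends up once the task is running. It also shows how to redact such entries before they are logged. The task definition, `docker inspect` output, password and Secrets Manager ARN are all constructed sample data; the `secrets`/`valueFrom` container definition field is the real ECS mechanism for referencing a secret instead of embedding it.

```python
import json
import re

# Constructed ECS task definition in the shape returned by
# `aws ecs describe-task-definition`. The first container injects a password
# as plaintext; the second references it via `secrets`/`valueFrom`, so only
# an ARN (constructed here) appears in the definition.
SAMPLE_TASK_DEFINITION = {
    "taskDefinition": {
        "family": "todobackend",
        "containerDefinitions": [
            {
                "name": "todobackend",
                "environment": [
                    {"name": "DJANGO_SETTINGS_MODULE", "value": "todobackend.settings_release"},
                    {"name": "MYSQL_PASSWORD", "value": "hunter2"},  # constructed plaintext secret
                ],
            },
            {
                "name": "collectstatic",
                "environment": [
                    {"name": "DJANGO_SETTINGS_MODULE", "value": "todobackend.settings_release"},
                ],
                "secrets": [
                    {
                        "name": "MYSQL_PASSWORD",
                        # Constructed ARN; ECS resolves it at startup, so no plaintext is stored here.
                        "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:todobackend/credentials-AbCdEf:MYSQL_PASSWORD::",
                    },
                ],
            },
        ],
    }
}

# Constructed `docker inspect` output for the first container: the plaintext
# password is now readable by anyone who can run docker on the instance.
SAMPLE_DOCKER_INSPECT = [
    {
        "Name": "/ecs-todobackend-1-todobackend-abc",
        "Config": {"Env": ["MYSQL_PASSWORD=hunter2", "PATH=/usr/local/bin:/usr/bin"]},
    }
]

# Variable names that usually carry credentials. Heuristic, not exhaustive.
SECRET_NAME_PATTERN = re.compile(r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.IGNORECASE)


def looks_like_secret(name):
    return bool(SECRET_NAME_PATTERN.search(name))


def find_plaintext_secrets_in_task_definition(task_def):
    """Return (container, variable) pairs whose value is embedded in `environment`.
    Entries under `secrets` are references, not values, and are not reported."""
    findings = []
    for container in task_def["taskDefinition"].get("containerDefinitions", []):
        for env in container.get("environment", []):
            if looks_like_secret(env["name"]):
                findings.append((container["name"], env["name"]))
    return findings


def find_plaintext_secrets_in_inspect(inspect_output):
    """Return (container name, variable) pairs exposed through `docker inspect`."""
    findings = []
    for container in inspect_output:
        for entry in container.get("Config", {}).get("Env", []):
            name, _, _ = entry.partition("=")
            if looks_like_secret(name):
                findings.append((container["Name"], name))
    return findings


def redact_env(entries):
    """Mask secret-looking NAME=value entries so the list can be logged safely."""
    redacted = []
    for entry in entries:
        name, sep, _ = entry.partition("=")
        redacted.append(f"{name}=***" if sep and looks_like_secret(name) else entry)
    return redacted


if __name__ == "__main__":
    print("Plaintext in task definition:", find_plaintext_secrets_in_task_definition(SAMPLE_TASK_DEFINITION))
    print("Plaintext via docker inspect:", find_plaintext_secrets_in_inspect(SAMPLE_DOCKER_INSPECT))
    print("Safe to log:", json.dumps(redact_env(SAMPLE_DOCKER_INSPECT[0]["Config"]["Env"])))
```

Running the script reports `MYSQL_PASSWORD` for the `todobackend` container in both the task definition and the `docker inspect` output, while the `collectstatic` container, which uses `valueFrom`, produces no finding. The same name heuristic drives `redact_env`, so a deployment log that prints a container's environment shows `MYSQL_PASSWORD=***` rather than the value.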
An alternative approach that is considered...