GitHub Actions - passing secret variables to the render ECS task definition action

Time: 2019-12-15 14:32:02

Tags: amazon-web-services amazon-ecs github-actions

I'm using the amazon-ecs-render-task-definition GitHub action to deploy a new task to ECS. The action takes task-definition.json as a parameter. This JSON contains secrets that I don't want to push; is it possible to inject some parameters into this JSON? Maybe from AWS Secrets Manager?

For example - task-definition.json

{
  "containerDefinitions": [
    {
      "name": "wordpress",
      "links": [
        "mysql"
      ],
      "image": "wordpress",
      "essential": true,
      "portMappings": [
        {
          "containerPort": 80,
          "hostPort": 80
        }
      ],
      "memory": 500,
      "cpu": 10
    },
    {
      "environment": [
        {
          "name": "MYSQL_ROOT_PASSWORD",
          "value": "password" // IT'S A SECRET!
        }
      ],
      "name": "mysql",
      "image": "mysql",
      "cpu": 10,
      "memory": 500,
      "essential": true
    }
  ],
  "family": "hello_world"
}

3 answers:

Answer 0: (score: 1)

Apparently there is a built-in solution for using aws-secrets-manager secrets:

https://aws.amazon.com/premiumsupport/knowledge-center/ecs-data-security-container-task/

Answer 1: (score: 1)

Another solution is to use sed to insert your secrets.

So your workflow becomes -

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Add secrets to Task Definition
        # Replace the <placeholder> tokens in task.json in place; the values
        # come from the step's environment, which is populated from the
        # repository secrets below.
        run: |
          sed -i "s/<jwt_secret>/$JWT_SECRET/g" task.json
          sed -i "s/<mongo_password>/$MONGO_PASSWORD/g" task.json
        env:
          JWT_SECRET: ${{secrets.JWT_SECRET}}
          MONGO_PASSWORD: ${{secrets.MONGO_PASSWORD}}

Then you edit your task in task.json to include the placeholders that sed will use for replacement.

{
  "ipcMode": null,
  "executionRoleArn": null,
  "containerDefinitions": [
    {
      ...
      "environment": [
        {
          "name": "JWT_SECRET",
          "value": "<jwt_secret>"
        },
        {
          "name": "MONGO_PASSWORD",
          "value": "<mongo_password>"
        }
      ]
      ...
    }
  ]
}

Answer 2: (score: 0)

All repositories have a place to store their secrets; see creating and using encrypted secrets. As for editing the .json, the pre-installed jq seems like the obvious choice here, or, if you are more familiar with PowerShell (remember to adjust -Depth), maybe ng-options.
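The two approaches above (placeholder substitution from answers 1 and 2, and the ECS-native Secrets Manager / SSM references that answer 0 links to) as one added example. This is not code from the question, the answers, or the amazon-ecs-render-task-definition action; the task definition, secret values and ARNs are constructed sample data. It goes through the JSON parser instead of sed, so a secret containing `/`, `&`, quotes or backslashes cannot break the document or the sed expression, and a placeholder with no supplied value fails the run instead of deploying the literal `<jwt_secret>`.

```python
"""Inject secrets into an ECS task definition without sed.

Added example (not from the question or any answer). Two approaches:

  1. inject_placeholders: the sed answer done through the JSON parser, so
     special characters in a secret are escaped correctly and a forgotten
     placeholder raises instead of shipping "<jwt_secret>" to ECS.
  2. to_secret_refs: the ECS-native approach behind answer 0. Plaintext
     "environment" entries become "secrets" entries whose "valueFrom" is a
     Secrets Manager or SSM Parameter Store ARN, so the value never appears
     in the task definition (or the repo, or the ECS console).

All ARNs and secret values below are constructed sample data.
"""
import copy
import json
import re

PLACEHOLDER = re.compile(r"^<([a-z0-9_]+)>$")

# Constructed sample task definition, shaped like the one in answer 1.
SAMPLE_TASK_DEF = {
    "family": "hello_world",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [
        {
            "name": "api",
            "image": "api:latest",
            "environment": [
                {"name": "LOG_LEVEL", "value": "info"},
                {"name": "JWT_SECRET", "value": "<jwt_secret>"},
                {"name": "MONGO_PASSWORD", "value": "<mongo_password>"},
            ],
        }
    ],
}


def inject_placeholders(task_def, values):
    """Return a copy of task_def with <name> placeholders replaced by values[name].

    In CI the values dict would be built from the step's environment
    (os.environ), which the workflow fills from ${{ secrets.* }}.
    Raises KeyError for a placeholder with no value so the build fails.
    """
    out = copy.deepcopy(task_def)
    for container in out["containerDefinitions"]:
        for entry in container.get("environment", []):
            match = PLACEHOLDER.match(entry["value"])
            if match:
                key = match.group(1)
                if key not in values:
                    raise KeyError(f"no value supplied for placeholder <{key}>")
                entry["value"] = values[key]
    return out


def to_secret_refs(task_def, arns):
    """Move environment entries named in arns into ECS 'secrets' with valueFrom.

    arns maps an environment variable name to a Secrets Manager or SSM ARN.
    ECS resolves the value at container start using the task execution role
    (which needs secretsmanager:GetSecretValue or ssm:GetParameters on it).
    """
    out = copy.deepcopy(task_def)
    for container in out["containerDefinitions"]:
        keep, secrets = [], container.get("secrets", [])
        for entry in container.get("environment", []):
            if entry["name"] in arns:
                secrets.append({"name": entry["name"], "valueFrom": arns[entry["name"]]})
            else:
                keep.append(entry)
        container["environment"] = keep
        if secrets:
            container["secrets"] = secrets
    return out


def plaintext_values(task_def):
    """Every env value stored in plaintext, i.e. what would land in git and the ECS console."""
    return [e["value"] for c in task_def["containerDefinitions"] for e in c.get("environment", [])]


def round_trips(task_def):
    """True if the document serializes to valid JSON and parses back unchanged."""
    return json.loads(json.dumps(task_def)) == task_def


if __name__ == "__main__":
    injected = inject_placeholders(
        SAMPLE_TASK_DEF,
        {"jwt_secret": 'p@ss/word&"quoted"\\', "mongo_password": "hunter2"},
    )
    print(json.dumps(injected, indent=2))
    referenced = to_secret_refs(
        SAMPLE_TASK_DEF,
        {
            "JWT_SECRET": "arn:aws:secretsmanager:us-east-1:123456789012:secret:jwt-AbCdEf",
            "MONGO_PASSWORD": "arn:aws:ssm:us-east-1:123456789012:parameter/mongo/password",
        },
    )
    print(json.dumps(referenced, indent=2))
```

Approach 1 is only as good as the sed answer in one respect: the plaintext still ends up in the registered task definition revision, readable by anyone with ecs:DescribeTaskDefinition. Approach 2 keeps the secret out of every artifact the pipeline produces, at the cost of an execution role that may read the referenced secret or parameter.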