Secrets Management


The built in access to KMS and SSM make it possible to store application variables inside SSM. KMS is used to encrypt or decrypt the variables stored inside SSM.

Chamber can be used inside Docker to retrieve the values from SSM and expose them as ENV vars to the application

A modified CMD inside a Dockerfile which would normally runs will now first run chamber. And Chamber will exec and replace it's own PID doing so.

FROM example
CMD exec chamber exec application/servicename --

Creating secrets for chamber

Outside of the ECS Module you can create the secrets stored inside SSM.

resource "aws_ssm_parameter" "environment" {
  name   = "/application/servicename/environment"
  type   = "SecureString"
  key_id = "ARN of the KMS"
  value  = "production"