amazon-web-services - Secrets stripped from an AWS ECS task definition
Problem description
I am using GitHub Actions to deploy an ECS task definition to my cluster. I ran into this odd problem where the secrets in the task definition are stripped out. I am not sure what is happening, or whether the problem is on the ECS side or the GitHub side, but I assume it is on the ECS side because when I manually create a new task definition or revision through the dashboard using the JSON option, I include the secrets in the task definition and they are stripped out. I then have to go into the container through the UI and add all the secrets by hand, which seems to work.
When creating a task definition via the JSON option in the UI, is there a feature that strips the secrets from the definition? If so, is there a way to stop this from happening? Below is an example of my task definition using Parameter Store:
{
  "ipcMode": null,
  "executionRoleArn": "myrole",
  "containerDefinitions": [
    {
      "dnsSearchDomains": null,
      "logConfiguration": {
        "logDriver": "awslogs",
        "secretOptions": null,
        "options": {
          "awslogs-group": "mylogGroup",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "entryPoint": null,
      "portMappings": [
        {
          "hostPort": 80,
          "protocol": "tcp",
          "containerPort": 80
        },
        {
          "hostPort": 443,
          "protocol": "tcp",
          "containerPort": 443
        }
      ],
      "secrets": [
        {
          "name": "myParamName",
          "valueFrom": "arn:aws:ssm:us-east-1:<myId>:parameter/pathToMyParam"
        },
        {
          "name": "myOtherParamName",
          "valueFrom": "arn:aws:ssm:us-east-1:<myId>:parameter/pathToMyOtherParam"
        }
      ],
      "command": null,
      "linuxParameters": null,
      "cpu": 0,
      "resourceRequirements": null,
      "ulimits": null,
      "dnsServers": null,
      "mountPoints": [],
      "workingDirectory": null,
      "secrets": null,
      "dockerSecurityOptions": null,
      "memory": null,
      "memoryReservation": null,
      "volumesFrom": [],
      "stopTimeout": null,
      "image": "<myImagePath>",
      "startTimeout": null,
      "firelensConfiguration": null,
      "dependsOn": null,
      "disableNetworking": null,
      "interactive": null,
      "healthCheck": null,
      "essential": true,
      "links": null,
      "hostname": null,
      "extraHosts": null,
      "pseudoTerminal": null,
      "user": null,
      "readonlyRootFilesystem": null,
      "dockerLabels": null,
      "systemControls": null,
      "privileged": null,
      "name": "myContainer"
    }
  ],
  "placementConstraints": [],
  "memory": "1024",
  "taskRoleArn": "<myRolePath>",
  "family": "myTask",
  "pidMode": null,
  "requiresCompatibilities": ["FARGATE"],
  "networkMode": "awsvpc",
  "cpu": "512",
  "inferenceAccelerators": null,
  "proxyConfiguration": null,
  "volumes": []
}