Storing Amazon ECS container instance configuration in Amazon S3 - Amazon Elastic Container Service

Storing Amazon ECS container instance configuration in Amazon S3

Amazon ECS container agent configuration is controlled with the environment variable. Linux variants of the Amazon ECS-optimized AMI look for these variables in /etc/ecs/ecs.config when the container agent starts and configure the agent accordingly. Certain innocuous environment variables, such as ECS_CLUSTER, can be passed to the container instance at launch through Amazon EC2 user data and written to this file without consequence. However, other sensitive information, such as your AWS credentials or the ECS_ENGINE_AUTH_DATA variable, should never be passed to an instance in user data or written to /etc/ecs/ecs.config in a way that would allow them to show up in a .bash_history file.

Storing configuration information in a private bucket in Amazon S3 and granting read-only access to your container instance IAM role is a secure and convenient way to allow container instance configuration at launch. You can store a copy of your ecs.config file in a private bucket. You can then use Amazon EC2 user data to install the AWS CLI and copy your configuration information to /etc/ecs/ecs.config when the instance launches.

To store an ecs.config file in Amazon S3
  1. You must grant the container instance role (ecsInstanceRole) permissions to have read only access to Amazon S3. You can do this by assigning the AmazonS3ReadOnlyAccess to the ecsInstanceRole role. For information about how to attach a policy to a role, see Modifying a role permissions policy (console) in the AWS Identity and Access Management User Guide

  2. Create an ecs.config file with valid Amazon ECS agent configuration variables using the following format. This example configures private registry authentication. For more information, see Using non-AWS container images in Amazon ECS.

    ECS_ENGINE_AUTH_TYPE=dockercfg ECS_ENGINE_AUTH_DATA={"https://index.docker.io/v1/":{"auth":"zq212MzEXAMPLE7o6T25Dk0i","email":"email@example.com"}}
    Note

    For a full list of available Amazon ECS agent configuration variables, see Amazon ECS Container Agent on GitHub.

  3. To store your configuration file, create a private bucket in Amazon S3. For more information, see Create a Bucket in the Amazon Simple Storage Service User Guide.

  4. Upload the ecs.config file to your S3 bucket. For more information, see Add an Object to a Bucket in the Amazon Simple Storage Service User Guide.

To load an ecs.config file from Amazon S3 at launch
  1. Complete the earlier procedures in this section to allow read-only Amazon S3 access to your container instances and store an ecs.config file in a private S3 bucket.

  2. Launch new container instances and use the following example script in the EC2 User data. The script installs the AWS CLI and copies your configuration file to /etc/ecs/ecs.config. For more information, see Launching an Amazon ECS Linux container instance.

    #!/bin/bash yum install -y aws-cli aws s3 cp s3://your_bucket_name/ecs.config /etc/ecs/ecs.config