Open wjimenez5271 opened 7 years ago
Can you change the base docker image to something that will allow _FILE syntax on environment variables?
@ebobwright I'm not familiar with this syntax, can you elaborate?
In the entrypoint you read the content of the files to set variables: https://github.com/docker-library/mysql/blob/e207dbbdfd5c95e4b51bdc2dae62c5f72a1dd908/8.0/docker-entrypoint.sh#L21 It was set up by Docker.
If they are passed as Rancher secrets though, you could use giddyup to override the entrypoint and read all the secrets and create env vars.
It is described here: http://rancher.com/docs/rancher/latest/en/cattle/secrets/ under the section "DOCKER HUB IMAGES"
I've seen other images utilize this as well, such as the mysql docker image: https://hub.docker.com/_/mysql/
It is implemented in their entrypoint script: https://github.com/docker-library/mysql/blob/master/8.0/docker-entrypoint.sh
Then we could create Rancher secrets with our AWS key and secret and add env variables like this:

    environment:
      AUTO_CREATE: 'true'
      AWS_ACCESS_KEY_ID_FILE: /run/secrets/aws-ecr-accesskey
      AWS_REGION: us-west-2
      AWS_SECRET_ACCESS_KEY_FILE: /run/secrets/aws-ecr-secretkey
      LOG_LEVEL: INFO
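The VAR / VAR_FILE convention the mysql entrypoint uses, written out here as an added example in POSIX sh (this is not the project's or mysql's own script); the function name file_env follows that script's convention, demo_read_secret and the secret value are constructed for the demo:

```shell
#!/bin/sh
# Added example, not the project's or mysql's own entrypoint: a POSIX-sh
# implementation of the VAR / VAR_FILE convention discussed above.
# file_env VAR [DEFAULT] exports VAR from $VAR, else from the file named
# by $VAR_FILE, else DEFAULT. Setting both VAR and VAR_FILE is an error,
# so a plaintext value cannot silently shadow the secret file.
file_env() {
    var="$1"
    def="${2:-}"
    fvar="${var}_FILE"
    eval "val=\${$var:-}"
    eval "fval=\${$fvar:-}"
    if [ -n "$val" ] && [ -n "$fval" ]; then
        echo "error: both $var and $fvar are set (but are exclusive)" >&2
        return 1
    fi
    if [ -n "$fval" ]; then
        if [ ! -r "$fval" ]; then
            echo "error: $fvar points to an unreadable file: $fval" >&2
            return 1
        fi
        # Command substitution strips the trailing newline a secret file usually has
        val="$(cat "$fval")"
    elif [ -z "$val" ]; then
        val="$def"
    fi
    export "$var=$val"
    # Drop the *_FILE path so the application only ever sees the real variable
    unset "$fvar"
    unset var def fvar val fval
}

# demo_read_secret writes a constructed secret to a temp file (standing in for
# /run/secrets/aws-ecr-secretkey), resolves it, and prints the resulting value.
demo_read_secret() {
    unset AWS_SECRET_ACCESS_KEY
    tmp="$(mktemp)"
    printf 'constructed-secret-value\n' > "$tmp"
    AWS_SECRET_ACCESS_KEY_FILE="$tmp"
    export AWS_SECRET_ACCESS_KEY_FILE
    file_env AWS_SECRET_ACCESS_KEY
    rm -f "$tmp"
    printf '%s' "$AWS_SECRET_ACCESS_KEY"
}
```

Calling file_env once per variable at the top of the entrypoint, before exec'ing the real process, is what makes the AWS_ACCESS_KEY_ID_FILE / AWS_SECRET_ACCESS_KEY_FILE settings above work without the secret ever appearing in the compose file.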
Sorry for dragging this back up. I don't think you need to make any changes. https://docs.aws.amazon.com/cli/latest/userguide/cli-environment.html I was able to get this working using AWS_SHARED_CREDENTIALS_FILE.
Cool, did you just create a secret with the file contents?
Yes, exactly. I used a secret formatted like this:

    [default]
    aws_access_key_id = ACCESS_KEY
    aws_secret_access_key = SECRET_KEY
Then I set the value of AWS_SHARED_CREDENTIALS_FILE to /run/secrets/my-secret-name
A more secure alternative to passing the AWS credentials into the services as environment variables.