
2 posts tagged with "aws"


AWS ECS execute-command vs Kubernetes kubectl

The ability to run commands inside a running ECS task was one of the most requested ECS features. Yet the implementation AWS shipped is poor compared with alternatives such as Kubernetes.

Some of the key problems:

1. AWS ECS execute-command requires an SSM agent on the host instance

For each kind of environment you have to work out how to get it installed and enabled:

  • On an EC2 instance you manage yourself, you install it yourself
  • On an instance managed by ECS, you have to look up an attribute to configure it
  • To show how bad this is, AWS publishes a script (amazon-ecs-exec-checker) just to check whether everything is configured properly
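The two task-level conditions that the official checker verifies can be read straight out of `aws ecs describe-tasks` output: the task must have `enableExecuteCommand` set, and the target container must report the `ExecuteCommandAgent` managed agent as `RUNNING`. The following is an added example in Python, not code from the original post or from AWS; the field names are those of the DescribeTasks API response, and the sample document is constructed for illustration. It does not cover cluster logging settings or task-role permissions, which the official script also checks.

```python
"""Check whether an ECS task is ready for `aws ecs execute-command`.

Added example (not from the original post). Parses `aws ecs describe-tasks`
JSON: ECS Exec needs `enableExecuteCommand` true on the task and the
`ExecuteCommandAgent` managed agent RUNNING in the target container.
"""
import json


def exec_readiness(describe_tasks_json: str, container: str) -> dict:
    """Return {"ready": bool, "problems": [...]} for one container of the first task."""
    doc = json.loads(describe_tasks_json)
    problems = []
    tasks = doc.get("tasks", [])
    if not tasks:
        reasons = [f.get("reason") for f in doc.get("failures", [])]
        return {"ready": False, "problems": [f"task not found (failures: {reasons})"]}
    task = tasks[0]
    if not task.get("enableExecuteCommand"):
        problems.append("enableExecuteCommand is false; redeploy the service/task with --enable-execute-command")
    matches = [c for c in task.get("containers", []) if c.get("name") == container]
    if not matches:
        problems.append(f"container {container!r} is not part of the task")
    else:
        agents = {a.get("name"): a.get("lastStatus") for a in matches[0].get("managedAgents", [])}
        status = agents.get("ExecuteCommandAgent")
        if status != "RUNNING":
            problems.append(f"ExecuteCommandAgent status is {status!r}, expected 'RUNNING'")
    return {"ready": not problems, "problems": problems}


# Constructed sample (not real API output): Exec is enabled, but the agent is still starting.
SAMPLE_DESCRIBE_TASKS = json.dumps({
    "tasks": [{
        "taskArn": "arn:aws:ecs:us-east-1:123456789012:task/demo/0123456789abcdef",
        "enableExecuteCommand": True,
        "containers": [{
            "name": "app",
            "managedAgents": [{"name": "ExecuteCommandAgent", "lastStatus": "PENDING"}],
        }],
    }],
    "failures": [],
})

if __name__ == "__main__":
    import sys
    # Usage: aws ecs describe-tasks --cluster C --tasks T | python check_exec.py app
    target = sys.argv[1] if len(sys.argv) > 1 else "app"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_TASKS
    print(json.dumps(exec_readiness(data, target), indent=2))
```

Run it against a real task by piping `describe-tasks` output in; with no input it reports on the constructed sample, where the only problem is the agent still being `PENDING`.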

2. aws ecs execute-command doesn't propagate the exit code properly

Every Unix tool in this category does (kubectl exec, ssh, docker exec, and so on). Not doing so adds complexity to how we interact with the CLI, particularly when building automation on top of it: an error in the remote execution is returned as success to the calling process. The invocation only fails when aws ecs execute-command itself fails to run.

3. AWS ECS doesn't use -- to separate flags from the command and its arguments

The command has to be passed to --command as a single bare string rather than as an argument list, so anything that uses shell operators such as | or ; has to be wrapped in a shell invocation and quoted by hand.
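Problems 2 and 3 are usually worked around in a wrapper. The following is an added example in Python, not code from the original post or from AWS. It builds the --command string from an argument list with shlex.join (so the caller never hand-quotes | or ;), and wraps the remote command in sh -c '...; echo MARKER=$?' so the remote exit status can be parsed back out of the session output, because execute-command exits 0 even when the remote command failed. The marker name is an assumption of this example, as is that the session output arrives on stdout (the session-manager-plugin must be installed); run_locally runs the exact same string through a local sh so the quoting can be checked without an ECS task.

```python
"""Wrapper around `aws ecs execute-command` that takes an argv list and
recovers the remote exit status. Added example, not from the original post.
"""
from __future__ import annotations

import re
import shlex
import subprocess

EXIT_MARKER = "__ECS_EXEC_RC__"   # assumed sentinel; anything the command itself won't print
# Requires digits after '=', so a tty echo of the literal command ("...=$?") cannot match.
_MARKER_RE = re.compile(rf"{EXIT_MARKER}=(\d+)")


def build_remote_command(argv: list[str]) -> str:
    """Turn ['sh', '-c', 'ls | wc -l'] into one string that is safe for --command."""
    inner = shlex.join(argv)                      # shell-quotes every argument
    # The marker carries the status of `inner`; ECS only reports whether the session ran.
    return f"sh -c {shlex.quote(f'{inner}; echo {EXIT_MARKER}=$?')}"


def parse_exit_status(session_output: str) -> int:
    """Extract the remote status; 255 if the marker never appeared (session died early)."""
    found = _MARKER_RE.findall(session_output)
    return int(found[-1]) if found else 255


def ecs_exec(cluster: str, task: str, container: str, argv: list[str]) -> int:
    """Run argv inside the container and return ITS exit status, not the CLI's."""
    cmd = ["aws", "ecs", "execute-command", "--cluster", cluster, "--task", task,
           "--container", container, "--interactive", "--command", build_remote_command(argv)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:      # the CLI itself failed: no agent, no permission, plugin missing
        return proc.returncode
    return parse_exit_status(proc.stdout)


def run_locally(argv: list[str]) -> int:
    """Self-check: run the exact --command string through a local sh and parse the marker."""
    proc = subprocess.run(build_remote_command(argv), shell=True, capture_output=True, text=True)
    return parse_exit_status(proc.stdout)


if __name__ == "__main__":
    # Pipes inside an argument are data, not syntax; the operator only takes effect via sh -c.
    print(run_locally(["printf", "%s\n", "a | b ; c"]))          # 0
    print(run_locally(["sh", "-c", "echo hi | grep -q nomatch"]))  # 1
```

In automation, call ecs_exec and branch on its return value exactly as you would on kubectl exec; a 255 means the session ended before the command reported back and should be treated as a failure, not retried blindly.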

Alternatives

If we look at Kubernetes' kubectl, none of these problems exist. kubectl exec follows basic Unix principles more closely:

  • It propagates the exit code, like every other tool in this category
  • It needs no extra dependency to execute commands remotely in the container
  • It uses -- to separate its own flags from the command and its arguments

The same is true for ssh, docker, and others. Let's hope AWS catches up with these features soon.

Append keys to existing Secret in AWS Secrets Manager

The update-secret operation in AWS Secrets Manager replaces the whole secret value with whatever is passed in --secret-string, so for a JSON secret every existing key is dropped.

But sometimes we want to add a few extra keys without replacing the values already present in the secret.

This post shows how to use bash and jq to add keys to a secret without replacing its existing values.

What you need

  • jq installed
  • the AWS CLI configured with credentials that allow secretsmanager:ListSecrets, secretsmanager:GetSecretValue and secretsmanager:UpdateSecret on the target secrets

1. Prepare the list of secrets you want to add the new keys to

This command writes one secret ARN per line to a file named all-secrets. Run it, then edit the file so that it lists only the secrets you want to add the new keys to.

# Create the `all-secrets` file, one ARN per line
aws secretsmanager list-secrets | jq -r '.SecretList[].ARN' > all-secrets

2. Store the new keys in a JSON file named new-keys.json

The values below are the example credentials from the AWS documentation; replace them with your own.

echo '
{
"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
"AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}' > new-keys.json

3. Run the script

The script uses the all-secrets and new-keys.json files created in steps 1 and 2. Note that current-keys.json and merge.json hold the secret values in plaintext, so run it in a directory only you can read and remove the files afterwards.

set -euo pipefail
while read -r secret; do
  # Save the current value; fails (and stops the loop) if SecretString is not a JSON object
  aws secretsmanager get-secret-value --secret-id "$secret" | \
    jq -c '.SecretString | fromjson' > current-keys.json
  # Recursive merge; a key present in both files takes the value from new-keys.json
  jq -s '.[0] * .[1]' current-keys.json new-keys.json > merge.json
  aws secretsmanager update-secret --secret-id "$secret" \
    --secret-string file://merge.json > updated
done < all-secrets
# The temporary files contain secret values in plaintext
rm -f current-keys.json merge.json updated

For each line in the all-secrets file, the script:

  • Gets the current secret value and saves it to the current-keys.json file
  • Merges current-keys.json and new-keys.json into merge.json; jq's * is a recursive merge in which the right-hand file wins, so a key that already exists in the secret is overwritten by the value from new-keys.json (swap the order to .[1] * .[0] if existing values should win)
  • Updates the secret value with the contents of merge.json as the secret-string
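The same read-merge-write flow, as an added example in Python rather than the post's bash script, with the three checks a practitioner would want: it refuses secrets whose value is not a JSON object (a bare password, or a binary secret), it makes the conflict policy explicit (keep existing values, or overwrite them as the jq version does) and reports which keys already existed, and it keeps the plaintext in memory instead of writing intermediate files. The merge logic uses only the standard library; boto3 is assumed to be installed and credentials configured for the live path, and the sample secret value is constructed.

```python
"""Append keys to JSON secrets in AWS Secrets Manager without dropping the
existing ones. Added example, not the original post's script.
"""
from __future__ import annotations

import json


class NotAJsonObject(ValueError):
    """The secret's value is not a JSON object, so there are no keys to merge into."""


def merge_secret(current_secret_string: str | None, new_keys: dict,
                 on_conflict: str = "keep") -> tuple[str, list[str]]:
    """Return (merged SecretString, sorted list of keys that were already present)."""
    if current_secret_string is None:
        raise NotAJsonObject("secret has no SecretString (binary secret?)")
    try:
        current = json.loads(current_secret_string)
    except json.JSONDecodeError as exc:
        raise NotAJsonObject(f"secret value is not JSON: {exc}") from exc
    if not isinstance(current, dict):
        raise NotAJsonObject(f"secret value is JSON but not an object ({type(current).__name__})")
    conflicts = sorted(set(current) & set(new_keys))
    if on_conflict == "keep":
        merged = {**new_keys, **current}      # existing values win on a shared key
    elif on_conflict == "overwrite":
        merged = {**current, **new_keys}      # new values win, like jq's '.[0] * .[1]'
    else:
        raise ValueError("on_conflict must be 'keep' or 'overwrite'")
    return json.dumps(merged, sort_keys=True, separators=(",", ":")), conflicts


def append_keys(secret_ids: list[str], new_keys: dict, on_conflict: str = "keep",
                dry_run: bool = True) -> dict[str, list[str]]:
    """Apply merge_secret to each secret; returns {secret_id: keys that already existed}.
    Plaintext never touches disk: the merged value goes straight to update_secret."""
    import boto3  # assumed available; imported here so the merge logic works without it
    client = boto3.client("secretsmanager")
    report = {}
    for sid in secret_ids:
        current = client.get_secret_value(SecretId=sid).get("SecretString")
        merged, conflicts = merge_secret(current, new_keys, on_conflict)
        report[sid] = conflicts
        if not dry_run:
            # Not atomic: a concurrent writer between get and update would be overwritten.
            client.update_secret(SecretId=sid, SecretString=merged)
    return report


# Constructed sample: the secret already holds one of the keys we are about to add.
SAMPLE_CURRENT = '{"DB_PASSWORD":"hunter2","AWS_ACCESS_KEY_ID":"AKIAOLDKEYEXAMPLE"}'
SAMPLE_NEW = {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
              "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}

if __name__ == "__main__":
    merged, conflicts = merge_secret(SAMPLE_CURRENT, SAMPLE_NEW, on_conflict="keep")
    print(merged)
    print("already present:", conflicts)
```

Run append_keys with dry_run=True first: it performs only reads and returns, per secret, the keys that would collide, so you can decide whether "keep" or "overwrite" is the right policy before any version is written.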