continue ecs docs

This commit is contained in:
Maidul Islam
2024-02-08 20:29:38 -05:00
parent 44f087991c
commit 50c0fae557
2 changed files with 76 additions and 27 deletions

Binary file not shown.

@ -3,31 +3,46 @@ title: 'Amazon ECS'
description: "How to deliver secrets to Amazon Elastic Container Service"
---
![title](../../images/k8-diagram.png)
![ecs diagram](/images/guides/agent-with-ecs/ecs-diagram.png)
This guide will go over the steps needed to configure an Amazon Elastic Container Service (ECS) task definition to access secrets stored in Infisical.
At a high level, the steps involve setting up an ECS task with a Infisical Agent sidecar container. This container uses Universal Authentication to communicate with the target Infisical instance for fetching secrets.
Once the secrets/access tokens are retrieved, they are then stored in a shared Amazon Elastic File System (EFS) volume. This volume is then made accessible to your application container and all of its replicas.
At a high level, the steps involve setting up an ECS task with a [Infisical Agent](/) sidecar container. This sidecar container uses Universal Auth to communicate with Infisical to fetch secrets/access tokens.
Once the secrets/access tokens are retrieved, they are then stored in a shared Amazon Elastic File System (EFS) volume. This volume is then made accessible to your application and all of its replicas.
This guide will focus on integrating Infisical Cloud with Amazon ECS on AWS Fargate and Amazon EFS.
However, the principles and steps can be adapted for use with any instance of Infisical (on premise or cloud) and different ECS configurations, such as Amazon ECS on EC2 instances.
This guide primarily focuses on integrating Infisical Cloud with Amazon ECS on AWS Fargate and Amazon EFS.
However, the principles and steps can be adapted for use with any instance of Infisical (on premise or cloud) and different ECS configurations.
## Prerequisites
This guide requires the following prerequisites:
- Infisical instance configured and running
- Infisical account
- Git installed
- Terraform v1.0 or later installed
- Access to AWS credentials
- Understanding of [Infisical Agent](/)
## What we will deploy
For the purpose of this demonstration, we will deploy [File Browser](https://github.com/filebrowser/filebrowser) to our ECS cluster.
This will enable us to easily confirm that the Infisical agent is indeed depositing the credentials into the specified volume accessible to file browser deployed.
Of course, in production the volumes where your secrets reside should never be exposed to the public.
## Configure Authentication with Infisical
In order for the Infisical agent to fetch credentials from Infisical, we'll first need to authenticate with Infisical.
While Infisical supports various authentication methods, this guide focuses on using Universal Auth to authenticate the agent with Infisical.
Follow the documentation to configure and generate a client id and client secret with Universal auth [here](/documentation/platform/identities/universal-auth).
Make sure to save these credentials somewhere handy because you'll need them soon.
## Clone guide assets repository
To help you follow along with ease, please clone the guide assets from this [Github repository](https://github.com/Infisical/infisical-guides.git).
This repository contains assets for all Infisical guides. The content for this guide can be within a sub directory.
Specifically, change your working directory to `aws-ecs-with-agent`.
To help you quickly deploy the example application, please clone the guide assets from this [Github repository](https://github.com/Infisical/infisical-guides.git).
This repository contains assets for all Infisical guides. The content for this guide can be within a sub directory called `aws-ecs-with-agent`.
The guide will assume that `aws-ecs-with-agent` is your working directory going forward.
## Configure AWS credentials
Because we'll be creating AWS recourses through Terraform, you will need to obtain a set of AWS Access Key and Secret Key.
Once you generated these credentials, export them to your terminal.
Because we'll be deploying the example application to AWS via Terraform, you will need to obtain a set of `AWS Access Key` and `Secret Key`.
Once you have generated these credentials, export them to your terminal.
1. Export the AWS Access Key ID:
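Review bot: the two `[Infisical Agent](/)` links in the added overview paragraph and in the Prerequisites list point at the site root `/` rather than the agent documentation page; fill in the real path before merging, otherwise the reader lands on the docs home. In the same overview sentence, "a Infisical Agent sidecar container" should read "an Infisical Agent sidecar container". In "Clone guide assets repository", "The content for this guide can be within a sub directory called `aws-ecs-with-agent`" is missing a word; suggest "can be found within a subdirectory called `aws-ecs-with-agent`". In "Configure Authentication with Infisical", the client secret produced by Universal Auth is a long-lived credential for the machine identity, so rather than "save these credentials somewhere handy" the page should tell the reader to keep the client id and client secret out of the cloned repository and shell history, the same caution that applies to the AWS access key and secret key the next section has them export into the terminal.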
@ -47,9 +62,55 @@ Once you generated these credentials, export them to your terminal.
export AWS_SESSION_TOKEN=<your AWS session token>
```
## Set up infrastructure
## Deploy example application
Before we can deploy our full application and its related infrastructure with Terraform, we'll need to make a few changes.
Mainly, we'll need to configure our Infisical agent config file.
### Infisical agent configuration
The agent config file defines what authentication method to use when connecting with Infisical along with where the fetched secrets/access tokens should be saved to.
Since the Infisical agent will be deployed as a sidecar, the agent configuration file and any secret template files need to be encoded in base64. This makes it easier to pass them into Terraform.
#### Secret template file
```secrets.template
{{- with secret "62fd92aa8b63973fee23dec7" "dev" "/" }}
{{- range . }}
{{ .Key }}={{ .Value }}
{{- end }}
{{- end }}
```
Next we need encode this template file in `base64` so that it can be consumed by _____.
```bash
cat secrets.template | base64
e3stIHdpdGggc2VjcmV0ICI2MmZkOTJhYThiNjM5NzNmZWUyM2RlYzciICJkZXYiICIvIiB9fQp7ey0gcmFuZ2UgLiB9fQp7eyAuS2V5IH19PXt7IC5WYWx1ZSB9fQp7ey0gZW5kIH19Cnt7LSBlbmQgfX0=
```
#### Agent config file
Finally, we'll define the main agent config. This configuration file
```yaml agent-config.yaml
infisical:
address: "https://app.infisical.com"
exit-after-auth: true
auth:
type: "universal-auth"
config:
remove_client_secret_on_read: false
sinks:
- type: "file"
config:
path: "/infisical-agent/access-token"
templates:
- base64-template-content: e3stIHdpdGggc2VjcmV0ICI2MmZkOTJhYThiNjM5NzNmZWUyM2RlYzciICJkZXYiICIvIiB9fQp7ey0gcmFuZ2UgLiB9fQp7eyAuS2V5IH19PXt7IC5WYWx1ZSB9fQp7ey0gZW5kIH19Cnt7LSBlbmQgfX0=
destination-path: /infisical-agent/.env
```
Before we can deploy a sample service on Amazon ECS to demonstrate how you deliver secrets from Infisical, you must first provision baseline infrastructure components.
The following resources need to be created:
- AWS ECS Cluster with Fargate as launch type
- EFS volume
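Review bot: the sentence "so that it can be consumed by _____." under "Secret template file" still has its blank unfilled, and "Finally, we'll define the main agent config. This configuration file" under "Agent config file" stops mid-sentence; both need finishing before this ships (the first presumably refers to the `base64-template-content` field of the `agent-config.yaml` shown just below). The `cat secrets.template | base64` example shows a single-line result, but GNU coreutils `base64` wraps its output at 76 columns by default, so readers on Linux will get embedded newlines that break the YAML value; suggest `base64 -w 0 secrets.template` (or `base64 | tr -d '\n'` where `-w` is unavailable). The template hard-codes the project id `62fd92aa8b63973fee23dec7` and the environment `dev`; state explicitly that the reader must substitute their own project id and environment slug and then regenerate the encoded string, otherwise the pasted base64 value in `agent-config.yaml` silently points at the wrong project. Finally, `remove_client_secret_on_read: false` deserves one explanatory sentence: with it set to `false` the client secret file is left in place after the agent has read it, so the reader should understand that a long-lived credential remains on disk alongside the access token and `.env` file that the `file` sink and template write to `/infisical-agent/`, a directory this guide goes on to expose through File Browser.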
@ -57,7 +118,7 @@ The following resources need to be created:
Instead of creating these resources one by one, we'll use the Terraform template in the guide folder to provision all resources at once.
1. Change directory to `terraform`
1. Make sure your current directory is set to `aws-ecs-with-agent`. Once there, change your directory to `terraform`
```sh
cd terraform
```
@ -75,16 +136,4 @@ terraform plan
4. Trigger resource creation
```
terraform apply
```
## Configure Authentication with Infisical
In order to communicate with Infisical from our ECS application, we'll need to first authenticate with Infisical.
There are a number of methods to authenticate with Infisical; however, in this guide we'll be using Universal Auth to authenticate.
Follow the documentation to here to configure and generate a client id and client secret with Universal auth here.
Make sure to save these credentials somewhere handy because we'll need them soon.
## Setup sample application
** diagram **
```
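Review bot: the fence around `terraform apply` carries no language tag while the `cd terraform` block in the previous hunk uses `sh`; tag it `sh` so the two render consistently. If the trailing "Configure Authentication with Infisical" section and the `** diagram **` placeholder under "Setup sample application" are the lines being removed here, that is the right call, since the authentication section now lives earlier in the page; if any of them survive this change, the sentence "Follow the documentation to here to configure and generate a client id and client secret with Universal auth here." needs rewriting with an actual link, and the diagram placeholder needs the image (`ecs-diagram.png` is already referenced at the top of the page).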