I have a Spring Boot web application deployed on AWS ECS and using Azure AD authentication for it. I have the Azure configuration in the application yml, stored the client-secret value in AWS Secrets Manager and referenced the secret in the task definition. I have also added the required permission to get the secret value in the policy.
I assumed that the client-secret value in the application yml would have the real value when the ECS task definition is executed, but when I test the application I get the login/error page. When I hard-code the client-secret value in the application, deploy to ECS and test the application, the authentication works.
Application.yml
spring:
  cloud:
    azure:
      active-directory:
        enabled: true
        profile:
          tenant-id: real-tenant-id
        credential:
          client-id: real-client-id
          client-secret: ${CLIENT_SECRET}
Task definition:
resource "aws_ecs_task_definition" "ecs_task" {
  family                   = "ecs-task"
  execution_role_arn       = aws_iam_role.task_iam_role.arn
  task_role_arn            = aws_iam_role.task_iam_role.arn
  requires_compatibilities = ["FARGATE"]
  container_definitions = jsonencode([{
    name  = "ecs-container"
    image = local.image_uri
    secrets = [{
      name      = "CLIENT_SECRET"
      # the question abbreviates the secret reference as secret.arn;
      # aws_secretsmanager_secret.secret is an assumed resource name
      valueFrom = "${aws_secretsmanager_secret.secret.arn}:CLIENT_SECRET::"
    }]
  }])
}
Looking for some information on why the client-secret value is not injected into the placeholder in the application yml during task execution.
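As an added example (not code from the question or the answer), here is a complete wiring of the same setup in which the value is injected through the task definition's secrets block rather than a plaintext environment entry, so it is fetched by the ECS agent at task start and never stored in the task definition itself; it also gives the execution role a policy scoped to that one secret, separate from the task role. The names azure_ad, task_execution_role, read_azure_secret and var.azure_client_secret are assumptions; task_iam_role and local.image_uri are taken from the question.

```hcl
# Added example (not the question's or answer's code): the secret stays in
# Secrets Manager and the ECS agent resolves it at task start, so it never
# appears in plaintext in the task definition. Resource names are assumed.

resource "aws_secretsmanager_secret" "azure_ad" {
  name = "example/azure-ad" # assumed name
}

# Store a JSON object so one secret can carry several keys; the json-key
# part of valueFrom below selects CLIENT_SECRET out of it.
resource "aws_secretsmanager_secret_version" "azure_ad" {
  secret_id     = aws_secretsmanager_secret.azure_ad.id
  secret_string = jsonencode({ CLIENT_SECRET = var.azure_client_secret })
}

# The execution role (not the task role) is what the ECS agent uses to fetch
# secrets, so it needs GetSecretValue scoped to exactly this secret.
data "aws_iam_policy_document" "read_azure_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.azure_ad.arn]
  }
}

resource "aws_iam_role_policy" "read_azure_secret" {
  role   = aws_iam_role.task_execution_role.id # assumed role resource
  policy = data.aws_iam_policy_document.read_azure_secret.json
}

resource "aws_ecs_task_definition" "ecs_task" {
  family                   = "ecs-task"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  execution_role_arn       = aws_iam_role.task_execution_role.arn
  task_role_arn            = aws_iam_role.task_iam_role.arn

  container_definitions = jsonencode([{
    name  = "ecs-container"
    image = local.image_uri
    # valueFrom for a JSON key: <secret ARN>:<json-key>:<version-stage>:<version-id>;
    # leaving the last two empty selects the AWSCURRENT version.
    secrets = [{
      name      = "CLIENT_SECRET"
      valueFrom = "${aws_secretsmanager_secret.azure_ad.arn}:CLIENT_SECRET::"
    }]
  }])
}
```

If the secret were stored as a plain string rather than JSON, the valueFrom would be the bare secret ARN with no json-key suffix; a mismatch between the two is a common reason the container starts with an empty CLIENT_SECRET.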
I think you can pass the value of CLIENT_SECRET using the environment section in container_definitions like this