Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Batch] Add "Secrets" properties in interface JobDefinitionContainer #10976

Closed
2 tasks
Cloudrage opened this issue Oct 20, 2020 · 6 comments · Fixed by #20871
Closed
2 tasks

[Batch] Add "Secrets" properties in interface JobDefinitionContainer #10976

Cloudrage opened this issue Oct 20, 2020 · 6 comments · Fixed by #20871
Labels
@aws-cdk/aws-batch Related to AWS Batch effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1

Comments

@Cloudrage
Copy link

Use Case

Need to pass Secrets to a Batch Job with CDK Batch Construct.
Not available yet :
https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-batch.JobDefinitionContainer.html

Proposed Solution

Like with CloudFormation, it'll be interesting to add "Secrets" propertie to the CDK Batch Construct :
https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-batch.CfnJobDefinition.ContainerPropertiesProperty.html#secrets

Other

https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-batch.CfnJobDefinition.SecretProperty.html

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request
@Cloudrage Cloudrage added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 20, 2020
@github-actions github-actions bot added the @aws-cdk/aws-batch Related to AWS Batch label Oct 20, 2020
@iliapolo iliapolo added effort/medium Medium work item – several days of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Oct 20, 2020
@iliapolo
Copy link
Contributor

@Cloudrage Thanks for this. Added.

Just making sure you are aware of escape hatches to unblock yourself in the meantime.

@Cloudrage
Copy link
Author

Yep, it's what I'm doing when pasting links about that workaround previously; thanks !

Also, maybe think about an "addSecrets" Method for the Batch Job.

@daniel-j-h
Copy link

The workaround I came up with looks something like this

// Secrets are not yet supported in the high-level JobDefinition
//  - https://github.com/aws/aws-cdk/issues/10976
//  - https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-batch.CfnJobDefinition.ContainerPropertiesProperty.html#secrets
const cfnJobDef = jobDef.node.defaultChild as CfnJobDefinition;
const cfnContainerProps = cfnJobDef.containerProperties as CfnJobDefinition.ContainerPropertiesProperty;

(cfnContainerProps as any).secrets = [  // cast to any needed because .secrets property is readonly
  { name: "MY_SECRET", valueFrom: mySecretArn },
];

in case folks are stumbling over this issue.

@iliapolo iliapolo removed their assignment Jun 27, 2021
@hughack
Copy link

hughack commented Feb 4, 2022
edited
Loading

For anyone else struggling to figure it out, the equivalent for Python is:

my_job_definition.node.default_child.add_property_override("ContainerProperties.Secrets", [
    {
        "Name": "SOME_ENV_VAR",
        "ValueFrom": f"{my_secret.secret_arn}:some_key::"
    }
])

In my case my_secret obtained using:

my_secret = secrets_manager.Secret.from_secret_name_v2(
    self,
    "MySecret",
    "secret-name-in-secret-manager"
)

And the secret itself being a json object, where i only want some_key to be used in SOME_ENV_VAR.

@AndreyMarchuk
Copy link

JobDefinitionContainer would require defined execution_role when using Secrets Manager

Python

  1. Create execution role
batch_execution_role = iam.Role(self, "batchExecRole", 
                assumed_by=iam.ServicePrincipal('ecs-tasks.amazonaws.com'), 
                managed_policies=[iam.ManagedPolicy.from_aws_managed_policy_name('service-role/AmazonECSTaskExecutionRolePolicy')])

  1. Set on execution_role=batch_execution_role on JobDefinitionContainer level

  2. Grant secret read permissions

my_secret.grant_read(batch_execution_role)

@yoshizawa56 yoshizawa56 mentioned this issue Mar 22, 2022
Closed
@yoshizawa56 yoshizawa56 mentioned this issue Jun 25, 2022
Merged
4 tasks
@mergify mergify bot closed this as completed in #20871 Jul 5, 2022
mergify bot pushed a commit that referenced this issue Jul 5, 2022
@yoshizawa56
feat(batch): add secrets props to job definition (#20871)
9b1051f 
Add a secrets property to batch.JobDefinitionContainer. This interface is almost the same as ecs.ContainerDefinitionOptions.

This is reopen PR of #19506

closes #10976

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions
Copy link

github-actions bot commented Jul 5, 2022

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

daschaa pushed a commit to daschaa/aws-cdk that referenced this issue Jul 9, 2022
@yoshizawa56 @daschaa
feat(batch): add secrets props to job definition (aws#20871)
3c26443 
Add a secrets property to batch.JobDefinitionContainer. This interface is almost the same as ecs.ContainerDefinitionOptions.

This is reopen PR of aws#19506

closes aws#10976

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-batch Related to AWS Batch effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1
Projects
None yet
Milestone
No milestone
5 participants
@daniel-j-h @iliapolo @AndreyMarchuk @Cloudrage @hughack