Whether defined as secrets in the Drone repo settings or via Amazon secrets, no secrets are able to be populated into my ECS config.
I have verified that the AWS secrets are accessible via the CLI, so this really points to either secrets not being passed to plugins as the docs state, or an issue with the plugin itself. But whether specified as $MY_SECRET, $$MY_SECRET, ${MY_SECRET} or $${MY_SECRET} as part of the environment_variables array, or, as appears to be the preferred method, via the secret_environment_variables array, keys show up in the task definition, but no values.
.drone.yml

kind: pipeline
name: staging-backend

workspace:
  base: /home
  path: app

trigger:
  branch:
    - master
  event:
    - push

steps:
  - name: Deploy to ECS
    image: peloton/drone-ecs
    settings:
      region: us-east-1
      family: ui-backend-dev
      service: ui-backend-dev
      cluster: ui-backend-dev
      container_name: ui-backend-dev
      tag: latest
      task_role_arn: arn:aws:iam::xxx:role/ecsTaskExecutionRole
      task_execution_role_arn: arn:aws:iam::xxx:role/ecsTaskExecutionRole
      service_network_subnets:
        - subnet-xxx
        - subnet-yyy
      service_network_security_groups:
        - sg-xxx
      log_driver: awslogs
      log_options:
        - awslogs-group=/ecs/ui-backend-dev
        - awslogs-region=us-east-1
        - awslogs-stream-prefix=ecs
      task_network_mode: awsvpc
      port_mappings:
        - 3333 3333
      compatibilities: EC2 FARGATE
      memory: 2048
      cpu: 1024
      task_memory: 2048
      task_cpu: 1024
      desired_count: 2
      deployment_configuration: 100 200
      docker_image: xxx.dkr.ecr.us-east-1.amazonaws.com/ui-backend-dev
      secrets: [AWS_SECRET_KEY, AWS_ACCESS_KEY]
      secret_environment_variables:
        - NODE_ENV=STG_NODE_ENV
        - APP_URL=STG_APP_URL
        - APP_KEY=STG_APP_KEY

---
kind: secret
name: STG_NODE_ENV
get:
  path: xxx/staging
  name: NODE_ENV

---
kind: secret
name: STG_APP_URL
get:
  path: xxx/staging
  name: APP_URL

---
kind: secret
name: STG_APP_KEY
get:
  path: xxx/staging
  name: APP_KEY
SOLUTION:

In order to have the secrets available to inject, they have to be pulled into the environment from secrets using the new 1.0 syntax, i.e.:

environment:
  STG_NODE_ENV:
    from_secret: STG_NODE_ENV

This then allows the secret_environment_variables config to work.
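For reference, the pipeline step above with the fix applied to all three secrets, written out as an added example rather than taken from the issue or the plugin's own docs. Only the keys already shown in the issue are used; the rest of the settings block is elided.

```yaml
# Added example: the "Deploy to ECS" step with the 1.0 from_secret syntax.
# Each Drone secret is first exposed to the step as an environment variable;
# secret_environment_variables then refers to those variable names, so the
# secret values never appear in the YAML itself.
steps:
  - name: Deploy to ECS
    image: peloton/drone-ecs
    environment:
      STG_NODE_ENV:
        from_secret: STG_NODE_ENV
      STG_APP_URL:
        from_secret: STG_APP_URL
      STG_APP_KEY:
        from_secret: STG_APP_KEY
    settings:
      region: us-east-1
      family: ui-backend-dev
      # ... remaining settings unchanged from the original step ...
      secret_environment_variables:
        - NODE_ENV=STG_NODE_ENV
        - APP_URL=STG_APP_URL
        - APP_KEY=STG_APP_KEY
```

Each `kind: secret` document that defines STG_NODE_ENV, STG_APP_URL and STG_APP_KEY stays as in the original file; only the step gains the environment block.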