feat(ecs): task role credentials + secrets injection #728
Merged
vieiralucas merged 1 commit into main on Apr 24, 2026
Batch 3 of the ECR+ECS tightening pass. Closes the last two deferred
ECS runtime integrations so containers running under fakecloud behave
exactly like they would against real AWS — credential vending via
`AWS_CONTAINER_CREDENTIALS_FULL_URI`, and `secrets[]` resolution from
SecretsManager + SSM Parameter Store.
- `EcsRuntime` gains `with_secretsmanager` / `with_ssm` builder
methods. Wired via the server alongside the Batch 2 EventBridge +
CloudWatch-Logs plumbing.
- Before `docker run`, the runtime walks the container's `secrets[]`
field and resolves each `valueFrom` ARN against the corresponding
in-process state:
  - `arn:aws:secretsmanager:...:secret:<name>-<6>` -> current-version
  `secret_string` on the matching `Secret`. The AWS-generated 6-char
  suffix is stripped during the lookup.
  - `arn:aws:ssm:...:parameter/<name>` -> `value` on the matching
  `SsmParameter`.
Resolved values go in as env vars. A missing secret/parameter fails
the task with `stopCode=TaskFailedToStart`, matching real ECS.
- When the task registers a `taskRoleArn`, the runtime injects
`AWS_CONTAINER_CREDENTIALS_FULL_URI=http://host.docker.internal:<port>/_fakecloud/ecs/creds/<task-id>`.
The server exposes that new route returning IMDS-format JSON
(`{AccessKeyId, SecretAccessKey, Token, Expiration, RoleArn}`). AWS
SDKs discover it via the default provider chain, so
`aws sts get-caller-identity` etc. work out of the box from inside
the container.
- Four new E2E tests under `ecs_task_role_secrets.rs`:
1. `task_role_credentials_are_served` — asserts env-var injection
+ probes the credential endpoint directly for IMDS shape.
2. `resolves_secretsmanager_secret` — runs a task, asserts the
captured stdout contains the secret value.
3. `resolves_ssm_parameter` — same, via SSM.
4. `missing_secret_fails_fast` — missing secret -> TaskFailedToStart.
- ECS docs updated with the credential-endpoint JSON shape and the
secrets[] example.
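As an added illustration of the `secrets[]` step described in the PR (this is example code, not code from the fakecloud PR or project), the following stand-alone resolver parses the two `valueFrom` ARN forms, strips the six-character Secrets Manager suffix, looks each reference up in constructed in-memory state, and fails the task with `TaskFailedToStart` on the first reference that does not resolve. The `SecretSpec`, `State` and `StopCode` types, the reason string and the sample secret values are assumptions of this example. It goes slightly beyond the PR text in one respect: the lookup tries the name exactly as given before the suffix-stripped form, so a secret whose real name happens to end in six alphanumerics (`my-secret`) still resolves.

```rust
use std::collections::HashMap;

/// One `containerDefinitions[].secrets[]` entry: env var name and the ARN it comes from.
pub struct SecretSpec<'a> {
    pub name: &'a str,
    pub value_from: &'a str,
}

/// In-process state the resolver consults. Shapes are an assumption of this
/// example; the real runtime has its own `Secret` / `SsmParameter` types.
#[derive(Default)]
pub struct State {
    /// Secrets Manager: secret name (without `-XXXXXX` suffix) -> current `secret_string`.
    pub secrets: HashMap<String, String>,
    /// SSM Parameter Store: name as it appears after `parameter/` -> `value`.
    pub params: HashMap<String, String>,
}

/// Why the task could not start, with a human-readable reason (wording assumed).
#[derive(Debug, PartialEq)]
pub enum StopCode {
    TaskFailedToStart(String),
}

/// Drop the AWS-generated six-character suffix (`-AbCdEf`) from a secret name.
/// Returns the input unchanged when the last `-` segment is not six alphanumerics.
pub fn strip_secret_suffix(name: &str) -> &str {
    match name.rsplit_once('-') {
        Some((base, suffix))
            if suffix.len() == 6 && suffix.chars().all(|c| c.is_ascii_alphanumeric()) =>
        {
            base
        }
        _ => name,
    }
}

enum SecretRef<'a> {
    SecretsManager(&'a str),
    Ssm(&'a str),
}

/// Parse a `valueFrom` ARN. Only the two services ECS accepts here are recognised;
/// anything else, or a malformed ARN, is `None` and therefore a missing reference.
fn parse_value_from(arn: &str) -> Option<SecretRef<'_>> {
    // arn:partition:service:region:account:resource. splitn(6) keeps any ':' that
    // occurs inside the resource part (secret names may contain them).
    let mut parts = arn.splitn(6, ':');
    let (prefix, partition, service) = (parts.next()?, parts.next()?, parts.next()?);
    parts.nth(1)?; // skip region and account
    let resource = parts.next()?;
    if prefix != "arn" || partition != "aws" {
        return None;
    }
    match service {
        "secretsmanager" => resource.strip_prefix("secret:").map(SecretRef::SecretsManager),
        "ssm" => resource.strip_prefix("parameter/").map(SecretRef::Ssm),
        _ => None,
    }
}

/// Resolve every `secrets[]` entry before `docker run`: the env vars to inject,
/// or `TaskFailedToStart` on the first reference that does not resolve.
pub fn resolve_secrets(
    state: &State,
    specs: &[SecretSpec<'_>],
) -> Result<Vec<(String, String)>, StopCode> {
    let mut env = Vec::with_capacity(specs.len());
    for spec in specs {
        let value = match parse_value_from(spec.value_from) {
            // Exact name first (a secret may legitimately end in six alphanumerics),
            // then the suffix-stripped form that AWS-generated ARNs carry.
            Some(SecretRef::SecretsManager(name)) => state
                .secrets
                .get(name)
                .or_else(|| state.secrets.get(strip_secret_suffix(name)))
                .cloned(),
            Some(SecretRef::Ssm(name)) => state.params.get(name).cloned(),
            None => None,
        };
        match value {
            Some(v) => env.push((spec.name.to_string(), v)),
            None => {
                return Err(StopCode::TaskFailedToStart(format!(
                    "unable to resolve secret {} from {}",
                    spec.name, spec.value_from
                )))
            }
        }
    }
    Ok(env)
}

/// Constructed sample state for this example (not real secrets).
pub fn sample_state() -> State {
    let mut state = State::default();
    state.secrets.insert("prod/db".into(), "hunter2".into());
    state.secrets.insert("my-secret".into(), "s3cret".into());
    state.params.insert("prod/api-url".into(), "https://api.example.test".into());
    state
}

fn main() {
    let state = sample_state();
    let specs = [
        SecretSpec { name: "DB_PASSWORD", value_from: "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf" },
        SecretSpec { name: "API_URL", value_from: "arn:aws:ssm:us-east-1:123456789012:parameter/prod/api-url" },
        SecretSpec { name: "MISSING", value_from: "arn:aws:secretsmanager:us-east-1:123456789012:secret:nope-Zz9Zz9" },
    ];
    println!("{:?}", resolve_secrets(&state, &specs[..2])); // both resolve
    println!("{:?}", resolve_secrets(&state, &specs)); // third is missing: task fails to start
}
```

Resolution is all-or-nothing on purpose: a container that starts with a partial set of secrets is harder to diagnose than one that never starts, which is also why the failure carries the env var name and the ARN that did not resolve rather than the secret value.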
Summary
Batch 3 of the ECR+ECS tightening pass. Closes the last two deferred ECS runtime integrations:
- Tasks with a `taskRoleArn` get `AWS_CONTAINER_CREDENTIALS_FULL_URI` injected, and a new `/_fakecloud/ecs/creds/:task_id` endpoint vends IMDS-format creds. AWS SDKs discover it via the default provider chain, so `aws sts get-caller-identity` works from inside the container with zero container-side setup.
- `secrets[]` entries with SecretsManager or SSM parameter ARNs resolve synchronously before `docker run` and land as env vars. Missing refs -> `TaskFailedToStart`.
- `EcsRuntime::with_secretsmanager` / `with_ssm`. Unwired runtime behaviour is unchanged (test ergonomics).
Test plan
- `cargo test -p fakecloud-e2e --test ecs_task_role_secrets` — all four E2E tests pass
- `cargo test -p fakecloud-ecs -p fakecloud-core -p fakecloud-lambda -p fakecloud-ecr` — unit tests green
- `cargo clippy --workspace --all-targets -- -D warnings` — clean
- `cargo fmt --all -- --check` — clean
Summary by cubic
Add ECS task-role credentials and secrets injection so containers can use AWS SDKs out of the box and get env vars from Secrets Manager and SSM. Tasks without required secrets now fail fast with TaskFailedToStart.
- Injects `AWS_CONTAINER_CREDENTIALS_FULL_URI` for tasks with `taskRoleArn`; `/_fakecloud/ecs/creds/{task_id}` serves IMDS-format creds so `aws sts get-caller-identity` works inside the container.
- Resolves `containerDefinitions[].secrets[]` from Secrets Manager and SSM before `docker run`; missing refs -> `stopCode=TaskFailedToStart`.
- `EcsRuntime`: `with_secretsmanager` and `with_ssm`; server wires them alongside logs and EventBridge.
- Docs: `secrets[]` example; 4 new E2E tests cover creds, Secrets Manager, SSM, and missing-secret failure.
Written for commit ad2683b.
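As an added example of the credential-vending side summarised above (example code, not the project's own route handler), here is a minimal handler for `GET /_fakecloud/ecs/creds/<task-id>` that renders the IMDS-shaped JSON, the `FULL_URI` value a container would receive, and a client-side host check. `TaskCreds`, `handle_creds`, `full_uri`, the registry shape and the constructed key, token and port values are assumptions of this example. The host allow-list in `botocore_accepts_http_host` is modelled on botocore's container-credential fetcher as an assumption and should be verified against the SDK actually used inside the container.

```rust
use std::collections::HashMap;

/// What the server holds for a task that registered a `taskRoleArn`: the role and
/// the short-lived credentials minted for it (constructed values, not real keys).
pub struct TaskCreds {
    pub role_arn: String,
    pub access_key_id: String,
    pub secret_access_key: String,
    pub token: String,
    pub expiration: String, // RFC 3339 timestamp, as IMDS emits it
}

/// Minimal JSON string escaping so a token or ARN can never break out of its value.
fn json_str(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// The IMDS-shaped body the credential route returns.
pub fn creds_json(c: &TaskCreds) -> String {
    format!(
        "{{\"AccessKeyId\":{},\"SecretAccessKey\":{},\"Token\":{},\"Expiration\":{},\"RoleArn\":{}}}",
        json_str(&c.access_key_id),
        json_str(&c.secret_access_key),
        json_str(&c.token),
        json_str(&c.expiration),
        json_str(&c.role_arn)
    )
}

/// Handler for `GET /_fakecloud/ecs/creds/<task-id>`, returning (status, body).
/// Only tasks that registered a role are in the registry, so an unknown or
/// role-less task gets 404 rather than any default credential.
pub fn handle_creds(path: &str, registry: &HashMap<String, TaskCreds>) -> (u16, String) {
    let task_id = match path.strip_prefix("/_fakecloud/ecs/creds/") {
        Some(id) => id,
        None => return (404, String::new()),
    };
    // Task ids are opaque tokens: reject empty ids and anything carrying a path
    // separator, query or fragment so `..` or `?` cannot reach a different key.
    if task_id.is_empty() || task_id.contains(|c: char| "/?#".contains(c)) {
        return (404, String::new());
    }
    match registry.get(task_id) {
        Some(c) => (200, creds_json(c)),
        None => (404, String::new()),
    }
}

/// The value injected into the container for a given host port and task id.
pub fn full_uri(port: u16, task_id: &str) -> String {
    format!("http://host.docker.internal:{}/_fakecloud/ecs/creds/{}", port, task_id)
}

/// Host part of an http(s) URI, without a URL crate (sufficient for this shape).
pub fn uri_host(uri: &str) -> Option<&str> {
    let rest = uri.strip_prefix("http://").or_else(|| uri.strip_prefix("https://"))?;
    let authority = rest.split(|c: char| "/?#".contains(c)).next()?;
    let hostport = authority.rsplit('@').next()?; // drop any userinfo
    if let Some(v6) = hostport.strip_prefix('[') {
        return v6.split(']').next(); // bracketed IPv6 literal
    }
    hostport.split(':').next()
}

/// Hosts from which a botocore-based client (the AWS CLI) will fetch a plain-http
/// FULL_URI: loopback plus the ECS/EKS link-local addresses. This list is an
/// assumption of the example; other SDKs differ, so check the one in your image.
pub fn botocore_accepts_http_host(host: &str) -> bool {
    matches!(
        host,
        "localhost" | "127.0.0.1" | "::1" | "169.254.170.2" | "169.254.170.23" | "fd00:ec2::23"
    )
}

fn main() {
    let mut registry = HashMap::new();
    registry.insert("abc123".to_string(), TaskCreds {
        role_arn: "arn:aws:iam::123456789012:role/app".into(),
        access_key_id: "ASIAFAKEFAKEFAKEFAKE".into(),
        secret_access_key: "fakeSecretKey".into(),
        token: "fakeSessionToken".into(),
        expiration: "2026-04-24T12:00:00Z".into(),
    });
    let uri = full_uri(4566, "abc123"); // 4566 is an assumed host port
    println!("{}", uri);
    println!("{:?}", handle_creds("/_fakecloud/ecs/creds/abc123", &registry));
    println!("{:?}", handle_creds("/_fakecloud/ecs/creds/unknown", &registry));
    println!("botocore would fetch it: {}", botocore_accepts_http_host(uri_host(&uri).unwrap_or("")));
}
```

The practitioner check this adds: because the injected URI points at `host.docker.internal` over plain HTTP, `botocore_accepts_http_host` returns false for it. As far as I know botocore only fetches a plain-http `AWS_CONTAINER_CREDENTIALS_FULL_URI` from loopback or the ECS/EKS link-local hosts, so before relying on the provider chain (rather than probing the endpoint directly, as the E2E test does) confirm that the SDK in your container image accepts the injected host.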