Action seems to be stripping secrets from ECS task definition

I have an Action that I’m using to build an AWS ECS task definition and deploy it to my cluster. I’m having a problem, though, as the secrets seem to be getting stripped from the task definition before deploying to ECS for some reason? I’m using AWS param store. This is my task definition:

{
  "ipcMode": null,
  "executionRoleArn": "myrole",
  "containerDefinitions": [
    {
      "dnsSearchDomains": null,
      "logConfiguration": {
        "logDriver": "awslogs",
        "secretOptions": null,
        "options": {
          "awslogs-group": "mylogGroup",
          "awslogs-region": "us-east-1",
          "awslogs-stream-prefix": "ecs"
        }
      },
      "entryPoint": null,
      "portMappings": [
        {
          "hostPort": 80,
          "protocol": "tcp",
          "containerPort": 80
        },
        {
          "hostPort": 443,
          "protocol": "tcp",
          "containerPort": 443
        }
      ],
      "secrets": [
        {
          "name": "myParamName",
          "valueFrom": "arn:aws:ssm:us-east-1:<myId>:parameter/pathToMyParam"
        },
        {
          "name": "myOtherParamName",
          "valueFrom": "arn:aws:ssm:us-east-1:<myId>:parameter/pathToMyOtherParam"
        }
      ],
      "command": null,
      "linuxParameters": null,
      "cpu": 0,
      "resourceRequirements": null,
      "ulimits": null,
      "dnsServers": null,
      "mountPoints": [],
      "workingDirectory": null,
      "secrets": null,
      "dockerSecurityOptions": null,
      "memory": null,
      "memoryReservation": null,
      "volumesFrom": [],
      "stopTimeout": null,
      "image": "<myImagePath>",
      "startTimeout": null,
      "firelensConfiguration": null,
      "dependsOn": null,
      "disableNetworking": null,
      "interactive": null,
      "healthCheck": null,
      "essential": true,
      "links": null,
      "hostname": null,
      "extraHosts": null,
      "pseudoTerminal": null,
      "user": null,
      "readonlyRootFilesystem": null,
      "dockerLabels": null,
      "systemControls": null,
      "privileged": null,
      "name": "myContainer"
    }
  ],
  "placementConstraints": [],
  "memory": "1024",
  "taskRoleArn": "<myRolePath>",
  "family": "myTask",
  "pidMode": null,
  "requiresCompatibilities": [
    "FARGATE"
  ],
  "networkMode": "awsvpc",
  "cpu": "512",
  "inferenceAccelerators": null,
  "proxyConfiguration": null,
  "volumes": []
}

So that gets deployed to ECS; however, the secrets are always stripped out. I know this definition works as I can create the same thing manually with those secrets via the AWS dashboard and it works fine. What could be the issue?
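
Added example, not part of the original post or of the Action's code: the container definition posted above lists `secrets` twice, first with the two parameters and again as `null`, and Python's `json` module and JavaScript's `JSON.parse` both keep the last occurrence of a repeated key. The check below reports such keys before a definition is registered; the function names and the reduced sample are assumptions made for this example.

```python
import json

# Constructed sample, reduced from the posted task definition: the container
# definition carries "secrets" twice, the second time as null.
SAMPLE = """{
  "family": "myTask",
  "containerDefinitions": [{
    "name": "myContainer",
    "secrets": [{"name": "myParamName",
                 "valueFrom": "arn:aws:ssm:us-east-1:<myId>:parameter/pathToMyParam"}],
    "command": null,
    "secrets": null
  }]
}"""


def find_duplicate_keys(text):
    """Parse JSON and return (duplicates, parsed).

    duplicates holds (key, discarded_value, kept_value) for each repeated key.
    """
    duplicates = []

    def hook(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                duplicates.append((key, obj[key], value))
            obj[key] = value  # last one wins, as in plain json.loads
        return obj

    return duplicates, json.loads(text, object_pairs_hook=hook)


def check_task_definition(text):
    """Return the parsed definition, or raise ValueError on a repeated key."""
    duplicates, parsed = find_duplicate_keys(text)
    if duplicates:
        lines = [f"{k!r}: {json.dumps(old)} is replaced by {json.dumps(new)}"
                 for k, old, new in duplicates]
        raise ValueError("repeated keys in task definition: " + "; ".join(lines))
    return parsed


if __name__ == "__main__":
    try:
        check_task_definition(SAMPLE)
    except ValueError as err:
        print(err)
```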

@johnbarberef,

What do you mean about “strip secrets from ECS task definition”?
If possible, please share your repository to show an example about this problem, so that we can check more detailed configurations related to the workflow to analyze the root cause.

When the new revision of the task definition is created in ECS, the secrets in the definitions are no longer there. So in the AWS dashboard, if you click on the task definition and view the JSON tab, they are gone. If I try to run the new task definition, my app throws saying the variables can’t be found.

But, looking into this further, it seems to be a problem on the ECS side rather than the GitHub side, so I’m sure this is the wrong place for this.

@johnbarberef,

Okay. Thanks for your response.

If you need help with anything related to workflow configuration, such as syntax, GitHub-hosted runners, or building actions, feel free to contact us.