Establishing Dynamic Connection with AWS Redshift in AWS ECS using Rotational Password stored in AWS SSM Parameter

Original Slack Thread

Hi #all-things-deployment, I have hosted DataHub in AWS ECS and am trying to establish a connection with AWS Redshift. But the Redshift user password is rotated and will be stored in an AWS SSM parameter. So, the password must be fetched dynamically from the AWS SSM parameter.
Could you please provide a solution for this?
My current DataHub version is v0.10.1 and I am working on an update to v0.12.1 (a solution is required in any of the versions).

You should be able to inject SSM secrets into ECS environment variables: https://docs.aws.amazon.com/AmazonECS/latest/userguide/secrets-envvar-ssm-paramstore.html#secrets-envvar-ssm-paramstore-update-container-definition

Hi <@U0667UL20SD> these secrets do not cause a restart when rotated - check out the considerations on the page you linked:

Sensitive data is injected into your container when the container is initially started. If the secret is subsequently updated or rotated, the container will not receive the updated value automatically. You must either launch a new task or if your task is part of a service you can update the service and use the Force new deployment option to force the service to launch a fresh task.
There is some plumbing needed to restart the task based on a secret rotation event. I would recommend looking at CloudTrail events and EventBridge if you require an automated solution.

https://docs.aws.amazon.com/secretsmanager/latest/userguide/monitoring.html