This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Configure ECS Task Definition with CredentialSpec
After you have created the credential spec file, you will reference it in your ECS task definition. Keeping the gMSA metadata in a credential spec file (separate from the Dockerfile) gives you the ability to change the gMSA used by your application in the future without the need for code changes in the application.
Amazon ECS supports the following ways to reference the credential spec file in the dockerSecurityOptions field of a task definition. For more information and example task definitions, refer to the Amazon ECS documentation.
Add the credential spec to an Amazon S3 bucket, then reference the Amazon S3 ARN of the credential spec object (bucket name and object name) in the dockerSecurityOptions field of the task definition. Your Amazon ECS task execution role must have the s3:Get* and s3:List* permissions on your S3 bucket and the credential spec object.
{
  "family": "",
  "executionRoleArn": "",
  "containerDefinitions": [
    {
      "name": "",
      ...
      "dockerSecurityOptions": [
        "credentialspec:arn:aws:s3:::${BucketName}/${ObjectName}"
      ],
      ...
    }
  ],
  ...
}
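The following script is an added example, not code from the original whitepaper or from Amazon ECS. It reads a task definition of the shape shown above, extracts every credentialspec reference that points at an S3 object, checks that the referenced bucket is one the team controls, and emits the minimal IAM policy statement (s3:Get* and s3:List* on the bucket and the credential spec object, as the text requires) for the task execution role. The sample task definition, bucket name, object key and role ARN are constructed placeholders.

```python
import json
import re
from typing import Dict, List, Set

# Constructed sample task definition (not from the original page); every
# name, bucket and ARN below is a placeholder.
SAMPLE_TASK_DEF: Dict = {
    "family": "gmsa-app",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [
        {
            "name": "app",
            "image": "example/app:latest",
            "dockerSecurityOptions": [
                "credentialspec:arn:aws:s3:::example-credspec-bucket/credspecs/gmsa-app.json"
            ],
        },
        {"name": "sidecar", "image": "example/sidecar:latest"},
    ],
}

# Only the S3 object form discussed on the page is accepted:
# credentialspec:arn:aws:s3:::<bucket>/<object-key>
_CREDSPEC_S3 = re.compile(r"^credentialspec:arn:aws:s3:::(?P<bucket>[^/]+)/(?P<key>.+)$")


def find_credspec_refs(task_def: Dict) -> List[Dict[str, str]]:
    """Return one record per container that references a credential spec in S3.

    Other dockerSecurityOptions entries (e.g. "no-new-privileges") are ignored;
    a credentialspec entry that is not an S3 object ARN is rejected.
    """
    refs = []
    for container in task_def.get("containerDefinitions", []):
        for opt in container.get("dockerSecurityOptions", []):
            if not opt.startswith("credentialspec:"):
                continue
            match = _CREDSPEC_S3.match(opt)
            if match is None:
                raise ValueError(f"{container['name']}: unsupported credentialspec reference {opt!r}")
            refs.append({"container": container["name"], "bucket": match["bucket"], "key": match["key"]})
    return refs


def check_bucket_allowlist(task_def: Dict, allowed_buckets: Set[str]) -> List[str]:
    """Flag credential spec references that point outside the buckets you control.

    Returns a list of human-readable findings; an empty list means all clear.
    """
    findings = []
    for ref in find_credspec_refs(task_def):
        if ref["bucket"] not in allowed_buckets:
            findings.append(
                f"{ref['container']}: credential spec bucket '{ref['bucket']}' is not in the allow list"
            )
    return findings


def execution_role_policy(task_def: Dict) -> Dict:
    """Build the IAM policy the task execution role needs to fetch the credential spec(s).

    Per the text, s3:Get* and s3:List* are granted on the bucket and on the
    credential spec object; resources are limited to exactly those ARNs rather
    than a wildcard over all buckets.
    """
    refs = find_credspec_refs(task_def)
    if not refs:
        raise ValueError("task definition references no credential spec")
    buckets = sorted({f"arn:aws:s3:::{r['bucket']}" for r in refs})
    objects = sorted({f"arn:aws:s3:::{r['bucket']}/{r['key']}" for r in refs})
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadCredentialSpec",
                "Effect": "Allow",
                "Action": ["s3:Get*", "s3:List*"],
                "Resource": buckets + objects,
            }
        ],
    }


if __name__ == "__main__":
    # Usage: validate the sample task definition and print the scoped policy.
    problems = check_bucket_allowlist(SAMPLE_TASK_DEF, {"example-credspec-bucket"})
    print("findings:", problems or "none")
    print(json.dumps(execution_role_policy(SAMPLE_TASK_DEF), indent=2))
```

Run the allow-list check in CI against every task definition before it is registered, so a credential spec reference that drifts to an unexpected bucket is caught before a task tries to fetch it; attach the generated policy to the execution role named in executionRoleArn.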