# ask-community


09/01/2022, 8:10 AM
Hi all, I have a question regarding secrets for the AWS ECS run_launcher. I have some secrets stored in an external AWS account (not the same as the account hosting ECS), and I set them in the ECS task definition for the Dagster daemon, like
```json
{
  "Name": "MY_API_KEY",
  "ValueFrom": "${MY_SECRET_ARN}"
}
```
These secret ARNs are different between our dev/staging/prod env. That
is populated by Terraform during our CD process. The daemon will then pass that info down to the worker ECS task. My run_launcher config is simple like this
```yaml
run_launcher:
  module: dagster_aws.ecs
  class: EcsRunLauncher
  config:
    include_sidecars: true
    secrets_tag: "data-dagster-env-var"
```
All was working fine until I started having secrets in my account which are tagged with the tag key `data-dagster-env-var`: the worker ECS task is now configured with the local secrets only (the ones with that specified tag), with no more secrets copied from the daemon task definition. We'll be having many local secrets, so configuring them all in the daemon task definition is not practical. The other option is to have both
in the run_launcher configuration, but this means I'll need to have different
file / docker images for different environments (dev/staging/prod). Is there any option to have a combined secrets list: from the daemon and from that
Or, is there any option to have a parameterised
, which will be populated during daemon/dagit startup time?
Thanks.

======== edited ==========

I found the guide for using env vars in
. Also, I had a quick look at the source code of that ECS run_launcher, and could see that the list of secrets is built from scratch. However, I don't understand how the env vars and secrets are initially copied from the daemon - couldn't find that in the code. One thing I want to change is to separate the aws_logs_group used for the daemon from the one used for the jobs/tasks.