
Really? I'd found even simple things like volume mounted secrets a pain to use.

https://github.com/aws/containers-roadmap/issues/56



Secrets to be fetched by CFN of the Service. "define a config file as a "volume" and mount into the container" is very unusual. Store it in S3, and give your Task's IAM Role permission to fetch it.


> define a config file as a "volume" and mount into the container

That is how Kubernetes secrets work, so I wouldn't call it unusual.


And so do so many container-based applications that expect secrets to be present in a file.

Kubernetes provides an easy-to-use abstraction for the same, which ECS does not.


> which ECS does not.

It actually does. You may, if you wish, have a volume and mount it in ECS tasks [0][1]. The issue above does not seem legit.

[0] https://docs.aws.amazon.com/AmazonECS/latest/developerguide/...

[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGui...


None of the options are easy to use for a secret or a simple configuration file. If I have a configuration file, I can easily mount it with the --volume option with docker run. But to get the same on ECS requires a much more complex setup than what is needed for k8s. Why do I need EFS/EBS volumes? Why doesn't this work well with Secret Manager or Parameter Store?

Yes, k8s is a complex beast - but ECS isn't as clean as it looks.


> Why doesn't this work well with Secret Manager or Parameter Store?

Make a Parameter that reads from Secret Manager or Parameter Store in the CloudFormation template of your ECS Service, and pass the value to TaskDefinition as an environment variable. No need for volumes at all.


> That is how Kubernetes secrets work

As I said, try ECS.
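
An added example, not posted by anyone in this thread: a CloudFormation fragment showing the approach described above (a template parameter resolved from Parameter Store and passed as an environment variable) beside the task definition's own `Secrets` / `ValueFrom` field, which has ECS fetch the value at container start instead of storing it in the task definition. The parameter path, image name, family name, and the two ARN parameters are constructed placeholders, and the execution role is assumed to already allow `secretsmanager:GetSecretValue` on the secret.

```yaml
AWSTemplateFormatVersion: "2010-09-09"

Parameters:
  # Resolved by CloudFormation at deploy time. This parameter type does not
  # accept SecureString parameters, so it suits plain configuration only.
  AppConfigValue:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /example/app/config-value        # constructed parameter name
  # ARN of an existing Secrets Manager secret (assumed to exist).
  DbPasswordSecretArn:
    Type: String
  # Task execution role that ECS uses to pull the image and fetch secrets
  # (assumed to exist with read access to the secret above).
  ExecutionRoleArn:
    Type: String

Resources:
  TaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      Family: example-app                      # constructed name
      ExecutionRoleArn: !Ref ExecutionRoleArn
      ContainerDefinitions:
        - Name: app
          Image: example.invalid/app:latest    # placeholder image
          Memory: 256
          # Approach from the comment: the resolved value is written into
          # the task definition, so anyone who can describe the task
          # definition can read it. Keep this for non-sensitive config.
          Environment:
            - Name: APP_CONFIG_VALUE
              Value: !Ref AppConfigValue
          # Only the reference is stored here. ECS resolves it with the
          # execution role when the container starts and injects the
          # result as the DB_PASSWORD environment variable.
          Secrets:
            - Name: DB_PASSWORD
              ValueFrom: !Ref DbPasswordSecretArn
```

Both forms deliver the value as an environment variable, so an application that expects a file still needs its entrypoint to write one.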



