How To Exec (SSH) into ECS Fargate


ECS Exec in action via the AWS CDK workflow with Your Container

Amazon ECS Exec lets you run commands in, or open a shell into, a running container without managing SSH keys, opening inbound ports, or touching the host operating system. It works for tasks hosted on Amazon EC2 instances and on AWS Fargate, and it is the quickest way to gather diagnostic data and troubleshoot errors. In a development environment you can use ECS Exec to interact directly with the processes in your containers; in production it serves as a break-glass path into a container when you need to investigate a problem.

Prerequisites for using ECS Exec from your own system:

  • Install and configure the AWS CLI. For more information, see AWS CLI.
  • ECS Exec has version requirements that depend on whether your tasks are hosted on Amazon EC2 or AWS Fargate.
  • Install the Session Manager plugin for the AWS CLI. For more information, see Install the Session Manager plugin for the AWS CLI.

Rather than using your own system, I would suggest using AWS CloudShell, since it already has the CLI and the Session Manager plugin installed.

Enabling ECS Exec

The CDK script below creates a new cluster, service, and task.

In this script I have provided:

  • IAM permissions required for ECS Exec
  • Task definition changes
  • Logging and auditing for ECS Exec sessions
  • Enabling ECS Exec for your tasks and services

Verify using the Amazon ECS Exec Checker

To confirm that everything is configured correctly, we use an open-source script called amazon-ecs-exec-checker.

The only prerequisite for this script is that jq is installed on your system. Again, I would suggest running it from CloudShell.

bash <( curl -Ls https://raw.githubusercontent.com/aws-containers/amazon-ecs-exec-checker/main/check-ecs-exec.sh ) <YOUR_ECS_CLUSTER_NAME> <YOUR_ECS_TASK_ID>

If everything is configured correctly, every check is reported green or yellow.
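As an added example (my own code, not from this post and not from the amazon-ecs-exec-checker project), the script below reproduces the main checks that the checker performs, but offline against the JSON shapes returned by `aws ecs describe-clusters --include CONFIGURATIONS`, `aws ecs describe-tasks`, an IAM policy document and `aws ec2 describe-vpc-endpoints`. The sample cluster, task, policy and endpoint data are constructed for the example; the four `ssmmessages` actions are the ones AWS documents as required on the task IAM role. It uses the same green/yellow/red scheme as the checker and also covers the three failure causes discussed later on this page (missing task-role permissions, agent not running, no Session Manager VPC endpoint).

```python
import fnmatch

# The four ssmmessages actions AWS requires on the *task* IAM role for ECS Exec.
REQUIRED_SSM_ACTIONS = (
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
)
RANK = {"green": 0, "yellow": 1, "red": 2}


def _as_list(value):
    """IAM JSON allows either a string or a list in Statement/Action fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_ssm_actions(policy_document):
    """Required actions that no Allow statement grants (IAM wildcards honoured).
    Deny statements and Conditions are ignored, so green is necessary, not sufficient."""
    granted = set()
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in REQUIRED_SSM_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return [a for a in REQUIRED_SSM_ACTIONS if a not in granted]


def check_task_role(policy_document):
    missing = missing_ssm_actions(policy_document)
    if missing:
        return [("task-role", "red", "task role lacks " + ", ".join(missing))]
    return [("task-role", "green", "task role grants all ssmmessages actions")]


def check_task(task):
    """Findings for one entry of describe-tasks: exec flag and agent status."""
    findings = []
    if task.get("enableExecuteCommand"):
        findings.append(("enableExecuteCommand", "green", "exec enabled on the task"))
    else:
        findings.append(("enableExecuteCommand", "red",
                         "task started without exec; redeploy after enabling it"))
    for container in task.get("containers", []):
        name = container.get("name", "?")
        agents = {a.get("name"): a.get("lastStatus") for a in container.get("managedAgents", [])}
        status = agents.get("ExecuteCommandAgent")
        if status == "RUNNING":
            findings.append((f"agent:{name}", "green", "ExecuteCommandAgent is RUNNING"))
        elif status is None:
            findings.append((f"agent:{name}", "red", "no ExecuteCommandAgent in the container"))
        else:
            findings.append((f"agent:{name}", "red", f"ExecuteCommandAgent is {status}"))
    return findings


def check_cluster(cluster):
    """Findings for one entry of describe-clusters: audit logging and KMS key."""
    cfg = cluster.get("configuration", {}).get("executeCommandConfiguration", {})
    findings = []
    logging = cfg.get("logging", "NONE")
    if logging == "NONE":
        findings.append(("audit-logging", "yellow", "exec sessions are not logged"))
    elif logging == "DEFAULT":
        findings.append(("audit-logging", "yellow", "sessions use the task's awslogs config only"))
    elif logging == "OVERRIDE":
        log_cfg = cfg.get("logConfiguration", {})
        dest = log_cfg.get("cloudWatchLogGroupName") or log_cfg.get("s3BucketName")
        if dest:
            findings.append(("audit-logging", "green", f"sessions logged to {dest}"))
        else:
            findings.append(("audit-logging", "red", "OVERRIDE logging with no destination"))
    else:
        findings.append(("audit-logging", "red", f"unknown logging mode {logging!r}"))
    if cfg.get("kmsKeyId"):
        findings.append(("session-encryption", "green", "customer KMS key set for session data"))
    else:
        findings.append(("session-encryption", "yellow", "no customer KMS key configured"))
    return findings


def check_ssm_reachability(region, vpc_endpoint_service_names, has_internet_egress):
    """A task in a private subnet needs NAT/internet egress or an interface
    endpoint for ssmmessages; an endpoint for ecs alone is not enough."""
    needed = f"com.amazonaws.{region}.ssmmessages"
    if has_internet_egress or needed in vpc_endpoint_service_names:
        return [("ssm-endpoint", "green", "SSM Session Manager is reachable")]
    return [("ssm-endpoint", "red", f"no {needed} endpoint and no internet egress")]


def preflight(cluster, task, task_role_policy):
    return check_cluster(cluster) + check_task(task) + check_task_role(task_role_policy)


def overall(findings):
    """Worst colour across all findings, as the checker's summary does."""
    return max((f[1] for f in findings), key=RANK.get)


# Constructed sample inputs (not real account data).
SAMPLE_CLUSTER = {"clusterName": "demo-cluster", "configuration": {"executeCommandConfiguration": {
    "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID", "logging": "OVERRIDE",
    "logConfiguration": {"cloudWatchLogGroupName": "/ecs/exec-audit", "cloudWatchEncryptionEnabled": True}}}}
SAMPLE_TASK = {"enableExecuteCommand": True, "containers": [
    {"name": "web", "managedAgents": [{"name": "ExecuteCommandAgent", "lastStatus": "RUNNING"}]}]}
SAMPLE_TASK_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(REQUIRED_SSM_ACTIONS), "Resource": "*"}]}

if __name__ == "__main__":
    for name, colour, detail in preflight(SAMPLE_CLUSTER, SAMPLE_TASK, SAMPLE_TASK_ROLE_POLICY):
        print(f"{colour:6} {name:22} {detail}")
```

Feed it the real output of the describe calls and the task role's policy document and it tells you, before you run `execute-command`, which of the requirements the checker script would flag. The colour scheme mirrors the checker: yellow marks something that will work but leaves no audit trail (no session logging, no customer-managed KMS key), red marks something that will make `execute-command` fail outright.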

Run The Execute Command

Let’s open a shell in the container (ECS Exec tunnels through SSM Session Manager rather than SSH) with the command below:

aws ecs execute-command \
    --region <YOUR_REGION> \
    --cluster <YOUR_ECS_CLUSTER_NAME> \
    --task <YOUR_ECS_TASK_ID> \
    --container <YOUR_CONTAINER_NAME> \
    --command "/bin/bash" \
    --interactive

Error when calling execute-command

These are the usual causes of the error “The execute command failed.”

The task lacks the necessary permissions. Make sure a task IAM role is set in the task definition used to launch the task, and that the role grants the permissions ECS Exec needs. See IAM permissions required for ECS Exec for the details.

The SSM agent inside the task is either not running or was never started (for example, the task was launched before ECS Exec was enabled on the service).

The VPC has an interface endpoint for Amazon ECS but none for Systems Manager Session Manager, so a task in a private subnet without internet egress cannot reach the ssmmessages endpoint.

Resources


THE HOW TO BLOG | Siddhanth Dwivedi

Siddhanth Dwivedi | Senior Security Engineer & AWS Community Builder 👨🏾‍💻