Amazon ECS Exec to access your containers on AWS Fargate

Published on: March 5, 2022 by Vinayan C V


Scenario:

ECS Exec uses AWS Systems Manager (SSM) Session Manager to establish a connection to the running container, and uses AWS Identity and Access Management (IAM) policies to control who may run commands in it. ECS Exec is supported only for Linux containers.

IAM permissions required for ECS Exec

Use the following policy for your task IAM role to add the required SSM permissions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ExecuteCommandSessionManagement",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ExecuteCommand",
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws:ecs:*:*:task/*",
        "arn:aws:ssm:*:*:document/AmazonECS-ExecuteInteractiveCommand"
      ]
    }
  ]
}

Enabling ECS Exec for your tasks and services

  • You can enable ECS Exec for services and standalone tasks by passing the --enable-execute-command flag to one of the following AWS CLI commands: create-service, update-service, start-task, or run-task.
    To update an existing service, use the command below

aws ecs update-service --cluster cluster-name --service service-name --region region --enable-execute-command --force-new-deployment

  • After you have enabled ECS Exec for a task, you can run the following command to confirm the task is ready to be used. If the lastStatus property of the ExecuteCommandAgent is listed as RUNNING and the enableExecuteCommand property is set to true, then your task is ready.

aws --region region ecs describe-tasks --cluster cluster-name --tasks task-id

The following output snippet is an example of what you might see.

{
  "tasks": [
    {
      ...
      "containers": [
        {
          ...
          "managedAgents": [
            {
              "lastStartedAt": "2021-03-01T14:49:44.574000-06:00",
              "name": "ExecuteCommandAgent",
              "lastStatus": "RUNNING"
            }
          ]
        }
      ],
      ...
      "enableExecuteCommand": true,
      ...
    }
  ]
}

Running commands using ECS Exec

After you have confirmed the ExecuteCommandAgent is running, you can open an interactive shell on your container using the following command.

aws --region region ecs execute-command --cluster cluster-name --interactive --task task-id --command /bin/bash
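As an added example (not from the original post), the readiness rule above applied in code: a small Python checker that reads describe-tasks output and reports, per container, whether ExecuteCommandAgent is RUNNING and enableExecuteCommand is true, then builds the execute-command invocation for a ready task. The response below is a constructed sample; the region, cluster and task ids are placeholders.

```python
import json
from typing import Dict, List

# Constructed sample of `aws ecs describe-tasks` output covering three states:
# a ready task, a task whose agent stopped, and a task deployed without exec.
SAMPLE_DESCRIBE_TASKS = json.dumps({
    "tasks": [
        {"taskArn": "arn:aws:ecs:us-east-1:123456789012:task/demo-cluster/aaaa1111",
         "enableExecuteCommand": True,
         "containers": [{"name": "web", "managedAgents": [
             {"name": "ExecuteCommandAgent", "lastStatus": "RUNNING"}]}]},
        {"taskArn": "arn:aws:ecs:us-east-1:123456789012:task/demo-cluster/bbbb2222",
         "enableExecuteCommand": True,
         "containers": [{"name": "web", "managedAgents": [
             {"name": "ExecuteCommandAgent", "lastStatus": "STOPPED",
              "reason": "constructed sample reason"}]}]},
        {"taskArn": "arn:aws:ecs:us-east-1:123456789012:task/demo-cluster/cccc3333",
         "enableExecuteCommand": False,
         "containers": [{"name": "web"}]},
    ],
    "failures": [],
})


def exec_readiness(describe_tasks_json: str) -> Dict[str, str]:
    """Map 'task-id/container' (or task-id) to READY / NOT_READY / FAILURE."""
    data = json.loads(describe_tasks_json)
    verdicts: Dict[str, str] = {}
    # describe-tasks reports unknown or stopped tasks under "failures".
    for failure in data.get("failures", []):
        verdicts[failure.get("arn", "?")] = "FAILURE: " + failure.get("reason", "unknown")
    for task in data.get("tasks", []):
        task_id = task["taskArn"].rsplit("/", 1)[-1]
        if not task.get("enableExecuteCommand", False):
            verdicts[task_id] = "NOT_READY: enableExecuteCommand is false"
            continue
        for container in task.get("containers", []):
            key = f"{task_id}/{container['name']}"
            agents = {a["name"]: a for a in container.get("managedAgents", [])}
            agent = agents.get("ExecuteCommandAgent")
            if agent is None:
                verdicts[key] = "NOT_READY: ExecuteCommandAgent not present"
            elif agent.get("lastStatus") != "RUNNING":
                verdicts[key] = f"NOT_READY: ExecuteCommandAgent is {agent.get('lastStatus')}"
            else:
                verdicts[key] = "READY"
    return verdicts


def execute_command_argv(region: str, cluster: str, task_id: str,
                         container: str, command: str = "/bin/bash") -> List[str]:
    """Build the argv for the interactive execute-command call from the post."""
    return ["aws", "--region", region, "ecs", "execute-command", "--cluster", cluster,
            "--container", container, "--interactive", "--task", task_id,
            "--command", command]
```

Only a task whose verdict is READY should be passed to execute_command_argv; the NOT_READY verdicts say whether to wait for the agent or redeploy with --enable-execute-command.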

Category : AWS