[+] Install the Session Manager plugin for the AWS CLI on your local machine; alternatively, use AWS CloudShell. [+] IAM permissions required for ECS Exec: see [2].
export cluster_name=**
export private_subnet_one=**
export private_subnet_two=**
export container_security_group=**
export task_def_file=**   # path to the task definition JSON file, refer to [3]
export container_name=**
export aws_region=$(aws configure get region)
task_def=$(aws ecs register-task-definition --cli-input-json file://${task_def_file} --query 'taskDefinition.taskDefinitionArn' --output text)
# Fargate launch type: the awsvpc network mode requires a network configuration
task_arn=$(aws ecs run-task --cluster ${cluster_name} --task-definition ${task_def} \
  --network-configuration "awsvpcConfiguration={subnets=[${private_subnet_one},${private_subnet_two}],securityGroups=[${container_security_group}],assignPublicIp=DISABLED}" \
  --enable-execute-command --launch-type FARGATE --query 'tasks[0].taskArn' --output text)
# EC2 launch type: the task definition must list EC2 under requiresCompatibilities,
# and if it uses awsvpc networking the same --network-configuration is required
task_arn=$(aws ecs run-task --cluster ${cluster_name} --task-definition ${task_def} \
  --enable-execute-command --launch-type EC2 --query 'tasks[0].taskArn' --output text)
# Override the container command so the task stays up for an interactive session
cat <<EOF > overrides.json
{
"containerOverrides": [
{
"name": "${container_name}",
"command": ["/bin/sh", "-c", "while true; do echo Running; sleep 60; done;"]
}
]
}
EOF
# Fargate launch type with the command override
task_arn=$(aws ecs run-task --cluster ${cluster_name} --task-definition ${task_def} --launch-type FARGATE \
  --network-configuration "awsvpcConfiguration={subnets=[${private_subnet_one},${private_subnet_two}],securityGroups=[${container_security_group}],assignPublicIp=DISABLED}" \
  --overrides file://overrides.json --enable-execute-command --query 'tasks[].taskArn' --output text)
# EC2 launch type with the command override
task_arn=$(aws ecs run-task --cluster ${cluster_name} --task-definition ${task_def} --launch-type EC2 \
  --overrides file://overrides.json --enable-execute-command --query 'tasks[].taskArn' --output text)
# Verify the flag is set and the ExecuteCommandAgent managed agent reports RUNNING
aws ecs describe-tasks --cluster ${cluster_name} --tasks ${task_arn} | grep -Ei 'enableExecuteCommand|status'
Run the check-ecs-exec.sh script; it checks and validates that both your CLI environment and the ECS cluster/task are ready for ECS Exec, see [4].
aws ecs execute-command --cluster ${cluster_name} --task ${task_arn} --container ${container_name} --command "/bin/sh" --interactive
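The grep in the verification step only shows the raw fields. The following added example (not part of the original notes) parses describe-tasks JSON and reports, per container, whether ECS Exec is actually usable: the enableExecuteCommand flag must be set AND the ExecuteCommandAgent managed agent must be RUNNING. The embedded sample output is constructed, with placeholder account and task IDs; the audit helper lists which tasks expose a shell path via ECS Exec at all.

```python
import json

# Constructed sample of `aws ecs describe-tasks` output (not captured from a real
# account; account ID and task IDs are placeholders). Task 1 is exec-ready, task 2 was
# run without --enable-execute-command, task 3 has the flag but its agent never started.
SAMPLE_DESCRIBE_TASKS = json.dumps({"tasks": [
    {"taskArn": "arn:aws:ecs:us-east-1:111111111111:task/api/aaaa1111",
     "lastStatus": "RUNNING", "enableExecuteCommand": True,
     "containers": [{"name": "ecs-exec-example", "managedAgents": [
         {"name": "ExecuteCommandAgent", "lastStatus": "RUNNING"}]}]},
    {"taskArn": "arn:aws:ecs:us-east-1:111111111111:task/api/bbbb2222",
     "lastStatus": "RUNNING", "enableExecuteCommand": False,
     "containers": [{"name": "ecs-exec-example", "managedAgents": []}]},
    {"taskArn": "arn:aws:ecs:us-east-1:111111111111:task/api/cccc3333",
     "lastStatus": "RUNNING", "enableExecuteCommand": True,
     "containers": [{"name": "ecs-exec-example", "managedAgents": [
         {"name": "ExecuteCommandAgent", "lastStatus": "STOPPED",
          "reason": "constructed: SSM agent failed to start"}]}]},
], "failures": []})


def exec_readiness(describe_tasks_json):
    """One record per container saying whether ECS Exec is usable on it right now.
    Exec needs the enableExecuteCommand flag AND the ExecuteCommandAgent managed
    agent in RUNNING state; the flag alone is not enough, which a grep hides."""
    data = json.loads(describe_tasks_json)
    records = []
    for task in data.get("tasks", []):
        enabled = bool(task.get("enableExecuteCommand"))
        for container in task.get("containers", []):
            agent = next((a for a in container.get("managedAgents", [])
                          if a.get("name") == "ExecuteCommandAgent"), None)
            agent_status = agent.get("lastStatus") if agent else "ABSENT"
            ready = enabled and task.get("lastStatus") == "RUNNING" and agent_status == "RUNNING"
            records.append({"task": task["taskArn"].rsplit("/", 1)[-1],
                            "container": container["name"], "exec_enabled": enabled,
                            "agent_status": agent_status, "ready": ready})
    return records


def exec_enabled_tasks(describe_tasks_json):
    """Audit view: IDs of tasks on which a shell is reachable through ECS Exec."""
    return sorted({r["task"] for r in exec_readiness(describe_tasks_json)
                   if r["exec_enabled"]})
```

Feed it the real output of `aws ecs describe-tasks ... --output json` to get the same report for a live cluster.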
[1] - https://aws.amazon.com/blogs/containers/new-using-amazon-ecs-exec-access-your-containers-fargate-ec2/
[2] - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html#ecs-exec-required-iam-permissions
[3] - Example task definition (httpd:2.4 container):
# IAM role ARNs carry the account ID, not the region
aws_account_id=$(aws sts get-caller-identity --query Account --output text)
# The task role (taskRoleArn) must grant the ssmmessages permissions listed in [2];
# reusing ecsTaskExecutionRole as the task role only works if that policy is attached to it
cat <<EOF > task_def_file.json
{
"family": "ecs-exec-example-fargate",
"networkMode": "awsvpc",
"containerDefinitions": [
{
"name": "ecs-exec-example",
"image": "httpd:2.4",
"portMappings": [
{
"containerPort": 80,
"hostPort": 80,
"protocol": "tcp"
}
],
"essential": true,
"entryPoint": [
"sh",
"-c"
],
"command": [
"/bin/sh -c \"echo '<html> <head> <title>Updated Service</title> <style>body {margin-top: 40px; background-color: #333;} </style> </head><body> <div style=color:white;text-align:center> <h1>Amazon ECS Sample App</h1> <h2>Congratulations!</h2> <p>Your application is now running on a container in Amazon ECS.</p> </div></body></html>' > /usr/local/apache2/htdocs/index.html && httpd-foreground\""
]
}
],
"requiresCompatibilities": [
"FARGATE"
],
"cpu": "256",
"memory": "512",
"taskRoleArn": "arn:aws:iam::${aws_account_id}:role/ecsTaskExecutionRole",
"executionRoleArn": "arn:aws:iam::${aws_account_id}:role/ecsTaskExecutionRole"
}
EOF
[4] - https://github.com/aws-containers/amazon-ecs-exec-checker