As more organizations adopt serverless and containerized architectures, AWS Fargate has become a popular choice for running containers without the need to manage underlying infrastructure. However, with this abstraction comes the challenge of how to gain direct access to a running container for troubleshooting or maintenance, similar to how you would SSH into an EC2 instance.
Fortunately, AWS provides a powerful solution: SSH-like access to your ECS Fargate task containers using AWS Systems Manager and the ECS Execute Command feature. This blog will guide you through the steps to enable and use this feature, allowing you to interact with your containers directly.
Step 1: Create an IAM Policy
First, create an IAM policy that grants the permissions to create and open the control and data channels of AWS Systems Manager Session Manager. These channels carry the session traffic between the managed resource and Systems Manager; without them no session can be established.
The same four ssmmessages actions are what let Session Manager reach EC2 instances, but here the policy will be attached to the ECS task role, so that the SSM agent Fargate mounts into the task can open its channels. The ssmmessages actions do not support resource-level permissions, which is why "Resource" is "*"; the policy grants nothing beyond channel setup, and it does not by itself let anyone open a session (that requires ecs:ExecuteCommand on the caller's side).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*"
    }
  ]
}
Step 2: Create a Role with the Above Policy and Trust Relationship
Next, create an IAM role that uses the policy you just created and establish a trust relationship with the ECS service. This trust policy allows the Amazon ECS service to assume the IAM role. When an ECS task is launched, it can temporarily assume this role, inheriting the permissions defined by the role's policies.
This allows ECS tasks to use the permissions granted by the role to interact with AWS Systems Manager, particularly to create and manage control and data channels for session management.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Step 3: Add the Role to the ECS Task Definition as 'taskRoleArn'
In your ECS task definition, set 'taskRoleArn' to the ARN of the role you just created. This is the task role, the identity the application containers (and the Exec agent) run with. It is distinct from 'executionRoleArn', which the ECS agent uses to pull images and write logs; attaching the ssmmessages policy to the execution role instead will not enable Exec.
Step 4: Enable the Execute Command Feature
Open AWS CloudShell (or any shell with the AWS CLI configured) and run the following command, which turns on the "Execute Command" feature for the specified ECS service. With it enabled, ECS can run commands inside the service's containers. The identity running this command needs ecs:UpdateService on the service; whoever later opens a session needs ecs:ExecuteCommand on the task.
Command:
aws ecs update-service --cluster aceguardian-security-bot-ecs --service dev-aceguard-bo-fe-svc --enable-execute-command
Step 5: Force Redeploy the ECS Service for Tasks with Updated Configurations
After enabling the "Execute Command" feature, force a new deployment of the ECS service (the --force-new-deployment option of update-service) so that the running tasks are replaced. Execute Command is a launch-time property of a task: tasks that were already running before the change keep enableExecuteCommand=false until they are replaced, so only the tasks started by the new deployment carry the Exec agent. Fargate tasks must be on platform version 1.4.0 or later for the agent to be available.
Step 6: Access the ECS Fargate Task Container via AWS CloudShell
⦁ Open AWS CloudShell from the AWS Management Console.
⦁ Run the following command, replacing <task-id> and <container-name> with the appropriate values for your ECS task and container:
Command:
aws ecs execute-command --region ap-southeast-1 --cluster aceguardian-security-bot-ecs --task <task-id> --container <container-name> --command "/bin/bash" --interactive
If the container has bash installed, the command drops you into an interactive shell inside the container. If bash is absent (common on Alpine-based images), pass "/bin/sh" instead. Each session shows up in CloudTrail as an ecs:ExecuteCommand call, and the cluster's executeCommandConfiguration can additionally send the session transcript to CloudWatch Logs or S3, which is worth configuring before handing this access to a team.
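The most common failure at this step is opening a session against a task that was started before Exec was enabled, or whose agent never came up. As an added example (not part of the original post), the script below reads the JSON that `aws ecs describe-tasks` returns and reports whether a given container is ready for `execute-command`, checking the task's enableExecuteCommand flag and the ExecuteCommandAgent status under the container's managedAgents; it also builds the execute-command line with every value quoted as a single argument. The describe-tasks response embedded in it is constructed for illustration (the account id and task id are placeholders); the cluster and region names are the ones used in this post.

```python
"""Pre-flight check for ECS Exec, run before `aws ecs execute-command`.

Added example, not from the original post. It inspects the JSON returned by
`aws ecs describe-tasks` and reports whether a session can be opened: the task
must have been launched with enableExecuteCommand=true and the container's
ExecuteCommandAgent must be RUNNING. The sample response below is constructed;
the account id and task id in it are placeholders.
"""
import json
import shlex
import sys
from typing import Tuple, Union

# Constructed sample of `aws ecs describe-tasks --cluster ... --tasks ...` output,
# trimmed to the fields the check uses. "frontend" is ready; "sidecar" shows the
# agent in a non-running state.
SAMPLE_DESCRIBE_TASKS = json.dumps({
    "tasks": [{
        "taskArn": "arn:aws:ecs:ap-southeast-1:123456789012:task/"
                   "aceguardian-security-bot-ecs/0123456789abcdef0123456789abcdef",
        "enableExecuteCommand": True,
        "platformVersion": "1.4.0",
        "containers": [
            {"name": "frontend", "lastStatus": "RUNNING",
             "managedAgents": [{"name": "ExecuteCommandAgent", "lastStatus": "RUNNING"}]},
            {"name": "sidecar", "lastStatus": "RUNNING",
             "managedAgents": [{"name": "ExecuteCommandAgent", "lastStatus": "STOPPED",
                                "reason": "agent exited"}]},
        ],
    }],
    "failures": [],
})


def exec_readiness(describe_tasks: Union[str, dict], container: str) -> Tuple[bool, str]:
    """Return (ready, reason) for running execute-command against `container`.

    `describe_tasks` is the describe-tasks response, as a JSON string or a dict.
    """
    data = json.loads(describe_tasks) if isinstance(describe_tasks, str) else describe_tasks
    if data.get("failures"):
        failure = data["failures"][0]
        return False, f"describe-tasks failure: {failure.get('reason', 'unknown')} ({failure.get('arn', '?')})"
    tasks = data.get("tasks") or []
    if not tasks:
        return False, "task not found in describe-tasks response"
    task = tasks[0]
    # Exec is fixed at launch: a task started before update-service --enable-execute-command
    # keeps enableExecuteCommand=false until a new deployment replaces it (Step 5).
    if not task.get("enableExecuteCommand"):
        return False, "task has enableExecuteCommand=false; redeploy the service so new tasks pick it up"
    for c in task.get("containers", []):
        if c.get("name") != container:
            continue
        if c.get("lastStatus") != "RUNNING":
            return False, f"container {container} is {c.get('lastStatus')}, not RUNNING"
        agents = {a.get("name"): a for a in c.get("managedAgents", [])}
        agent = agents.get("ExecuteCommandAgent")
        if agent is None:
            return False, f"container {container} reports no ExecuteCommandAgent"
        if agent.get("lastStatus") != "RUNNING":
            return False, f"ExecuteCommandAgent is {agent.get('lastStatus')}: {agent.get('reason', 'no reason given')}"
        return True, "ExecuteCommandAgent RUNNING"
    return False, f"container {container} not present in task"


def build_execute_command(region: str, cluster: str, task_id: str,
                          container: str, command: str = "/bin/bash") -> str:
    """Build the execute-command line; shlex.join quotes any value that needs it."""
    argv = ["aws", "ecs", "execute-command", "--region", region, "--cluster", cluster,
            "--task", task_id, "--container", container, "--command", command, "--interactive"]
    return shlex.join(argv)


if __name__ == "__main__":
    # Usage: aws ecs describe-tasks --cluster <cluster> --tasks <task-id> | python3 exec_check.py <container>
    # With no piped input the constructed sample is used.
    wanted = sys.argv[1] if len(sys.argv) > 1 else "frontend"
    response = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_TASKS
    ready, why = exec_readiness(response, wanted)
    print(f"{wanted}: {'ready' if ready else 'NOT ready'}: {why}")
    if ready:
        print(build_execute_command("ap-southeast-1", "aceguardian-security-bot-ecs",
                                    "<task-id>", wanted))
```

Run it against the real task with the describe-tasks output piped in; a "NOT ready" verdict naming enableExecuteCommand=false means the task predates Step 4 and needs the redeploy from Step 5, while a non-RUNNING agent points at the task role permissions from Steps 1 to 3 or the platform version.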