- Prerequisites
  - Install AWS CLI
  - Install AWS ECS CLI
  - Install AWS Session Manager plug-in
Step-by-step instructions for meeting these prerequisites are at the URLs linked at the bottom of this page.
After installing ECS CLI, you can run the ecs command as below.
aws ecs execute-command \
  --region [your region] \
  --cluster [your ecs cluster name] \
  --task [your task number] \
  --container [your container name] \
  --command "/bin/bash" \
  --interactive
If you run into the error below, try again with the command value changed from "/bin/bash" to "/bin/sh".
Error:
----------ERROR-------
Unable to start command: Failed to start pty: fork/exec /bin/bash: no such file or directory
You can designate your specific ECS task execution role and log configuration by creating ecs-exec.json. Below is an example; replace the awslogs-region value with your region.
{
  "family": "ecs-exec-demo",
  "networkMode": "awsvpc",
  "executionRoleArn": "arn:aws:iam::[your account id]:role/ecs-exec-task-execution-role",
  "taskRoleArn": "arn:aws:iam::[your account id]:role/ecs-exec-task-role",
  "containerDefinitions": [
    {
      "name": "nginx",
      "image": "nginx",
      "linuxParameters": {
        "initProcessEnabled": true
      },
      "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
          "awslogs-group": "/aws/ecs/ecs-exec-log",
          "awslogs-region": "ap-northeast-2",
          "awslogs-stream-prefix": "container-stdout"
        }
      }
    }
  ],
  "requiresCompatibilities": [
    "FARGATE"
  ],
  "cpu": "256",
  "memory": "512"
}
Then you can register the task definition from the JSON file with ECS CLI like this.
aws ecs register-task-definition --cli-input-json file://ecs-exec.json --region ap-northeast-2
If you encounter any error, you can find out what you've missed by running this script, which I found on the internet.
Run without cloning Git repo
$ bash <( curl -Ls https://raw.githubusercontent.com/aws-containers/amazon-ecs-exec-checker/main/check-ecs-exec.sh )
Usage
$ ./check-ecs-exec.sh <YOUR_ECS_CLUSTER_NAME> <YOUR_ECS_TASK_ID>
The script checks the resources associated with the ECS cluster, including the task role's ssmmessages permissions, VPC endpoints, etc.
Task Role Permissions | arn:aws:iam::xxxxxxxxxx:role/xxxx-task-role
ssmmessages:CreateControlChannel: allowed
ssmmessages:CreateDataChannel: allowed
ssmmessages:OpenControlChannel: allowed
ssmmessages:OpenDataChannel: allowed
The script reports CHECK FAILED for VPC Endpoints when the VPC of the ECS cluster is shared through AWS RAM from a different AWS account.
If the security group of the ssmmessages service VPC endpoint allows the source environment, access via sh will connect without any issues.
VPC Endpoints | CHECK FAILED
Amazon ECS Exec Checker doesn't support VPC endpoint validation for AWS RAM shared VPC/subnets.
Check or contact your administrator to find if additional VPC endpoints are required by the following resources.
- Resources: vpc-0b9f6499dd493a1b7 and subnet-08785cff94b2d329b
- VPC Endpoint: com.amazonaws.ap-northeast-2.ssmmessages
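The task role permission check from the checker output above can also be run offline against a policy document before the role is attached. This is an added example, not part of the checker script or the original post; the function names are hypothetical, and it only evaluates Effect and Action (NotAction, Resource and Condition are ignored).

```python
import fnmatch

# The four actions the checker output lists for the task role.
REQUIRED_ACTIONS = [
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
]

def _as_list(value):
    # IAM allows Statement and Action to be a single item or a list.
    return value if isinstance(value, list) else [value]

def _matches(action, statement):
    """True if one of the statement's Action patterns covers `action`.
    IAM action names are case-insensitive and may use * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))

def missing_exec_actions(policy):
    """Return the required actions the policy does not grant.
    An explicit Deny overrides any Allow, as in IAM evaluation."""
    statements = _as_list(policy.get("Statement", []))
    missing = []
    for action in REQUIRED_ACTIONS:
        allowed = any(s.get("Effect") == "Allow" and _matches(action, s) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _matches(action, s) for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing

def preflight(task_def, task_role_policy):
    """List ECS Exec problems visible in a task definition and its task role policy."""
    problems = []
    if not task_def.get("taskRoleArn"):
        problems.append("taskRoleArn is not set")
    problems += ["task role lacks " + a for a in missing_exec_actions(task_role_policy)]
    return problems

if __name__ == "__main__":
    # Constructed sample: a policy that only grants the Create* actions.
    sample_policy = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ssmmessages:Create*", "Resource": "*"}]}
    sample_task_def = {"family": "ecs-exec-demo", "taskRoleArn": "arn:aws:iam::[your account id]:role/ecs-exec-task-role"}
    for problem in preflight(sample_task_def, sample_policy):
        print(problem)
```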
If you need commands such as python, pip, the AWS CLI or telnet inside your Fargate container, you can simply install what you need with the apk package manager that comes with the image.
apk update
apk add python3 py3-pip docker
apk add busybox-extras
pip3 install awscli
Sending a message through AWS SES with the AWS CLI from Fargate looks like this:
aws ses send-email --from sender@example.com --destination file://destination.json --message file://message.json
destination.json:
{
"ToAddresses": ["recipient1@example.com", "recipient2@example.com"],
"CcAddresses": ["recipient3@example.com"],
"BccAddresses": []
}
message.json:
{
"Subject": {
"Data": "Test email sent using the AWS CLI",
"Charset": "UTF-8"
},
"Body": {
"Text": {
"Data": "This is the message body in text format.",
"Charset": "UTF-8"
},
"Html": {
"Data": "This message body contains HTML formatting. It can, for example, contain links like this one: <a class=\"ulink\" href=\"http://docs.aws.amazon.com/ses/latest/DeveloperGuide\" target=\"_blank\">Amazon SES Developer Guide</a>.",
"Charset": "UTF-8"
}
}
}
Output:
{
"MessageId": "010c0181XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}
Reference:
- https://aws.amazon.com/ko/blogs/containers/new-using-amazon-ecs-exec-access-your-containers-fargate-ec2/
- https://docs.aws.amazon.com/ko_kr/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html
- https://docs.aws.amazon.com/ko_kr/AmazonECS/latest/developerguide/ECS_CLI_installation.html
- https://github.com/aws-containers/amazon-ecs-exec-checker