DEVELOPER BLOG


【Introduction to Containers】Entering the ECS Fargate container to execute commands - PrismScaler

1. Introduction

Hello! We are the writer team at Definer Inc. In this issue we look at how to execute commands inside an ECS Fargate container. Let's walk through the actual screens and resources and explain it in detail.

2. Purpose/Use Cases

In ECS (Amazon Elastic Container Service) with Fargate, containers run as tasks within a cluster. Commands run in an ECS Fargate container in the following situations:
  1. Container startup: When a container starts, you can specify a command or entrypoint to be executed. This command runs once, when the container starts up.
  2. Task execution: Tasks in ECS are composed of one or more containers. Each container within a task can have its own command or entrypoint defined. When a task is started, the command specified for each container is executed.
  3. Container restart: If a container fails or is stopped, ECS can start a replacement. The replacement runs the same command or entrypoint again.
All of these happen at startup. Sometimes, however, you need to act on a container that is already running: update a configuration file, inspect a process, or, when issues arise with your application on ECS Fargate, get a shell for troubleshooting and debugging. For this we can use ECS Exec, a feature of Amazon ECS that allows you to execute commands directly inside running containers in an ECS cluster. This article summarizes information and practices that are helpful when you want to execute commands inside an ECS Fargate container.

3. What is ECS exec?

ECS Exec is a feature of Amazon ECS that lets you run commands directly inside running containers. It provides a way to troubleshoot and debug without SSH or host access, every session is subject to IAM, and sessions can be logged. You drive it from the AWS CLI (aws ecs execute-command) or the SDK, and it connects you to a single container rather than to the host.

Previously, when using Fargate, it was not possible to execute commands inside a container at all. With the EC2 launch type, two steps were required: log in to the container instance, then run docker exec. With ECS Exec this is a single step for both launch types.

ECS Exec uses the Session Manager mechanism of AWS Systems Manager to reach the container from the client: ECS bind-mounts the SSM agent binaries into the target container and runs the agent there as a sidecar process, the agent opens an outbound connection to the Systems Manager endpoints (the ssmmessages service), and the client attaches to that session through the same endpoints. Therefore there is no need to log in to an EC2 instance or to open an SSH port in the security group; the task only needs outbound reachability to the ssmmessages endpoint, through a NAT gateway or a VPC interface endpoint.

Here are some key points about ECS Exec:
  1. Secure execution: Traffic between the client, the Systems Manager endpoints and the agent inside the container is carried over TLS, and the session data can additionally be encrypted with a KMS key of your choice through the cluster's executeCommandConfiguration. No inbound port is opened on the task.
  2. Container-level access: With ECS Exec, you execute commands at the container level rather than the host level. You interact with one container at a time, inspect its state, and troubleshoot issues specific to that container.
  3. Direct communication: The session terminates at the SSM agent running inside the target container, not at the ECS agent or the host, so there are no SSH keys, bastion hosts or port-forwarding rules to manage.
  4. Integration with the AWS CLI and SDK: ECS Exec is started with aws ecs execute-command (which needs the Session Manager plugin installed on the client) or with the ExecuteCommand API from an SDK, so it works both interactively and programmatically.
  5. Role-based access control: Access is controlled with AWS Identity and Access Management (IAM). The principal running the command needs ecs:ExecuteCommand, which can be restricted per cluster, per container name (the ecs:container-name condition key) and per resource tag. Separately, the task role must allow the ssmmessages actions, or the agent inside the container cannot register and no session can be opened. Sessions can be logged to CloudWatch Logs or S3 through the cluster's executeCommandConfiguration, which gives you an audit trail of who ran what.
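The following is an added example, not code from the original post or from AWS. It builds the kind of scoped operator policy described in point 5 (ecs:ExecuteCommand limited to one cluster, one container name and one resource tag) and checks its effect with a deliberately small model of IAM evaluation. The condition keys ecs:cluster, ecs:container-name and aws:ResourceTag/environment and the ARN shapes are real; the account ID, region, cluster, container and task names are constructed, and the evaluator only models what this policy uses (wildcard ARNs, StringEquals conditions, explicit deny wins, implicit deny otherwise).

```python
"""Scoped ECS Exec operator policy, checked with a simplified IAM evaluator.

Added example; constructed identifiers and a toy evaluator, not AWS code.
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"   # constructed account id
REGION = "ap-northeast-1"  # constructed region


def cluster_arn(cluster: str) -> str:
    return f"arn:aws:ecs:{REGION}:{ACCOUNT}:cluster/{cluster}"


def task_arn(cluster: str, task_id: str) -> str:
    return f"arn:aws:ecs:{REGION}:{ACCOUNT}:task/{cluster}/{task_id}"


def scoped_execute_command_policy(cluster: str, container: str, env_tag: str) -> dict:
    """Identity policy for the operator who runs `aws ecs execute-command`.

    ecs:DescribeTasks is granted in its own statement: the CLI looks the task
    up before connecting, and that call carries no container-name context key,
    so the conditions below would fail it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ecs:DescribeTasks",
             "Resource": task_arn(cluster, "*")},
            {"Effect": "Allow", "Action": "ecs:ExecuteCommand",
             "Resource": task_arn(cluster, "*"),
             "Condition": {"StringEquals": {
                 "ecs:cluster": cluster_arn(cluster),
                 "ecs:container-name": container,
                 "aws:ResourceTag/environment": env_tag,
             }}},
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Simplified IAM decision: a statement applies when Action and Resource
    patterns match and every StringEquals condition equals the context value
    (a key missing from the context fails the condition, as in IAM).
    Explicit Deny wins, any matching Allow grants, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if any(context.get(key) != value for key, value in conditions.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def exec_request(cluster: str, task_id: str, container: str, env_tag: str):
    """(action, resource, context) as ECS presents an ExecuteCommand call."""
    return ("ecs:ExecuteCommand", task_arn(cluster, task_id), {
        "ecs:cluster": cluster_arn(cluster),
        "ecs:container-name": container,
        "aws:ResourceTag/environment": env_tag,
    })


POLICY = scoped_execute_command_policy("prod", "app", "production")
TASK = "0123456789abcdef0123456789abcdef"   # constructed task id


def decisions() -> dict:
    """Which exec attempts the scoped policy permits (only the first one)."""
    cases = {
        "app container, prod cluster, task tagged production": exec_request("prod", TASK, "app", "production"),
        "envoy sidecar in the same task": exec_request("prod", TASK, "envoy", "production"),
        "app container in the staging cluster": exec_request("staging", TASK, "app", "production"),
        "app container on a task tagged development": exec_request("prod", TASK, "app", "development"),
    }
    return {name: is_allowed(POLICY, *req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, ok in decisions().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}")
```

The sidecar case is the one worth noticing: a task usually carries more than one container, and without the ecs:container-name condition an operator allowed into the application container can equally open a shell in an Envoy or log-shipping sidecar that holds different credentials.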

4. Try ECS exec

We will actually try ECS Exec against Fargate. ECS will use the service and task definition created in "Creating Microservices with Amazon ECS". Prerequisites:

・On the client: AWS CLI v2 2.1.31 or later, with the Session Manager plugin for the AWS CLI installed (the execute-command subcommand calls the plugin to open the session).
・To run the container on an EC2 instance: an ECS-optimized AMI released after 2021/01/20, so that the ECS agent and SSM agent on the instance support ECS Exec.
・To run the container on Fargate: Fargate platform version 1.4.0 or later.
・Networking: the task needs outbound access to the Systems Manager ssmmessages endpoint, through a NAT gateway or a VPC interface endpoint for ssmmessages.

The actual procedure is described below.

(1) Add SSM permissions to the ECS task role

Add the following permissions to the ECS task role specified in the task definition. It must be the task role, not the task execution role: the caller of these APIs is the SSM agent process inside the container, which runs with the task role. The ssmmessages actions do not support resource-level permissions, so the resource has to be "*". If you also want sessions logged (recommended for audit), the task role additionally needs permission to write to the CloudWatch Logs log group or S3 bucket configured in the cluster's executeCommandConfiguration. IAM permissions to be added to the ECS task role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        }
    ]
}

(2) Enable "enableExecuteCommand" for the ECS service

Enable it with the following command. enableExecuteCommand is a property of the service (set with create-service or update-service) or of a standalone task (the --enable-execute-command option of run-task); it is not part of the task definition or the container definition, so there is nothing to change there.

## Enable ECS Exec
aws ecs update-service \
--cluster default \
--service test-nginx \
--enable-execute-command

(3) Update the ECS service

Tasks that are already running do not pick the setting up, so update the service with --force-new-deployment so that replacement tasks are started with ECS Exec enabled. Once the new task is RUNNING, retrieve its task ID (or full task ARN) from the console or with the list-tasks subcommand and keep it for the next step; in the command below it is assumed to be in the shell variable TASK_ID.

(4) Execute the ECS Exec command

## ECS Exec command
aws ecs execute-command \
--cluster default \
--task "$TASK_ID" \
--container test-nginx \
--interactive \
--command /bin/sh

You have successfully logged into the Fargate container!

You can use the "ls" and "pwd" commands to explore inside the container, and "exit" to close the session. Two caveats: the command you pass must exist in the image (a distroless or scratch-based image has no /bin/sh, and the session fails immediately), and the shell runs as the container's user, usually root unless the image sets USER, so treat an ECS Exec session as privileged access and keep it behind scoped IAM permissions and session logging.
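When execute-command fails, the error message rarely says which of the prerequisites above is missing. The following added pre-flight check, written for this post and not code from the original article or from AWS, reads the output of aws ecs describe-tasks (piped in on stdin, or a constructed sample when run without input) and reports every reason ECS Exec cannot work for the requested container: task not running, enableExecuteCommand still false, Fargate platform version below 1.4.0, container name wrong, or the ExecuteCommandAgent managed agent not RUNNING (the usual symptom of a task role without the ssmmessages permissions or of no route to the ssmmessages endpoint). The field names platformVersion, enableExecuteCommand, managedAgents and ExecuteCommandAgent are the real describe-tasks fields; the ARNs and IDs in the sample are made up.

```python
"""Pre-flight check for `aws ecs execute-command` over describe-tasks output.

Added example; the sample document is constructed, not captured from AWS.
Usage:  aws ecs describe-tasks --cluster default --tasks "$TASK_ID" | python3 preflight.py test-nginx
"""
import json
import shlex
import sys

# Constructed sample: one Fargate task whose exec agent is already running.
SAMPLE_DESCRIBE_TASKS = json.loads("""
{
  "tasks": [
    {
      "taskArn": "arn:aws:ecs:ap-northeast-1:123456789012:task/default/0123456789abcdef0123456789abcdef",
      "clusterArn": "arn:aws:ecs:ap-northeast-1:123456789012:cluster/default",
      "launchType": "FARGATE",
      "platformVersion": "1.4.0",
      "lastStatus": "RUNNING",
      "enableExecuteCommand": true,
      "containers": [
        {
          "name": "test-nginx",
          "lastStatus": "RUNNING",
          "managedAgents": [{"name": "ExecuteCommandAgent", "lastStatus": "RUNNING"}]
        }
      ]
    }
  ]
}
""")


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def exec_readiness(task: dict, container: str) -> list:
    """Reasons ECS Exec will NOT work for `container` in `task`; [] means ready."""
    problems = []
    if task.get("lastStatus") != "RUNNING":
        problems.append(f"task is {task.get('lastStatus')}, not RUNNING")
    if not task.get("enableExecuteCommand"):
        problems.append("enableExecuteCommand is false: enable it on the service or run-task "
                        "and start a new task; running tasks never pick it up")
    if task.get("launchType") == "FARGATE":
        pv = task.get("platformVersion", "")
        try:
            if _version_tuple(pv) < (1, 4, 0):
                problems.append(f"Fargate platform version {pv} is below 1.4.0")
        except ValueError:
            problems.append(f"unrecognised platformVersion {pv!r}")
    matches = [c for c in task.get("containers", []) if c.get("name") == container]
    if not matches:
        problems.append(f"no container named {container!r} in this task")
        return problems
    agents = {a.get("name"): a.get("lastStatus") for a in matches[0].get("managedAgents", [])}
    status = agents.get("ExecuteCommandAgent")
    if status != "RUNNING":
        problems.append(f"ExecuteCommandAgent is {status or 'absent'}: check the task role's "
                        "ssmmessages permissions and outbound access to the ssmmessages endpoint")
    return problems


def preflight(describe_tasks: dict, container: str) -> dict:
    """Map every task ARN in a describe-tasks response to its list of problems."""
    return {t["taskArn"]: exec_readiness(t, container) for t in describe_tasks.get("tasks", [])}


def execute_command_argv(cluster: str, task: str, container: str, command: str = "/bin/sh") -> list:
    """argv for the CLI call shown in step (4), as a list so the task ARN and
    command are never re-parsed by a shell."""
    return ["aws", "ecs", "execute-command", "--cluster", cluster, "--task", task,
            "--container", container, "--interactive", "--command", command]


if __name__ == "__main__":
    container = sys.argv[1] if len(sys.argv) > 1 else "test-nginx"
    doc = SAMPLE_DESCRIBE_TASKS if sys.stdin.isatty() else json.load(sys.stdin)
    for arn, problems in preflight(doc, container).items():
        if problems:
            print(f"{arn}: NOT ready\n  - " + "\n  - ".join(problems))
        else:
            print(f"{arn}: ready, run: " + shlex.join(execute_command_argv("default", arn, container)))
```

The check deliberately stops at the container lookup: once the container name is wrong there is no managed agent to inspect, and the remaining message would only be noise. The one thing describe-tasks cannot tell you is whether the operator's own IAM identity is allowed to call ecs:ExecuteCommand; an AccessDeniedException at that point is the scoped policy from section 3 doing its job.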

5. Cited/Referenced Articles

6. About the proprietary solution "PrismScaler"

・PrismScaler is a web service that enables the construction of multi-cloud infrastructures such as AWS, Azure, and GCP in just three steps, without requiring development and operation. ・The solution is designed for a wide range of usage scenarios such as cloud infrastructure construction/cloud migration, cloud maintenance and operation, and cost optimization, and can easily realize several hundred high-quality general-purpose cloud infrastructures by appropriately combining IaaS and PaaS.

7. Contact us

This article provides useful introductory information free of charge. For consultation and inquiries, please contact "Definer Inc".

8. Regarding Definer

・Definer Inc. provides one-stop solutions from upstream to downstream of IT. ・We are committed to providing integrated support for advanced IT technologies such as AI and cloud IT infrastructure, from consulting to requirement definition, design, development, implementation, maintenance, and operation. ・PrismScaler provides high-quality, rapid "auto-configuration," "auto-monitoring," "problem detection," and "configuration visualization" for multi-cloud/IT infrastructure such as AWS, Azure, and GCP.