ECS Exec uses AWS Systems Manager (SSM) Session Manager to establish a connection with the running container, and uses AWS Identity and Access Management (IAM) policies to control who may run commands in a running container. ECS Exec is only supported for Linux containers.
IAM permissions required for ECS Exec
Attach the following policy to your task IAM role to grant the SSM permissions that ECS Exec requires.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ExecuteCommandSessionManagement",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ExecuteCommand",
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "arn:aws:ecs:*:*:task/*",
        "arn:aws:ssm:*:*:document/AmazonECS-ExecuteInteractiveCommand"
      ]
    }
  ]
}
Enabling ECS Exec for your tasks and services
- You can enable ECS Exec for services and standalone tasks by passing the --enable-execute-command flag to one of the following AWS CLI commands: create-service, update-service, start-task, or run-task.
To enable it on an existing service, use the following command (a new deployment is forced so that running tasks pick up the setting):
aws ecs update-service --cluster cluster-name --service service-name --region region --enable-execute-command --force-new-deployment
- After you have enabled ECS Exec for a task, run the following command to confirm that the task is ready to use. If the lastStatus property of the ExecuteCommandAgent is RUNNING and the enableExecuteCommand property is true, the task is ready.
aws --region region ecs describe-tasks --cluster cluster-name --tasks task-id
The following output snippet is an example of what you might see.
{
  "tasks": [
    {
      ...
      "containers": [
        {
          ...
          "managedAgents": [
            {
              "lastStartedAt": "2021-03-01T14:49:44.574000-06:00",
              "name": "ExecuteCommandAgent",
              "lastStatus": "RUNNING"
            }
          ]
        }
      ],
      ...
      "enableExecuteCommand": true,
      ...
    }
  ]
}
Running commands using ECS Exec
After you have confirmed that the ExecuteCommandAgent is running, you can open an interactive shell in your container with the following command.
aws --region region ecs execute-command --cluster cluster-name --interactive --task task-id --command /bin/bash
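As an added example (not part of the original page or of AWS's tooling), the readiness check described above, applied to describe-tasks output before calling execute-command: a task counts as ready only when enableExecuteCommand is true and every container reports an ExecuteCommandAgent with lastStatus RUNNING. The task ARNs, account ID and container names in SAMPLE are constructed placeholders.

```python
from typing import Dict


def task_exec_readiness(describe_tasks_output: dict) -> Dict[str, dict]:
    """Map each task ARN in describe-tasks output to its ECS Exec readiness.

    Ready means enableExecuteCommand is true AND every container reports an
    ExecuteCommandAgent with lastStatus RUNNING; a container without an agent
    entry is reported as MISSING so the reason for "not ready" is visible.
    """
    readiness = {}
    for task in describe_tasks_output.get("tasks", []):
        arn = task.get("taskArn", "<unknown-task>")
        enabled = task.get("enableExecuteCommand") is True
        agents = {}
        for container in task.get("containers", []):
            status = "MISSING"
            for agent in container.get("managedAgents", []):
                if agent.get("name") == "ExecuteCommandAgent":
                    status = agent.get("lastStatus", "UNKNOWN")
            agents[container.get("name", "<unnamed>")] = status
        all_running = bool(agents) and all(s == "RUNNING" for s in agents.values())
        readiness[arn] = {"enableExecuteCommand": enabled, "agents": agents,
                          "ready": enabled and all_running}
    return readiness


# Constructed sample shaped like `aws ecs describe-tasks` output (not real data).
SAMPLE = {"tasks": [
    {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/demo/aaaa1111",
     "enableExecuteCommand": True,
     "containers": [{"name": "web", "managedAgents": [
         {"name": "ExecuteCommandAgent", "lastStatus": "RUNNING"}]}]},
    {"taskArn": "arn:aws:ecs:us-east-1:111122223333:task/demo/bbbb2222",
     "enableExecuteCommand": True,
     "containers": [{"name": "web", "managedAgents": [
                        {"name": "ExecuteCommandAgent", "lastStatus": "PENDING"}]},
                    {"name": "sidecar", "managedAgents": []}]},
]}

if __name__ == "__main__":
    for arn, info in task_exec_readiness(SAMPLE).items():
        print(f"{arn}: ready={info['ready']} agents={info['agents']}")
```

To check real tasks, pipe the describe-tasks command's output into the script and pass `json.load(sys.stdin)` in place of SAMPLE.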