AWS ECS Exec

What is Amazon ECS Exec

A feature that lets you log in remotely to ECS Fargate tasks, which ordinarily cannot be reached over SSH.

Preparation

Grant the SSM-related roles (permissions)

Execution

Start the task (with ECS Exec enabled on the service)

aws ecs update-service \
--cluster クラスタ名 \
--service サービス名 \
--enable-execute-command

Connect

aws ecs execute-command \
--cluster クラスタ名 \
--task タスクID \
--container コンテナ名 \
--interactive \
--command "/bin/sh"

Investigating connection errors

AWS official checker tool

https://github.com/aws-containers/amazon-ecs-exec-checker

bash <( curl -Ls https://raw.githubusercontent.com/aws-containers/amazon-ecs-exec-checker/main/check-ecs-exec.sh ) サービス名 タスクID

Note: jq must be installed beforehand

Result
-------------------------------------------------------------
Prerequisites for check-ecs-exec.sh v0.7
-------------------------------------------------------------
jq | OK (/opt/homebrew/bin/jq)
AWS CLI | OK (/opt/homebrew/bin/aws)
-------------------------------------------------------------
Prerequisites for the AWS CLI to use ECS Exec
-------------------------------------------------------------
AWS CLI Version | OK (aws-cli/2.9.22 Python/3.11.1 Darwin/22.5.0 source/arm64 prompt/off)
Session Manager Plugin | OK (1.2.323.0)
-------------------------------------------------------------
Checks on ECS task and other resources
-------------------------------------------------------------
Region : XXXXXXXXXX
Cluster: XXXXXXXXXX
Task : XXXXXXXXXX
-------------------------------------------------------------
Cluster Configuration | Audit Logging Not Configured
Can I ExecuteCommand? | arn:aws:iam::XXXXXXXXXX:user/XXXXXXXXXX
ecs:ExecuteCommand: allowed
ssm:StartSession denied?: allowed
Task Status | RUNNING
Launch Type | Fargate
Platform Version | 1.4.0

The following line must be "OK":
Exec Enabled for Task | OK

Container-Level Checks |
----------
Managed Agent Status
----------
1. RUNNING for "XXXXXXXXXX"
2. RUNNING for "XXXXXXXXXX"
----------
Init Process Enabled (task-XXXXXXXXXX:XXX)
----------
1. Disabled - "XXXXXXXXXX"
2. Disabled - "XXXXXXXXXX"
----------
Read-Only Root Filesystem (task-XXXXXXXXXX:XXX)
----------
1. Disabled - "XXXXXXXXXX"
2. Disabled - "XXXXXXXXXX"
Task Role Permissions | arn:aws:iam::XXXXXXXXXX:role/ecsTaskExecutionRole
ssmmessages:CreateControlChannel: allowed
ssmmessages:CreateDataChannel: allowed
ssmmessages:OpenControlChannel: allowed
ssmmessages:OpenDataChannel: allowed
VPC Endpoints | SKIPPED (vpc-XXXXXXXXXX - No additional VPC endpoints required)
Environment Variables | (task-XXXXXXXXXX:XXX)
1. container "XXXXXXXXXX"
- AWS_ACCESS_KEY: not defined
- AWS_ACCESS_KEY_ID: not defined
- AWS_SECRET_ACCESS_KEY: not defined
2. container "XXXXXXXXXX"
- AWS_ACCESS_KEY: not defined
- AWS_ACCESS_KEY_ID: not defined
- AWS_SECRET_ACCESS_KEY: not defined
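As an added example (not part of the original note and not the checker tool's own code), the following Python reproduces the task-level checks above offline: Task Status, Exec Enabled for Task, Fargate platform version, and Managed Agent Status. It takes one task record shaped like the output of aws ecs describe-tasks; the sample task below is constructed, and the field names follow the ECS DescribeTasks API.

```python
"""Offline readiness check for ECS Exec, modelled on the task-level checks
that check-ecs-exec.sh prints. Input: one entry from the `tasks` list
returned by `aws ecs describe-tasks` (or boto3 describe_tasks())."""


def parse_version(v):
    """'1.4.0' -> (1, 4, 0); non-numeric values such as 'LATEST' -> None."""
    try:
        return tuple(int(x) for x in v.split("."))
    except (AttributeError, ValueError):
        return None


def exec_readiness(task):
    """Return a list of human-readable problems; an empty list means ready."""
    problems = []
    if task.get("lastStatus") != "RUNNING":
        problems.append(f"task status is {task.get('lastStatus')!r}, expected RUNNING")
    if not task.get("enableExecuteCommand", False):
        problems.append("enableExecuteCommand is false (enable it on the service "
                        "and relaunch the task)")
    if task.get("launchType") == "FARGATE":
        pv = parse_version(task.get("platformVersion", ""))
        if pv is not None and pv < (1, 4, 0):
            problems.append(f"Fargate platform version {task['platformVersion']} < 1.4.0")
    for c in task.get("containers", []):
        # The SSM agent that ECS Exec relies on shows up as a managed agent per container.
        agents = {a.get("name"): a.get("lastStatus") for a in c.get("managedAgents", [])}
        status = agents.get("ExecuteCommandAgent")
        if status != "RUNNING":
            problems.append(f'ExecuteCommandAgent not RUNNING for container "{c.get("name")}" '
                            f"(status: {status})")
    return problems


# Constructed sample shaped like describe-tasks output; not a real task.
SAMPLE_TASK = {
    "taskArn": "arn:aws:ecs:REGION:ACCOUNT:task/example-cluster/TASKID",
    "lastStatus": "RUNNING",
    "launchType": "FARGATE",
    "platformVersion": "1.4.0",
    "enableExecuteCommand": True,
    "containers": [
        {"name": "app", "managedAgents": [{"name": "ExecuteCommandAgent", "lastStatus": "RUNNING"}]},
        {"name": "sidecar", "managedAgents": []},  # agent missing: exec into it will fail
    ],
}

if __name__ == "__main__":
    for line in exec_readiness(SAMPLE_TASK) or ["ready for ecs execute-command"]:
        print(line)
```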
