Amazon ECS Exec enables direct interaction with running containers for troubleshooting and monitoring without needing SSH access or host-level intervention. This feature simplifies diagnostics by allowing commands or shells inside containers on EC2, Fargate, or ECS Anywhere.
Key Features
ECS Exec supports Linux and Windows containers, can log the commands run in each session to CloudWatch Logs or S3 for auditing (the ExecuteCommand API calls themselves are recorded by CloudTrail), and uses AWS KMS to encrypt session data. Enable it at the cluster level with executeCommandConfiguration and per-task via enableExecuteCommand.
The Amazon ECS console now supports ECS Exec, enabling you to open secure, interactive shell access directly from the AWS Management Console to any running container.
ECS customers often need to access running containers to debug applications and examine running processes. ECS Exec provides easy and secure access to running containers without requiring inbound ports or SSH key management.
To get started, you can turn on ECS Exec directly in the console when creating or updating services and standalone tasks. Additional settings like encryption and logging can also be configured at the cluster level through the console. Once enabled, navigate to a task details page, select a container, and click "Connect" to open an interactive session through CloudShell. The console also displays the underlying AWS CLI command, which you can customize or copy to use in your local terminal.
Configuring ECS Exec
To use ECS Exec, you must first turn on the feature for your tasks and services, and then you can run commands in your containers.
Turning on ECS Exec for your tasks and services
You can turn on the ECS Exec feature for your services and standalone tasks by specifying the --enable-execute-command flag when using one of the following AWS CLI commands: create-service, update-service, start-task, or run-task.
For example, if you run the following command, the ECS Exec feature is turned on for a newly created service that runs on Fargate. For more information about creating services, see create-service.
aws ecs create-service \
--cluster cluster-name \
--task-definition task-definition-name \
--enable-execute-command \
--service-name service-name \
--launch-type FARGATE \
--network-configuration "awsvpcConfiguration={subnets=[subnet-12344321],securityGroups=[sg-12344321],assignPublicIp=ENABLED}" \
--desired-count 1
After you turn on ECS Exec for a task, you can run the following command to confirm the task is ready to be used. If the lastStatus property of the ExecuteCommandAgent managed agent in each container is RUNNING and the task's enableExecuteCommand property is true, then your task is ready.
aws ecs describe-tasks \
--cluster cluster-name \
--tasks task-id
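The readiness check just described, done programmatically as an added example (this is not code from the post or from AWS): it reads a constructed describe-tasks response and reports, per task, whether ECS Exec is enabled and every container's ExecuteCommandAgent is RUNNING. The same loop doubles as an inventory of which tasks currently expose a shell path, which is worth reviewing periodically. The task ARNs and container names are made up.

```python
import json

# Constructed sample of `aws ecs describe-tasks` output (not a real account).
# Task aaaa1111 is exec-ready, bbbb2222 has exec on but its agent is still
# PENDING, and cccc3333 never had exec enabled.
ARN = "arn:aws:ecs:us-east-1:111122223333:task/cluster-name/"
SAMPLE_DESCRIBE_TASKS = json.dumps({"tasks": [
    {"taskArn": ARN + "aaaa1111", "enableExecuteCommand": True, "containers": [
        {"name": "web", "managedAgents": [
            {"name": "ExecuteCommandAgent", "lastStatus": "RUNNING"}]}]},
    {"taskArn": ARN + "bbbb2222", "enableExecuteCommand": True, "containers": [
        {"name": "web", "managedAgents": [
            {"name": "ExecuteCommandAgent", "lastStatus": "PENDING"}]},
        {"name": "sidecar", "managedAgents": []}]},
    {"taskArn": ARN + "cccc3333", "enableExecuteCommand": False,
     "containers": [{"name": "web"}]},
], "failures": []})


def exec_readiness(describe_tasks_json):
    """Map each taskArn to (ready, reason).

    Mirrors the manual check in the post: a task is ready only when
    enableExecuteCommand is true AND every container reports an
    ExecuteCommandAgent whose lastStatus is RUNNING.
    """
    result = {}
    for task in json.loads(describe_tasks_json).get("tasks", []):
        arn = task["taskArn"]
        if not task.get("enableExecuteCommand", False):
            result[arn] = (False, "enableExecuteCommand is false")
            continue
        for container in task.get("containers", []):
            agents = {a["name"]: a.get("lastStatus")
                      for a in container.get("managedAgents", [])}
            status = agents.get("ExecuteCommandAgent")
            if status != "RUNNING":
                result[arn] = (False, f"{container['name']}: "
                               f"ExecuteCommandAgent is {status or 'missing'}")
                break
        else:  # no container broke the loop: every agent is RUNNING
            result[arn] = (True, "ready")
    return result


if __name__ == "__main__":
    # Inventory view: which tasks currently expose a shell path via ECS Exec.
    for arn, (ready, reason) in exec_readiness(SAMPLE_DESCRIBE_TASKS).items():
        print(f"{'READY  ' if ready else 'NOT YET'} {arn.rsplit('/', 1)[-1]}: {reason}")
```

Feed it real output with `aws ecs describe-tasks --cluster cluster-name --tasks task-id > tasks.json` and `exec_readiness(open("tasks.json").read())`.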
IAM permissions required for Amazon CloudWatch Logs or Amazon S3 Logging
To enable logging, the Amazon ECS task role that's referenced in your task definition needs additional permissions. These permissions can be added as a policy to the task role, and they differ depending on whether you direct your logs to Amazon CloudWatch Logs or Amazon S3.