khenissi nasreddine

Reputation: 107

SSM connection from local to AWS ECS with Port Forwarding

I have my Java application running in an AWS ECS container, with 8000 as the exposed port.

My ECS is running in a private subnet.

I want to connect to my ECS through the session manager like this:

aws ssm start-session --target My-ECS-Instance-ID --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["8000"], "localPortNumber":["8000"]}' --region My-Region

And the connection seems to be established without any problems:

Starting session with SessionId: botocore-session-1******-09cf*********8
Port 8000 opened for sessionId botocore-session-1******-09cf*********8.

But unfortunately, when I curl this URL:

curl -X GET "http://localhost:8000/api/user/9"

It generates the following output:

curl: (52) Empty reply from server

Upvotes: 5

Views: 8351

Answers (2)

antonmos

Reputation: 1046

For others that come here looking for a way to forward a port to a Task running in Fargate (as opposed to an EC2 node), here is how:

The docs for aws ssm start-session's --target parameter say that you need an EC2 instance ID, BUT it can also take a value in the format ecs:<cluster-name>_<task-id>_<container-runtime_id>

Note that the ECS Task Role will need the following permissions for this to work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        }
    ]
}

Upvotes: 14
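
The target format from the answer above, assembled from the values that `aws ecs describe-tasks` reports. This is an added example, not code from the answer: the function names, container name argument and sample ARNs are hypothetical, and it assumes the task was started with ECS Exec enabled so that an SSM agent is running in the container.

```bash
#!/usr/bin/env bash
# Added example (not from the answer). Function names and sample values are hypothetical.

# Build "ecs:<cluster-name>_<task-id>_<runtime-id>" from names or full ARNs.
ecs_ssm_target() {
  local cluster="${1##*/}"   # cluster ARN -> cluster name
  local task="${2##*/}"      # task ARN -> task ID
  local runtime="${3:-}"
  # The AWS CLI prints "None" with --output text when runtimeId is not set yet
  # (for example while the container is still starting).
  if [ -z "$cluster" ] || [ -z "$task" ] || [ -z "$runtime" ] || [ "$runtime" = "None" ]; then
    echo "ecs_ssm_target: cluster, task and container runtime ID are all required" >&2
    return 1
  fi
  printf 'ecs:%s_%s_%s\n' "$cluster" "$task" "$runtime"
}

# Look up the runtime ID of one named container in the task.
container_runtime_id() {   # args: cluster task container-name
  aws ecs describe-tasks --cluster "$1" --tasks "$2" \
    --query "tasks[0].containers[?name=='$3'].runtimeId | [0]" --output text
}

# Forward a local port to a port inside the container.
forward_port() {           # args: cluster task container-name remote-port local-port
  local runtime target
  runtime="$(container_runtime_id "$1" "$2" "$3")" || return 1
  target="$(ecs_ssm_target "$1" "$2" "$runtime")" || return 1
  aws ssm start-session --target "$target" \
    --document-name AWS-StartPortForwardingSession \
    --parameters "{\"portNumber\":[\"$4\"],\"localPortNumber\":[\"$5\"]}"
}

# Offline demonstration with constructed ARNs and IDs (no AWS call is made):
ecs_ssm_target \
  "arn:aws:ecs:eu-west-1:111122223333:cluster/demo-cluster" \
  "arn:aws:ecs:eu-west-1:111122223333:task/demo-cluster/0123456789abcdef0123456789abcdef" \
  "0123456789abcdef0123456789abcdef-1234567890"
# Real use: forward_port demo-cluster <task-id> <container-name> 8000 8000
```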

sayboras

Reputation: 5165

As mentioned in your comment, you specified ContainerPort: 8000 without HostPort. Hence, the actual port number on the EC2 box will be different. More details can be found here

Please use SSM session manager to ssh to the EC2 host, and then run sudo docker ps to find out the correct port number. Then, use this value in your aws ssm start-session command.

Upvotes: 1
