How to specify enable_execute_command when starting fargate containers with ecs-cli?

Question

I run aws fargate containers, which are launched using ecs-cli like so:

ecs-cli configure --cluster ${cluster_name} --default-launch-type FARGATE --region ${AWS_REGION} --config-name ${config_name}
ecs-cli compose --project-name ${service_name} service up

I would like use aws ecs execute to run commands in those containers. All the examples I can find on the topic use aws command line tool, rather than ecs-cli. The documentation specifies that, in order to use aws ecs execute, you must start the service with --enable-execute-command.

This flag indeed exists for aws command line tool - but there is no corresponding flag for ecs-cli. ecs-cli is configured via a yaml file, ecs-params.yml. However, there again, the documentation makes no mention of a setting that can be used in that file to enable execute command. This is what my ecs-params.yml looks like:

version: 1
task_definition:
  task_execution_role: ecsTaskExecutionRole
  ecs_network_mode: awsvpc
  task_size:
    mem_limit: 4GB
    cpu_limit: 2vCPU
run_params:
  network_configuration:
    awsvpc_configuration:
      subnets:
        - ${AWS_VPC_SUBNET_A}
        - ${AWS_VPC_SUBNET_B}
      security_groups:
        - ${AWS_VPC_SECURITY_GROUP}
      assign_public_ip: ENABLED

I have found a Pull Request on the ecs-cli repository to add this flag to the command line (see: https://github.com/aws/amazon-ecs-cli/pull/1135), which confirms it's not currently available. But it doesn't mean there isn't another way to specifiy enable-execute-command.

As an alternative approach, I tried to use aws ecs update-service --enable-execute-command after the containers have started. However that did not work as once the containers have started, the corresponding task defintion is marked as inactive.

So my question is: how can I enable command execution in my containers launched using ecs-cli ?

Answer 1

Try forcing a new deployment, that did it for me.

aws ecs update-service --service <SERVICE_NAME> --cluster <CLUSTER_NAME> \
  --enable-execute-command \
  --force-new-deployment

Answer 2

The working command for me:

aws ecs update-service \
    --cluster <Name-Of-Cluster> \
    --task-definition <Name-Of-TaskDefination:$Version> \
    --service <Name-Of-Service \
    --enable-execute-command \ 
    --force-new-deployment \
    --region <Region-code, ex. us-east-1>

Answer 3

I was working on this when you wanted to enable 'execute_command' in a running task, you needed to force a new deployment. According to the documentation, in the section "Considerations for using ECS Exec," it says that "You cannot enable ECS Exec for existing tasks, it can only be turned on for new tasks." Therefore, you need to force a new deployment. You can find more information about this on this link: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html.

This code worked for me:

aws ecs update-service --cluster {cluster} --service {service} --region {region} --enable-execute-command --force-new-deployment

Answer 4

I found a possible workaround. Idea is to switch from 'service up' to the direct task run.

First of all, create your task definition from compose configuration but don't run it:

ecs-cli compose create...

After it run new task from created definition (last parameter will do a trick):

aws ecs run-task --cluster $cluser --task-definition $task --enable-execute-command

It will work, and you will be able to connect to the container via:

aws ecs execute-command...

Answer 5

some of mistakes in the above command

aws ecs update-service --service $SERVICE_NAME --cluster $CLUSTER \
  --region eu-west-1 \
  --enable-execute-command \
  --force-new-deployment