jtee

Reputation: 111

AWS ECS Exec: Cannot start shell on Fargate

I've been following this tutorial: https://www.youtube.com/watch?v=wNN5N1_ZTN4

First, I've confirmed that the user I'm connecting with in AWS CLI has the following permission policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:ExecuteCommand",
        "ecs:DescribeTasks",
        "ecs:UpdateService",
        "iam:PassRole"
      ],
      "Resource": "*"
    }
  ]
}

Next, I've confirmed that the task role being used by the task has this permission policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*"
    }
  ]
}

When I run the describe-tasks command on the task, "enableExecuteCommand" is set to true every time:

aws ecs describe-tasks --cluster cluster-name --tasks task-id

Regardless of this, whenever I try opening a shell session via the following command:

aws ecs execute-command --region us-east-1 --cluster cluster-name --container container-name --task task-id --command "/bin/sh" --interactive

I get the following:

An error occurred (InvalidParameterException) when calling the ExecuteCommand operation: The execute command failed because execute command was not enabled when the task was run or the execute command agent isn't running. Wait and try again or run a new task with execute command enabled and try again.

I've been all over Stack Overflow and the AWS docs and everything is suggesting confirming the things I've already confirmed above. Where else should I look or are any of these settings incorrect on the policies?

Upvotes: 1

Views: 1880

Answers (2)

Piyush Mattoo

Reputation: 16153

You need to verify if Amazon ECS ExecuteCommand is enabled on the Amazon ECS Service/Task using the CLI command:

aws ecs describe-services --region <region> --cluster <cluster-name> --services <service-name>

You should see enableExecuteCommand present in the output with its value set to true, indicating that the Amazon ECS service is enabled with this feature.
You can enable the feature by updating the Amazon ECS service using the following CLI command:

aws ecs update-service --cluster <cluster-name> --service <service-name> --region <region> --enable-execute-command

Note that the Amazon ECS tasks need to be in the launched state before you can ECS Exec into an Amazon ECS task.

Upvotes: 3

jtee

Reputation: 111

Please disregard, very noob problem. The container I'm trying to SSH into is stuck in Pending status. I had thought it was possible to ECS Exec into it to see why it won't fully start up, but just now found it has to be already running. I can successfully ECS exec into Running containers, as advertised.

Upvotes: 1
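The two answers above point at the same checklist: the service (or RunTask call) must have had execute command enabled, and the task has to actually be RUNNING before the SSM agent inside it can accept a session. The following script is an added example, not code from either poster or from AWS; it encodes that checklist as a check over the JSON that `aws ecs describe-tasks` returns (task `lastStatus`, `enableExecuteCommand`, and the `ExecuteCommandAgent` entry under each container's `managedAgents`), and reproduces the asker's PENDING-task situation on a constructed sample response. The ARN, account id, cluster and container names in the sample are made up; the `describe_task` helper assumes the AWS CLI is installed and that the caller has `ecs:DescribeTasks`.

```python
"""Diagnose why `aws ecs execute-command` fails with "execute command was not
enabled when the task was run or the execute command agent isn't running".

The error depends on three things that `aws ecs describe-tasks` reports:
  * tasks[].enableExecuteCommand  - must be true (fixed when the task was launched)
  * tasks[].lastStatus            - must be RUNNING; a PENDING task has no agent yet
  * containers[].managedAgents[]  - the ExecuteCommandAgent entry must be RUNNING
The IAM and ssmmessages permissions from the question are necessary too, but
they are not what this particular error message is reporting.
"""
import json
import subprocess
from typing import List, Optional


def _find(items: list, key: str, value: str) -> Optional[dict]:
    """First dict in `items` whose `key` equals `value`, or None."""
    return next((i for i in items if i.get(key) == value), None)


def diagnose_ecs_exec(describe_tasks_output: dict, container_name: str) -> List[str]:
    """Return the reasons ECS Exec would fail for this task; an empty list means
    the task-side prerequisites are satisfied."""
    problems: List[str] = []
    tasks = describe_tasks_output.get("tasks", [])
    if not tasks:
        failures = describe_tasks_output.get("failures", [])
        return ["task not found: " + json.dumps(failures)]
    task = tasks[0]

    if not task.get("enableExecuteCommand", False):
        problems.append("task was started with enableExecuteCommand=false; run a new task "
                        "(or update the service with --enable-execute-command and force a "
                        "new deployment) - the flag cannot be added to a running task")

    status = task.get("lastStatus")
    if status != "RUNNING":
        problems.append(f"task lastStatus is {status}, not RUNNING; the SSM agent only "
                        "starts once the task is running, so a PENDING task cannot be exec'd into")

    container = _find(task.get("containers", []), "name", container_name)
    if container is None:
        names = [c.get("name") for c in task.get("containers", [])]
        problems.append(f"container {container_name!r} not in task (containers: {names})")
        return problems

    agent = _find(container.get("managedAgents", []), "name", "ExecuteCommandAgent")
    if agent is None:
        problems.append("no ExecuteCommandAgent managed agent on the container (task was not "
                        "launched with execute command enabled)")
    elif agent.get("lastStatus") != "RUNNING":
        reason = f": {agent['reason']}" if agent.get("reason") else ""
        problems.append(f"ExecuteCommandAgent lastStatus is {agent.get('lastStatus')}{reason}")
    return problems


# Constructed sample of describe-tasks output, trimmed to the fields used above.
# The shape mirrors the real API response; ARN, account id and task id are made up.
def _sample(task_status: str, agent_status: str, enabled: bool = True) -> dict:
    return {
        "tasks": [{
            "taskArn": "arn:aws:ecs:us-east-1:123456789012:task/cluster-name/0123456789abcdef0",
            "lastStatus": task_status,
            "desiredStatus": "RUNNING",
            "enableExecuteCommand": enabled,
            "launchType": "FARGATE",
            "containers": [{
                "name": "container-name",
                "lastStatus": task_status,
                "managedAgents": [{"name": "ExecuteCommandAgent", "lastStatus": agent_status}],
            }],
        }],
        "failures": [],
    }


PENDING_TASK = _sample("PENDING", "PENDING")   # the asker's situation
RUNNING_TASK = _sample("RUNNING", "RUNNING")   # what a task you can exec into looks like


def describe_task(cluster: str, task: str, region: str) -> dict:
    """Fetch the real describe-tasks output with the AWS CLI (assumes the CLI is
    installed and configured with a principal that holds ecs:DescribeTasks)."""
    proc = subprocess.run(
        ["aws", "ecs", "describe-tasks", "--region", region, "--cluster", cluster,
         "--tasks", task, "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:  # usage: script.py CLUSTER TASK_ID CONTAINER REGION
        cluster, task_id, container, region = sys.argv[1:]
        report = diagnose_ecs_exec(describe_task(cluster, task_id, region), container)
    else:  # offline demo on the constructed PENDING sample
        report = diagnose_ecs_exec(PENDING_TASK, "container-name")
    print("\n".join(report) or "task-side ECS Exec prerequisites look fine")
```

Run it with no arguments to see the two findings for the PENDING sample (task not RUNNING, agent not RUNNING); pass a real cluster, task id, container name and region to check a live task before retrying `aws ecs execute-command`. If the report is empty and the call still fails, the remaining suspects are the ones this script does not see: the task role's ssmmessages permissions and outbound network reachability to the SSM endpoints from the Fargate task.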
