
I'm unable to start a Port Forwarding Session To Remote Host (or simply a remote session) on a Fargate ECS container, yet I can do so on an instance. Using the AWS console (that's the website-based one, not shell-based) I can't seem to figure out what settings are needed.

Working (instance remote session):

aws ssm start-session \
--target i-{instance} \
--region {region} \
--profile {profile} \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters '{"portNumber":["22"],"localPortNumber":["9999"],"host":["{host}"]}'

Not working the same way on a container:

aws ssm start-session \
--target ecs:{clusterName}_{taskId}_{containerRuntimeId} \
--region {region} \
--profile {profile} \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters '{"portNumber":["22"],"localPortNumber":["9999"],"host":["{PrivateIPofClusterTask}"]}'

Any idea?

I even created an IAM policy and attached it to the IAM roles that run the specific service and tasks inside the ECS cluster.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession",
                "ecs:ExecuteCommand"
            ],
            
            "Resource": [
                "arn:aws:ecs:blablabla:cluster/{clusterName}",
                "arn:aws:ssm:blablabla::document/AWS-StartInteractiveCommand",
                "arn:aws:ssm:blablabla::document/AWS-StartPortForwardingSession",
                "arn:aws:ssm:blablabla::document/AWS-StartPortForwardingSessionToRemoteHost",
                "arn:aws:ssm:blablabla::document/AWS-StartSSHSession"
            ]
        }
    ]
}

2 Answers


  1. Chosen as BEST ANSWER

    I've actually figured it out. It involves the following steps:

    1. ECS Task Definition: Add SSH's port to portMappings.

    2. ECS Cluster Service: Ensure it is using the Task Definition's latest "Revision" you just created. Restart the Task as well.

    3. IAM Policy:

      • Create a new policy for the StartSSHSession document
      • Add various items under condition (for added security)
      • Attach the Roles running the Task to this policy

    4. SSM into the container; the target is "ecs:{clusterName}_{taskId}_{containerRuntimeId}":

      • aws ssm start-session with target and profile only. No need for document and parameters.
      • install and start sshd
      • create a user, e.g. loremIpsumUser (only allow specific access to this user for added security)
      • (only allow this user to use ssh for added security)

    5. SSH from your system. Here is an ssh config item; it uses ProxyCommand:

    Host loremIpsumSSHProfile
        HostName loremIpsumSite
        User loremIpsumUser
        ProxyCommand sh -c "aws sso login --profile {myProfile}; aws ssm start-session --target {myTarget} --profile {myProfile} --document-name AWS-StartSSHSession"


    You could obviously just use SSM, but remote debugging tools such as xdebugger would need SSH (as far as I can tell).
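    The ProxyCommand in step 5 hard-codes the SSM target, which changes every time the task is replaced, and it re-runs `aws sso login` on every connection. The script below is an added example (not from the answer above) that resolves the target from the cluster, service and container name at connect time, and only opens the SSO login when the profile's credentials have actually expired. The cluster, service, container and profile names are placeholders passed in as arguments.

```shell
#!/bin/sh
# Added example: resolve the Session Manager target for a Fargate container
# and open an AWS-StartSSHSession session, for use as an ssh ProxyCommand.
# Usage: ecs-ssh-proxy.sh <cluster> <service> <container> <profile>
set -e

# Compose the target string "ecs:{cluster}_{taskId}_{runtimeId}". The task id is
# the last path component of the task ARN, e.g.
# arn:aws:ecs:us-east-1:123456789012:task/my-cluster/0123abcd -> 0123abcd
build_ssm_target() {
  cluster=$1; task_arn=$2; runtime_id=$3
  task_id=${task_arn##*/}
  printf 'ecs:%s_%s_%s\n' "$cluster" "$task_id" "$runtime_id"
}

# Only trigger the browser-based SSO login when the cached credentials no
# longer work; a valid session passes the STS identity check.
ensure_login() {
  profile=$1
  aws sts get-caller-identity --profile "$profile" >/dev/null 2>&1 \
    || aws sso login --profile "$profile"
}

# Find the first RUNNING task of the service, read the runtime id of the named
# container from describe-tasks, then hand the connection to SSM.
main() {
  cluster=$1; service=$2; container=$3; profile=$4
  ensure_login "$profile"
  task_arn=$(aws ecs list-tasks --cluster "$cluster" --service-name "$service" \
      --desired-status RUNNING --profile "$profile" \
      --query 'taskArns[0]' --output text)
  [ "$task_arn" != "None" ] || { echo "no running task for $service" >&2; exit 1; }
  runtime_id=$(aws ecs describe-tasks --cluster "$cluster" --tasks "$task_arn" \
      --profile "$profile" \
      --query "tasks[0].containers[?name=='$container'].runtimeId | [0]" --output text)
  [ "$runtime_id" != "None" ] || { echo "container $container not found" >&2; exit 1; }
  target=$(build_ssm_target "$cluster" "$task_arn" "$runtime_id")
  exec aws ssm start-session --target "$target" --profile "$profile" \
      --document-name AWS-StartSSHSession
}

# Running the file with no arguments only defines the functions.
if [ "$#" -eq 4 ]; then
  main "$@"
fi
```

    In the ssh config, replace the `sh -c "..."` ProxyCommand with `ProxyCommand sh /path/to/ecs-ssh-proxy.sh {cluster} {service} {container} {myProfile}` (all placeholders), and the `aws ecs list-tasks` / `describe-tasks` calls need `ecs:ListTasks` and `ecs:DescribeTasks` in the caller's IAM policy in addition to `ssm:StartSession`.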


  2. Because it is ECS Fargate, you'd better use Amazon ECS Exec.

    https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html

    aws ecs execute-command \
        --cluster ${YOUR_CLUSTER_NAME} \
        --task ${YOUR_TASK_ID} \
        --container ${YOUR_CONTAINER_NAME} \
        --interactive \
        --command "/bin/sh"
    

    There are some considerations and prerequisites, please read them carefully and ensure that the Session Manager plugin is installed.
