I'm unable to start a Port Forwarding Session To Remote Host (or simply a remote session) on a Fargate ECS container, yet I can do so on an instance. Using the AWS console (that's the website-based one, not the shell-based one) I can't seem to figure out what settings are needed.
Working (instance remote session):

```sh
aws ssm start-session \
  --target i-{instance} \
  --region {region} \
  --profile {profile} \
  --document-name AWS-StartPortForwardingSessionToRemoteHost \
  --parameters '{"portNumber":["22"],"localPortNumber":["9999"],"host":["{host}"]}'
```
Not working the same way on a container:

```sh
aws ssm start-session \
  --target ecs:{clusterName}_{taskId}_{containerRuntimeId} \
  --region {region} \
  --profile {profile} \
  --document-name AWS-StartPortForwardingSessionToRemoteHost \
  --parameters '{"portNumber":["22"],"localPortNumber":["9999"],"host":["{PrivateIPofClusterTask}"]}'
```
Any idea?
I even created an IAM policy and attached it to the IAM roles that run the specific service and tasks inside the ECS cluster.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession",
        "ecs:ExecuteCommand"
      ],
      "Resource": [
        "arn:aws:ecs:blablabla:cluster/{clusterName}",
        "arn:aws:ssm:blablabla::document/AWS-StartInteractiveCommand",
        "arn:aws:ssm:blablabla::document/AWS-StartPortForwardingSession",
        "arn:aws:ssm:blablabla::document/AWS-StartPortForwardingSessionToRemoteHost",
        "arn:aws:ssm:blablabla::document/AWS-StartSSHSession"
      ]
    }
  ]
}
```
2 Answers
I've actually figured it out. It involves the following steps:

1. ECS Task Definition: add SSH's port to `portMappings`.
2. ECS Cluster Service: ensure it is using the Task Definition's latest "Revision" you just created. Restart the Task as well.
3. IAM Policy: `StartSSHSession` document condition (for added security).
4. SSM into the container: the `target` is `"ecs:{clusterName}_{taskId}_{containerRuntimeId}"`. Run `aws ssm start-session` with target and profile only. No need for document and parameters.
5. `sshd`
6. SSH from your system. Here is an ssh config item; it uses `ProxyCommand`:

You could obviously just use SSM, but remote debugging tools such as xdebugger would need SSH (as far as I can tell).
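The target string the answer above relies on is easy to get subtly wrong (a runtime id copied from another task, a task ARN pasted instead of the bare task id). The script below is an added example, not code from the original post or from AWS: it extracts the task id from a task ARN, composes the `ecs:` target only after checking that the runtime id belongs to that task, and renders the document-less `start-session` command. It assumes (not stated on the page) that a Fargate task id is 32 hex characters and that the container runtime id has the form `<taskId>-<digits>`, as `aws ecs describe-tasks` reports it; all sample identifiers are constructed.

```sh
#!/bin/sh
# Added example (not from the original post). Builds the SSM target for an ECS
# container, "ecs:{clusterName}_{taskId}_{containerRuntimeId}", with sanity checks.
# Assumption: task id = 32 hex chars; runtime id = "<taskId>-<digits>" (Fargate).

# Task id is the last path segment of a task ARN:
#   arn:aws:ecs:REGION:ACCOUNT:task/CLUSTER/TASKID
task_id_from_arn() {
  printf '%s\n' "${1##*/}"
}

# Compose the target; refuse a runtime id that belongs to a different task so the
# mistake is caught here rather than as an opaque failure at session start.
ecs_ssm_target() {
  cluster="$1"; task_id="$2"; runtime_id="$3"
  printf '%s' "$task_id" | grep -Eq '^[0-9a-f]{32}$' || {
    echo "ecs_ssm_target: task id must be 32 hex characters" >&2; return 1; }
  case "$runtime_id" in
    "$task_id"-[0-9]*) ;;
    *) echo "ecs_ssm_target: runtime id does not belong to task $task_id" >&2; return 1 ;;
  esac
  printf 'ecs:%s_%s_%s\n' "$cluster" "$task_id" "$runtime_id"
}

# Interactive session as the answer describes: target and profile only, no
# --document-name and no --parameters. Arguments: cluster task_id runtime_id region profile
ecs_session_cmd() {
  target=$(ecs_ssm_target "$1" "$2" "$3") || return 1
  printf 'aws ssm start-session --target %s --region %s --profile %s\n' "$target" "$4" "$5"
}

# Constructed sample values (not real identifiers) so the script runs offline.
if [ "${1:-}" = "demo" ]; then
  tid=$(task_id_from_arn "arn:aws:ecs:eu-west-1:123456789012:task/demo-cluster/0123456789abcdef0123456789abcdef")
  ecs_session_cmd demo-cluster "$tid" "${tid}-1234567890" eu-west-1 dev
fi
```

Run it as `sh target.sh demo` to print the command for the constructed sample task; substitute the real ARN and runtime id from `aws ecs describe-tasks` for your own cluster.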
Because it is ECS Fargate, you had better use Amazon ECS Exec.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html
There are some considerations and prerequisites, please read them carefully and ensure that the Session Manager plugin is installed.