A simple tool to get an ephemeral CLI in an ECS Fargate task.

```
$ go get -u github.com/keichan34/ecs-fargate-login
```
- Serverless bastion host.
- A way to get an application console (like `rails console`) in staging / production.
How it works

The high level outline is:

1. `ecs-fargate-login` creates a one-time use RSA key pair.
2. `ecs-fargate-login` starts an SSH server task in Fargate.
3. When the task has booted, `ecs-fargate-login` logs in to the SSH server.
4. The SSH server shuts itself down when the user logs off.
A script (`start-sshd.sh`) and `openssh-server` are installed in the Dockerfile for the SSH server. The CLI service should have its own dedicated task definition (an example is included in `server/task-definition.json`). When `ecs-fargate-login` boots this task definition, `start-sshd.sh` performs some initial setup, such as making the task's environment variables available to the SSH session (because SSH will strip them out otherwise), and authorizing the one-time RSA key pair by passing the public key in the `_AUTHORIZED_PUBLIC_KEY` environment variable.

When the task has been booted, `ecs-fargate-login` will start `ssh`. When the session ends, `ecs-fargate-login` deletes the one-time private key, and the server will shut itself down.
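As an added example (not the project's own `start-sshd.sh`), a hardened version of the server-side script that performs the steps above: it installs the one-time key only if `_AUTHORIZED_PUBLIC_KEY` holds exactly one well-formed `ssh-rsa` line, persists the task environment with restrictive permissions, and stops the task after the first session ends. The `/usr/sbin/sshd` path, the `/etc/environment` destination, and the `sshd: user@pts/N` process-title check are assumptions.

```shell
#!/bin/sh
# Hypothetical hardened start-sshd.sh (added example, not the project's script).
# Assumes the one-time public key arrives in _AUTHORIZED_PUBLIC_KEY, as the
# README describes, and that sshd is installed at /usr/sbin/sshd.
set -eu

# Install the injected one-time key only if it is a single, well-formed
# ssh-rsa line; anything else (extra lines, authorized_keys options such as
# command=, other key types) is rejected and nothing is written.
authorize_one_time_key() {  # $1 = key material, $2 = authorized_keys path
    key=$1; target=$2
    nl='
'
    case "$key" in *"$nl"*) return 1 ;; esac
    printf '%s\n' "$key" |
        grep -Eq '^ssh-rsa [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$' || return 1
    umask 077
    mkdir -p "$(dirname "$target")"
    printf '%s\n' "$key" > "$target"
    chmod 600 "$target"
}

# sshd starts sessions with a clean environment, so the task's variables
# (database URLs, etc.) must be persisted for the interactive shell to see
# them. The one-time key and shell bookkeeping variables are left out, and the
# file is readable only by root (the assumed login user) since it may hold secrets.
persist_task_env() {  # $1 = destination file, e.g. /etc/environment
    env | grep -Ev '^(_AUTHORIZED_PUBLIC_KEY|PWD|OLDPWD|SHLVL|_)=' | sort > "$1"
    chmod 600 "$1"
}

# Entry point: authorize the key, persist the environment, run sshd, and stop
# the task once the first session has ended so it never lingers after logout.
if [ "${1:-}" = start ]; then
    authorize_one_time_key "${_AUTHORIZED_PUBLIC_KEY:?not set}" /root/.ssh/authorized_keys
    persist_task_env /etc/environment
    /usr/sbin/sshd -D -e &
    sshd_pid=$!
    # Assumption: session processes are titled "sshd: user@pts/N" (Linux OpenSSH).
    until pgrep -f 'sshd: [^ ]*@' >/dev/null; do sleep 2; done
    while pgrep -f 'sshd: [^ ]*@' >/dev/null; do sleep 2; done
    kill "$sshd_pid"
fi
```

Run it as the container command with the single argument `start`; the functions can be sourced and exercised on their own.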
- A security group that allows inbound SSH access (port 22) from the machine you're using.
- A task definition that is set up to run the SSH server.

On the server:

- `start-sshd.sh` (see the example in the `server` directory)

On the interactive client:

- Access to AWS with the following permissions:
  - `ecs:RunTask` for the ARN of the task definition the tool will use to boot.
  - `ecs:DescribeTasks` for all tasks.
  - `ec2:DescribeNetworkInterfaces` (only supports a resource of `*`).
  - `iam:PassRole` for both the task execution role (the role AWS Fargate uses to start the task) and the task role (the role the task assumes when running).
- Create 2 ECS task IAM roles: one for the running task, and one for the task execution.
- Put the ARNs in the task definition, using `server/task-definition.json` as a template.
- Register the task definition. The template uses `test-cli`, but you can choose any name you like.
- Get the VPC Security Group ID (`sg-...`) of a security group that allows port 22 incoming from the client you plan on logging in from.
- Get the VPC Subnet ID(s) of a public subnet you want to launch this instance in to.

```
$ ecs-fargate-login -n test-cli -sg sg-1234,sg-4321 -sn subnet-1234,subnet-4321
```