I am trying to do exec commands for ECS. When I follow this example, which works with Fargate everything works great. When I try it with my EC2 Cluster I get the error TargetNotConnectedException.
I also run https://raw.githubusercontent.com/aws-containers/amazon-ecs-exec-checker/main/check-ecs-exec.sh and got the following output:
-------------------------------------------------------------
Prerequisites for check-ecs-exec.sh v0.7
-------------------------------------------------------------
jq | OK (/usr/local/bin/jq)
AWS CLI | OK (/usr/local/bin/aws)
-------------------------------------------------------------
Prerequisites for the AWS CLI to use ECS Exec
-------------------------------------------------------------
AWS CLI Version | OK (aws-cli/2.11.21 Python/3.11.3 Darwin/22.5.0 exe/x86_64 prompt/off)
Session Manager Plugin | OK (1.2.463.0)
-------------------------------------------------------------
Checks on ECS task and other resources
-------------------------------------------------------------
Region : eu-central-1
Cluster: very_good_cluster
Task : arn:aws:ecs:eu-central-1:xxxxxxxxxxxxxx
-------------------------------------------------------------
Cluster Configuration |
KMS Key : arn:aws:kms:eu-central-1:xxxxxxxx:key/xxxxxxxxxx
Audit Logging : OVERRIDE
S3 Bucket Name: ecs-ilarp-bucked, Key Prefix: exec-output, Encryption Enabled: false
CW Log Group : /aws/ecs/loggroup, Encryption Enabled: false
Can I ExecuteCommand? | arn:aws:iam::xxxxxxxxxxx:user/ecs-admin
ecs:ExecuteCommand: allowed
kms:GenerateDataKey: allowed
ssm:StartSession denied?: allowed
Task Status | RUNNING
Launch Type | EC2
ECS Agent Version | 1.71.1
Exec Enabled for Task | OK
Container-Level Checks |
----------
Managed Agent Status
----------
1. RUNNING for "ecs-service-connect-xxxxxxx"
2. RUNNING for "aws-otel-collector"
3. RUNNING for "db"
4. RUNNING for "app"
----------
Init Process Enabled (Service:20)
----------
1. Disabled - "db"
2. Disabled - "aws-otel-collector"
3. Enabled - "app"
----------
Read-Only Root Filesystem (nextcloud:20)
----------
1. Disabled - "db"
2. Disabled - "aws-otel-collector"
3. Disabled - "app"
Task Role Permissions | arn:aws:iam::xxxxxxx:role/ecsTaskExecutionRole
ssmmessages:CreateControlChannel: allowed
ssmmessages:CreateDataChannel: allowed
ssmmessages:OpenControlChannel: allowed
ssmmessages:OpenDataChannel: allowed
-----
kms:Decrypt: allowed
-----
s3:PutObject: allowed
-----
logs:DescribeLogGroups: allowed
logs:CreateLogStream: allowed
logs:DescribeLogStreams: allowed
logs:PutLogEvents: allowed
VPC Endpoints | SKIPPED (vpc-xxxxxxxxxxx - No additional VPC endpoints required)
Environment Variables | (nextcloud:20)
1. container "db"
- AWS_ACCESS_KEY: not defined
- AWS_ACCESS_KEY_ID: not defined
- AWS_SECRET_ACCESS_KEY: not defined
2. container "aws-otel-collector"
- AWS_ACCESS_KEY: not defined
- AWS_ACCESS_KEY_ID: not defined
- AWS_SECRET_ACCESS_KEY: not defined
3. container "app"
- AWS_ACCESS_KEY: not defined
- AWS_ACCESS_KEY_ID: not defined
- AWS_SECRET_ACCESS_KEY: not defined
Maybe you can help me, because I have no clue what is wrong here.
What I try to do is:
aws ecs execute-command --cluster very_good_cluster --task arn:aws:ecs:eu-central-1:xxxxxxxxxx:task/very_good_cluster/xxxxxxxxx --container app --interactive --command "ls -l"
As result I get:
The Session Manager plugin was installed successfully. Use the AWS CLI to start a session.
An error occurred (TargetNotConnectedException) when calling the ExecuteCommand operation: The execute command failed due to an internal error. Try again later.
AWS OFFICIALAktualisiert vor einem Jahr
my EC2 Containers are running in awsvpc network mode and all outgoing traffic is allowed too. I also doublechecked this here: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-privatelink.html