ExecuteCommand throwing TargetNotConnectedException even though check-ecs-exec.sh shows all green.


I am trying to do exec commands for ECS. When I follow this example, which works with Fargate, everything works great. When I try it with my EC2 cluster I get the error TargetNotConnectedException.

I also ran https://raw.githubusercontent.com/aws-containers/amazon-ecs-exec-checker/main/check-ecs-exec.sh and got the following output:

-------------------------------------------------------------
Prerequisites for check-ecs-exec.sh v0.7
-------------------------------------------------------------
  jq      | OK (/usr/local/bin/jq)
  AWS CLI | OK (/usr/local/bin/aws)

-------------------------------------------------------------
Prerequisites for the AWS CLI to use ECS Exec
-------------------------------------------------------------
  AWS CLI Version        | OK (aws-cli/2.11.21 Python/3.11.3 Darwin/22.5.0 exe/x86_64 prompt/off)
  Session Manager Plugin | OK (1.2.463.0)

-------------------------------------------------------------
Checks on ECS task and other resources
-------------------------------------------------------------
Region : eu-central-1
Cluster: very_good_cluster
Task   : arn:aws:ecs:eu-central-1:xxxxxxxxxxxxxx
-------------------------------------------------------------
  Cluster Configuration  |
     KMS Key       : arn:aws:kms:eu-central-1:xxxxxxxx:key/xxxxxxxxxx
     Audit Logging : OVERRIDE
     S3 Bucket Name: ecs-ilarp-bucked, Key Prefix: exec-output, Encryption Enabled: false
     CW Log Group  : /aws/ecs/loggroup, Encryption Enabled: false
  Can I ExecuteCommand?  | arn:aws:iam::xxxxxxxxxxx:user/ecs-admin
     ecs:ExecuteCommand: allowed
     kms:GenerateDataKey: allowed
     ssm:StartSession denied?: allowed
  Task Status            | RUNNING
  Launch Type            | EC2
  ECS Agent Version      | 1.71.1
  Exec Enabled for Task  | OK
  Container-Level Checks | 
    ----------
      Managed Agent Status
    ----------
         1. RUNNING for "ecs-service-connect-xxxxxxx"
         2. RUNNING for "aws-otel-collector"
         3. RUNNING for "db"
         4. RUNNING for "app"
    ----------
      Init Process Enabled (Service:20)
    ----------
         1. Disabled - "db"
         2. Disabled - "aws-otel-collector"
         3. Enabled - "app"
    ----------
      Read-Only Root Filesystem (nextcloud:20)
    ----------
         1. Disabled - "db"
         2. Disabled - "aws-otel-collector"
         3. Disabled - "app"
  Task Role Permissions  | arn:aws:iam::xxxxxxx:role/ecsTaskExecutionRole
     ssmmessages:CreateControlChannel: allowed
     ssmmessages:CreateDataChannel: allowed
     ssmmessages:OpenControlChannel: allowed
     ssmmessages:OpenDataChannel: allowed
     -----
     kms:Decrypt: allowed
     -----
     s3:PutObject: allowed
     -----
     logs:DescribeLogGroups: allowed
     logs:CreateLogStream: allowed
     logs:DescribeLogStreams: allowed
     logs:PutLogEvents: allowed
  VPC Endpoints          | SKIPPED (vpc-xxxxxxxxxxx - No additional VPC endpoints required)
  Environment Variables  | (nextcloud:20)
       1. container "db"
       - AWS_ACCESS_KEY: not defined
       - AWS_ACCESS_KEY_ID: not defined
       - AWS_SECRET_ACCESS_KEY: not defined
       2. container "aws-otel-collector"
       - AWS_ACCESS_KEY: not defined
       - AWS_ACCESS_KEY_ID: not defined
       - AWS_SECRET_ACCESS_KEY: not defined
       3. container "app"
       - AWS_ACCESS_KEY: not defined
       - AWS_ACCESS_KEY_ID: not defined
       - AWS_SECRET_ACCESS_KEY: not defined

Maybe you can help me, because I have no clue what is wrong here. What I try to do is:

aws ecs execute-command --cluster very_good_cluster --task arn:aws:ecs:eu-central-1:xxxxxxxxxx:task/very_good_cluster/xxxxxxxxx --container app --interactive  --command "ls -l"

As a result I get:

The Session Manager plugin was installed successfully. Use the AWS CLI to start a session.

An error occurred (TargetNotConnectedException) when calling the ExecuteCommand operation: The execute command failed due to an internal error. Try again later.

asked a year ago · 313 views
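The checker output above covers IAM, KMS, the managed agent state and the presence of VPC endpoints, but it does not show the security-group or route-table side of the task's network path, and TargetNotConnectedException means the SSM agent running inside the container never established its channel to ssmmessages over HTTPS (TCP/443). The script below is an added example for this thread, not part of the original post or of amazon-ecs-exec-checker. It works offline on the JSON that `aws ecs describe-tasks`, `aws ec2 describe-security-groups` and `aws ec2 describe-route-tables` return, so the sample documents embedded in it are constructed and every ID, the endpoint IP (a TEST-NET-3 placeholder) and the region are assumptions. Note that the ENI/subnet lookup only applies to awsvpc-mode tasks; with bridge or host networking on EC2 the container instance's own ENI, subnet and security groups are what you would feed in instead.

```python
"""Offline triage for ECS Exec TargetNotConnectedException (added example, not the
post's or the checker's code). Reads describe-tasks / describe-security-groups /
describe-route-tables JSON and checks: per-container ExecuteCommandAgent state and
reason, the task ENI and subnet, whether a security-group egress rule permits TCP/443
to the endpoint IP, and whether the subnet has a default route (NAT/IGW). Without a
default route, a private subnet needs an interface endpoint for ssmmessages.
All sample data below is constructed; IDs, IPs and region are placeholders."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample shaped like `aws ecs describe-tasks` (awsvpc task on EC2).
DESCRIBE_TASKS_SAMPLE = {"tasks": [{
    "launchType": "EC2", "enableExecuteCommand": True,
    "attachments": [{"type": "ElasticNetworkInterface", "details": [
        {"name": "networkInterfaceId", "value": "eni-0123456789abcdef0"},
        {"name": "subnetId", "value": "subnet-0a1b2c3d"}]}],
    "containers": [
        {"name": "app", "managedAgents": [{"name": "ExecuteCommandAgent", "lastStatus": "RUNNING"}]},
        {"name": "db", "managedAgents": [{"name": "ExecuteCommandAgent", "lastStatus": "RUNNING"}]}]}]}

# Constructed sample shaped like `aws ec2 describe-security-groups` (default allow-all egress).
SECURITY_GROUPS_SAMPLE = [{"GroupId": "sg-0aaa", "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]

# Constructed sample shaped like `aws ec2 describe-route-tables`: the main table has an
# internet-gateway default route, but the task's subnet is explicitly associated with a
# table that only has the local route (private subnet, no NAT, no interface endpoints).
ROUTE_TABLES_SAMPLE = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"Main": False, "SubnetId": "subnet-0a1b2c3d"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}]


def managed_agent_states(describe_tasks: dict) -> Dict[str, Tuple[str, str]]:
    """Map container name -> (ExecuteCommandAgent lastStatus, reason); reason is where
    ECS reports why the agent is PENDING or STOPPED."""
    states: Dict[str, Tuple[str, str]] = {}
    for task in describe_tasks["tasks"]:
        for container in task.get("containers", []):
            for agent in container.get("managedAgents", []):
                if agent.get("name") == "ExecuteCommandAgent":
                    states[container["name"]] = (agent.get("lastStatus", "UNKNOWN"), agent.get("reason", ""))
    return states


def task_eni_and_subnet(describe_tasks: dict) -> Tuple[str, str]:
    """Return (ENI id, subnet id) of the task's awsvpc attachment, or ("", "") for bridge/host mode."""
    for task in describe_tasks["tasks"]:
        for att in task.get("attachments", []):
            if att.get("type") == "ElasticNetworkInterface":
                details = {d["name"]: d["value"] for d in att.get("details", [])}
                return details.get("networkInterfaceId", ""), details.get("subnetId", "")
    return "", ""


def _rule_matches(rule: dict, port: int, dest: str) -> bool:
    """True if one egress rule covers TCP/port to dest (IPv4 CIDR ranges only)."""
    proto = rule.get("IpProtocol")
    if proto not in ("-1", "tcp"):
        return False
    if proto == "tcp" and not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
        return False
    target = ipaddress.ip_address(dest)
    return any(target in ipaddress.ip_network(r["CidrIp"], strict=False) for r in rule.get("IpRanges", []))


def egress_allows(security_groups: List[dict], port: int, dest: str) -> bool:
    """True if any attached security group permits outbound TCP/port to dest."""
    return any(_rule_matches(rule, port, dest) for sg in security_groups for rule in sg.get("IpPermissionsEgress", []))


def default_route_target(route_tables: List[dict], subnet_id: str) -> str:
    """Target id of the active 0.0.0.0/0 route that applies to subnet_id, or "" if none.
    A subnet with no explicit association falls back to the VPC's main route table."""
    chosen = main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                chosen = rt
            if assoc.get("Main"):
                main = rt
    rt = chosen or main
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State", "active") == "active":
            return route.get("GatewayId") or route.get("NatGatewayId") or route.get("NetworkInterfaceId") or "unknown"
    return ""


def triage(describe_tasks: dict, security_groups: List[dict], route_tables: List[dict],
           endpoint_ip: str, region: str) -> dict:
    """Combine the checks into one finding dict with a plain-language problem list."""
    eni, subnet = task_eni_and_subnet(describe_tasks)
    f = {"agents": managed_agent_states(describe_tasks), "eni": eni, "subnet": subnet,
         "egress_443": egress_allows(security_groups, 443, endpoint_ip),
         "default_route": default_route_target(route_tables, subnet), "problems": []}
    for name, (status, reason) in f["agents"].items():
        if status != "RUNNING":
            f["problems"].append(f"ExecuteCommandAgent for {name} is {status}: {reason or 'no reason given'}")
    if not f["egress_443"]:
        f["problems"].append(f"no security-group egress rule allows TCP/443 to {endpoint_ip}")
    if not f["default_route"]:
        f["problems"].append(f"no default route for {subnet}: add a NAT route or an interface "
                             f"endpoint for com.amazonaws.{region}.ssmmessages")
    return f


if __name__ == "__main__":
    for line in triage(DESCRIBE_TASKS_SAMPLE, SECURITY_GROUPS_SAMPLE, ROUTE_TABLES_SAMPLE,
                       "203.0.113.10", "eu-central-1")["problems"]:
        print("PROBLEM:", line)
```

To run it against a real task, replace the three sample objects with the JSON from the corresponding `aws ecs describe-tasks --cluster ... --tasks ...`, `aws ec2 describe-security-groups --group-ids ...` (the groups attached to the task ENI) and `aws ec2 describe-route-tables --filters Name=vpc-id,Values=...` calls, and pass the private IP of the ssmmessages interface endpoint (or the resolved public address) as `endpoint_ip`. With the constructed sample the only finding is the missing default route, which is exactly the shape of failure the checker's "No additional VPC endpoints required" line can hide when the subnet's explicit route table differs from the main one.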
1 Answer

Try troubleshooting the network using the "VPC Reachability Analyzer".
I think we need to make sure that the ECS tasks are communicating from the ENI they are using to the VPC endpoints.
https://repost.aws/knowledge-center/vpc-connectivity-reachability-analyzer

EXPERT
answered a year ago
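The answer above points at VPC Reachability Analyzer. The path worth analysing for ECS Exec is the one the SSM agent inside the container has to use: from the task's ENI to whatever fronts ssmmessages for that subnet (the internet gateway, the NAT gateway, or the interface VPC endpoint for com.amazonaws.<region>.ssmmessages), protocol TCP, destination port 443. The script below is an added example for this thread, not code from the answer or from AWS; it drives the public EC2 API calls create_network_insights_path, start_network_insights_analysis and describe_network_insights_analyses through boto3, which is assumed to be installed with credentials that can call them. The embedded analysis sample is constructed and its explanation code and resource IDs are placeholders, not a claim about the strings the service emits; summarize_analysis() is pure so it runs without boto3 or an AWS account.

```python
"""Run VPC Reachability Analyzer over the ECS Exec path (added example; not the
answer's or AWS's code). Live part: task ENI -> destination id on TCP/443 via boto3
(assumed installed and credentialled). Pure part: summarize_analysis() reduces the
analysis to reachable/not plus the resource behind each explanation."""
import time
from typing import Dict, List, Tuple

# Constructed sample shaped like one entry of describe-network-insights-analyses.
# The explanation code and IDs are placeholders.
ANALYSIS_SAMPLE = {
    "NetworkInsightsAnalysisId": "nia-0example", "Status": "succeeded", "NetworkPathFound": False,
    "Explanations": [{"ExplanationCode": "CONSTRUCTED_EXAMPLE_CODE", "Direction": "egress",
                      "SecurityGroup": {"Id": "sg-0aaa"}, "Component": {"Id": "eni-0123456789abcdef0"}}]}


def summarize_analysis(analysis: dict) -> Dict[str, object]:
    """Return status, whether a path was found, and (code, resource id, direction) per
    explanation, enough to tell a security-group, NACL or route-table block apart."""
    blockers: List[Tuple[str, str, str]] = []
    for ex in analysis.get("Explanations", []):
        # The analyser attaches the offending resource under a type-specific key;
        # take the most specific one present so the summary names the thing to fix.
        component = ""
        for key in ("SecurityGroup", "Acl", "RouteTable", "Subnet", "Component"):
            if ex.get(key, {}).get("Id"):
                component = ex[key]["Id"]
                break
        blockers.append((ex.get("ExplanationCode", ""), component, ex.get("Direction", "")))
    return {"status": analysis.get("Status"), "reachable": bool(analysis.get("NetworkPathFound")),
            "blockers": blockers}


def analyze_exec_path(source_eni: str, destination: str, region: str,
                      port: int = 443, timeout_s: int = 180) -> dict:
    """Create a path source_eni -> destination (igw-, nat-, vpce- or eni- id) on TCP/port,
    start one analysis and poll until it reaches a terminal status. Returns the raw dict."""
    import boto3  # imported lazily so summarize_analysis() works without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    path_id = ec2.create_network_insights_path(
        Source=source_eni, Destination=destination, Protocol="tcp", DestinationPort=port,
    )["NetworkInsightsPath"]["NetworkInsightsPathId"]
    analysis_id = ec2.start_network_insights_analysis(
        NetworkInsightsPathId=path_id)["NetworkInsightsAnalysis"]["NetworkInsightsAnalysisId"]
    deadline = time.monotonic() + timeout_s
    while True:
        analysis = ec2.describe_network_insights_analyses(
            NetworkInsightsAnalysisIds=[analysis_id])["NetworkInsightsAnalyses"][0]
        if analysis["Status"] in ("succeeded", "failed"):
            return analysis
        if time.monotonic() > deadline:
            raise TimeoutError(f"analysis {analysis_id} still {analysis['Status']} after {timeout_s}s")
        time.sleep(5)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        print("usage: reach.py <task-eni-id> <destination-id> <region>")
        sys.exit(2)
    print(summarize_analysis(analyze_exec_path(sys.argv[1], sys.argv[2], sys.argv[3])))
```

Run it once per candidate destination (the subnet's gateway and, if you created one, the ssmmessages interface endpoint). A result with "reachable": False and a blocker whose resource id is a security group or network ACL is a firewall fix; one naming a route table is the private-subnet-without-NAT case. If every path is reachable, the network is not the cause and the next place to look is the task's managedAgents reason field and the KMS key policy for the key the cluster configuration references.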
