I am trying to run exec commands for ECS. When I follow this example, which works with Fargate, everything works great. When I try it with my EC2 cluster I get the error TargetNotConnectedException.
I also ran https://raw.githubusercontent.com/aws-containers/amazon-ecs-exec-checker/main/check-ecs-exec.sh and got the following output:
-------------------------------------------------------------
Prerequisites for check-ecs-exec.sh v0.7
-------------------------------------------------------------
jq | OK (/usr/local/bin/jq)
AWS CLI | OK (/usr/local/bin/aws)
-------------------------------------------------------------
Prerequisites for the AWS CLI to use ECS Exec
-------------------------------------------------------------
AWS CLI Version | OK (aws-cli/2.11.21 Python/3.11.3 Darwin/22.5.0 exe/x86_64 prompt/off)
Session Manager Plugin | OK (1.2.463.0)
-------------------------------------------------------------
Checks on ECS task and other resources
-------------------------------------------------------------
Region : eu-central-1
Cluster: very_good_cluster
Task : arn:aws:ecs:eu-central-1:xxxxxxxxxxxxxx
-------------------------------------------------------------
Cluster Configuration |
KMS Key : arn:aws:kms:eu-central-1:xxxxxxxx:key/xxxxxxxxxx
Audit Logging : OVERRIDE
S3 Bucket Name: ecs-ilarp-bucked, Key Prefix: exec-output, Encryption Enabled: false
CW Log Group : /aws/ecs/loggroup, Encryption Enabled: false
Can I ExecuteCommand? | arn:aws:iam::xxxxxxxxxxx:user/ecs-admin
ecs:ExecuteCommand: allowed
kms:GenerateDataKey: allowed
ssm:StartSession denied?: allowed
Task Status | RUNNING
Launch Type | EC2
ECS Agent Version | 1.71.1
Exec Enabled for Task | OK
Container-Level Checks |
----------
Managed Agent Status
----------
1. RUNNING for "ecs-service-connect-xxxxxxx"
2. RUNNING for "aws-otel-collector"
3. RUNNING for "db"
4. RUNNING for "app"
----------
Init Process Enabled (Service:20)
----------
1. Disabled - "db"
2. Disabled - "aws-otel-collector"
3. Enabled - "app"
----------
Read-Only Root Filesystem (nextcloud:20)
----------
1. Disabled - "db"
2. Disabled - "aws-otel-collector"
3. Disabled - "app"
Task Role Permissions | arn:aws:iam::xxxxxxx:role/ecsTaskExecutionRole
ssmmessages:CreateControlChannel: allowed
ssmmessages:CreateDataChannel: allowed
ssmmessages:OpenControlChannel: allowed
ssmmessages:OpenDataChannel: allowed
-----
kms:Decrypt: allowed
-----
s3:PutObject: allowed
-----
logs:DescribeLogGroups: allowed
logs:CreateLogStream: allowed
logs:DescribeLogStreams: allowed
logs:PutLogEvents: allowed
VPC Endpoints | SKIPPED (vpc-xxxxxxxxxxx - No additional VPC endpoints required)
Environment Variables | (nextcloud:20)
1. container "db"
- AWS_ACCESS_KEY: not defined
- AWS_ACCESS_KEY_ID: not defined
- AWS_SECRET_ACCESS_KEY: not defined
2. container "aws-otel-collector"
- AWS_ACCESS_KEY: not defined
- AWS_ACCESS_KEY_ID: not defined
- AWS_SECRET_ACCESS_KEY: not defined
3. container "app"
- AWS_ACCESS_KEY: not defined
- AWS_ACCESS_KEY_ID: not defined
- AWS_SECRET_ACCESS_KEY: not defined
Maybe you can help me, because I have no clue what is wrong here.
What I am trying to do is:
aws ecs execute-command --cluster very_good_cluster --task arn:aws:ecs:eu-central-1:xxxxxxxxxx:task/very_good_cluster/xxxxxxxxx --container app --interactive --command "ls -l"
As a result I get:
The Session Manager plugin was installed successfully. Use the AWS CLI to start a session.
An error occurred (TargetNotConnectedException) when calling the ExecuteCommand operation: The execute command failed due to an internal error. Try again later.
My EC2 containers are running in awsvpc network mode, and all outgoing traffic is allowed too. I also double-checked this here: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-privatelink.html