Is it possible to SSH into FARGATE managed container instances?

Tags: Amazon Web-Services, Ssh, Aws Fargate

Amazon Web-Services Problem Overview


I used to connect to EC2 container instances following these steps, https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance-connect.html, and I am wondering how I can connect to FARGATE-managed container instances instead.

Amazon Web-Services Solutions


Solution 1 - Amazon Web-Services

Looking at that issue on GitHub, https://github.com/aws/amazon-ecs-cli/issues/143, I think it's not possible to run docker exec from a remote host into a container on ECS Fargate. You can try to run an SSH daemon and your main process in one container using e.g. systemd (https://docs.docker.com/config/containers/multi-service_container/) and connect to your container using SSH, but generally it's not a good idea in the containers world.

Solution 2 - Amazon Web-Services

Starting from the middle of March 2021 it is possible to execute a command in an ECS container when the container runs in AWS Fargate; check Using Amazon ECS Exec to access your containers on AWS Fargate and Amazon EC2.

Quick check list:

  1. Enable command execution in the service.
  2. Make sure to use latest platform version in the service.
  3. Add ssmmessages:.. permissions to the task execution role.
  4. Force new deployment for the service to run tasks with command execution enabled.

This should allow you to run the /bin/bash command and get an interactive shell in the container running on AWS Fargate. This is all clearly explained in the article I have referenced above.

Solution 3 - Amazon Web-Services

It is possible, but not easy or straightforward. In short: install SSH, don't expose the SSH port outside the VPC, add a bastion host, and SSH through the bastion.

A little bit more detail:

  • spin up SSHD with password-less authentication (Docker instructions)
  • Fargate Task: expose port 22
  • configure your VPC (instructions)
  • create an EC2 bastion host
  • from there, SSH into your Task's IP address

Solution 4 - Amazon Web-Services

Here is an example of adding SSH/sshd to your container to gain direct access:

# Dockerfile
FROM alpine:latest

# --no-cache fetches the index itself, so no separate apk update is needed;
# the original --virtual needs a name argument and swallowed --no-cache instead
RUN apk add --no-cache openssh

COPY sshd_config /etc/ssh/sshd_config

# Copy every *.pub key into a directory (a multi-file COPY needs a directory
# target), then concatenate them into authorized_keys. The directory must stay
# traversable (700) and the file readable only by root (600).
RUN mkdir -p /root/.ssh/authorized-keys
COPY authorized-keys/*.pub /root/.ssh/authorized-keys/
RUN cat /root/.ssh/authorized-keys/*.pub > /root/.ssh/authorized_keys
RUN chown -R root:root /root/.ssh && chmod 700 /root/.ssh && chmod 600 /root/.ssh/authorized_keys

COPY docker-entrypoint.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/docker-entrypoint.sh
RUN ln -s /usr/local/bin/docker-entrypoint.sh /

# We have to set a password to be let in for root - MAKE THIS STRONG.
RUN echo 'root:THEPASSWORDYOUCREATED' | chpasswd

EXPOSE 22
ENTRYPOINT ["docker-entrypoint.sh"]

#!/bin/sh
# docker-entrypoint.sh (the shebang must be the first line of the file)

if [ "$SSH_ENABLED" = true ]; then
  if [ ! -f "/etc/ssh/ssh_host_rsa_key" ]; then
    # generate fresh rsa host key
    ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
  fi
  if [ ! -f "/etc/ssh/ssh_host_ed25519_key" ]; then
    # generate fresh ed25519 host key (current OpenSSH no longer accepts dsa host keys)
    ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -N '' -t ed25519
  fi

  # prepare run dir
  if [ ! -d "/var/run/sshd" ]; then
    mkdir -p /var/run/sshd
  fi

  /usr/sbin/sshd

  # Make the task environment visible to SSH sessions (ECS injects it into the
  # entrypoint process only). Values are single-quoted so spaces and $ survive
  # in .profile. Note this also writes any secrets in the environment to disk.
  env | grep '_\|PATH' | while IFS= read -r kv; do
    name=${kv%%=*}
    value=$(printf '%s' "${kv#*=}" | sed "s/'/'\\\\''/g")
    printf "export %s='%s'\n" "$name" "$value" >> /root/.profile
  done
fi

exec "$@"

More details here: https://github.com/jenfi-eng/sshd-docker

Solution 5 - Amazon Web-Services

Enable execute command on service.

aws ecs update-service --cluster <Cluster> --service <Service> --enable-execute-command

Connect to the Fargate task.

aws ecs execute-command --cluster <Cluster> \
    --task <taskId> \
    --container <ContainerName> \
    --interactive \
    --command "/bin/sh"

Ref - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html
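As an added example (not from any of the answers above) that ties Solution 2's checklist to Solution 5's commands: attach the ssmmessages policy to the task role, enable exec with a forced deployment, and verify from describe-tasks output that the ExecuteCommandAgent is RUNNING before trying execute-command. Cluster, service, role and task names are placeholders, and the describe-tasks JSON used for the dry run is constructed.

```shell
# Added example (not from the answers above): enable ECS Exec on a Fargate service
# and check the in-task ExecuteCommandAgent is RUNNING before using execute-command.
set -eu
CLUSTER="${CLUSTER:-my-cluster}"        # placeholder
SERVICE="${SERVICE:-my-service}"        # placeholder
TASK_ROLE="${TASK_ROLE:-my-task-role}"  # placeholder: the task IAM role the containers assume

# Inline policy the task role needs so the SSM agent inside the task can open its
# control/data channels (the four ssmmessages actions from the ECS Exec docs).
ecs_exec_policy() {
  cat <<'EOF'
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
  "Action": ["ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
             "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel"]}]}
EOF
}

# Attach the policy, turn exec on, move to the latest platform version and roll
# the tasks: tasks started before this change keep their old settings.
enable_exec() {
  aws iam put-role-policy --role-name "$TASK_ROLE" --policy-name ecs-exec \
    --policy-document "$(ecs_exec_policy)"
  aws ecs update-service --cluster "$CLUSTER" --service "$SERVICE" \
    --enable-execute-command --platform-version LATEST --force-new-deployment
}

# Read `aws ecs describe-tasks` JSON on stdin; print the ExecuteCommandAgent
# lastStatus. RUNNING means exec will work; empty output means the task predates
# the change or the agent never came up (e.g. the task role lacks the policy).
exec_agent_status() {
  tr -d '\n ' | grep -o '{[^{}]*"ExecuteCommandAgent"[^{}]*}' \
    | sed -n 's/.*"lastStatus":"\([A-Z]*\)".*/\1/p' | head -n 1
}
check_task() {  # $1 = task id or ARN
  aws ecs describe-tasks --cluster "$CLUSTER" --tasks "$1" | exec_agent_status
}

# Constructed, abridged describe-tasks output so the parser can be tried offline.
sample_describe_tasks() {
  cat <<'EOF'
{"tasks": [{"taskArn": "arn:aws:ecs:us-east-1:123456789012:task/my-cluster/abc123",
  "enableExecuteCommand": true, "containers": [{"name": "app", "managedAgents":
  [{"lastStartedAt": "2021-03-20T10:00:00Z", "name": "ExecuteCommandAgent", "lastStatus": "RUNNING"}]}]}]}
EOF
}
case "${1:-dry-run}" in
  enable) enable_exec ;;
  check)  check_task "$2" ;;
  *)      echo "sample task agent status: $(sample_describe_tasks | exec_agent_status)" ;;
esac
```

Run it with `enable` to apply the change, then `check <task-id>` on a task from the new deployment; anything other than RUNNING means `aws ecs execute-command` will fail.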

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | Stefano Messina | View Question on Stackoverflow
Solution 1 - Amazon Web-Services | Jakub Bujny | View Answer on Stackoverflow
Solution 2 - Amazon Web-Services | Victor Smirnov | View Answer on Stackoverflow
Solution 3 - Amazon Web-Services | Артур Курицын | View Answer on Stackoverflow
Solution 4 - Amazon Web-Services | nitsujri | View Answer on Stackoverflow
Solution 5 - Amazon Web-Services | tumbudu | View Answer on Stackoverflow