compose-cli
compose-cli copied to clipboard
docker
ECS integration sets TaskRoleArn: null, doesn't work with ECS Exec
Description
I'm trying to use ECS Exec to connect to a Fargate container created with the docker compose ecs integration. According to ECS Exec documentation, you need to specify --enable-execute-command for a task. Unfortunately, there's no mention of ECS Exec in the docker compose ECS features.
As a result, I've tried using the aws ecs update-service command to add --enable-execute-command. When I provide the full task definition ARN, it fails on:
An error occurred (InvalidParameterException) when calling the UpdateService operation: The service couldn't be updated because a valid taskRoleArn is not being used. Specify a valid task role in your task definition and try again.
Looking at the task definition json, it includes
"taskRoleArn": null,
and again I don't see any way to explicitly provide this in the ECS compose features doc.
Is there a way to provide a non-null taskRoleArn, or a more direct way to use ECS Exec with a docker compose fargate container? Is setting a null taskRoleArn the expected/desired behavior of this feature?
Output of docker-compose --version:
docker-compose version 1.29.2, build 5becea4c
Output of docker version:
Docker version 20.10.8, build 3967b7d
I'm experiencing the same issue.
❯ aws ecs update-service --service <service> --cluster <cluster> --enable-execute-command
An error occurred (InvalidParameterException) when calling the UpdateService operation: The service couldn't be updated because a valid taskRoleArn is not being used. Specify a valid task role in your task definition and try again.
❯ docker compose version
Docker Compose version dev
❯ docker version
Client:
Cloud integration: v1.0.22
Version: 20.10.11
API version: 1.41
Go version: go1.16.10
Git commit: dea9396
Built: Thu Nov 18 00:36:09 2021
OS/Arch: darwin/amd64
Context: staging
Experimental: true
...
Are you providing it with your service?
services:
web:
# ...
x-aws-policies:
- arn:aws:iam::<ACC_ID>:policy/DockerExecRole
My policy for reference:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ExecuteCommand",
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*"
}
]
}
Also when updating the service, you need to force a new deployment
aws ecs update-service \
--service <service> \
--cluster <cluster> \
--enable-execute-command \
--force-new-deployment
This is not an issue with compose-cli. You need to provide a "Task role" for a Task Definition (this is different than the "Task execution role"). This can be done by first going to IAM
IAM role creation
- IAM > roles > create role
- custom trust policy > copy + paste
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
- Add permission > Create Policy
- JSON > replace YOUR_REGION_HERE & YOUR_ACCOUNT_ID_HERE & CLUSTER_NAME > copy + paste
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:YOUR_REGION_HERE:YOUR_ACCOUNT_ID_HERE:log-group:/aws/ecs/CLUSTER_NAME:*"
}
]
}
- Give it a name
- go back to Add permissions > search by name > check > Next
- Give a role name > create role
ECS new task
- go back to ECS > go to task definition and create a new revision
- select your new role for "Task role" (different than "Task execution role") > update Task definition
- go to your service > update > ensure revision is set to latest > finish update of the service
- current task and it should auto provision your new task with its new role.
- try again
Commands I used to exec in
enables execute command
aws ecs update-service --cluster CLUSTER_NAME --service SERVICE_NAME --region REGION --enable-execute-command --force-new-deployment
adds ARN to environment for easier cli. Does assume only 1 task running for the service, otherwise just manually go to ECS and grab arn and set them for your cli
TASK_ARN=$(aws ecs list-tasks --cluster CLUSTER_NAME --service SERVICE_NAME --region REGION --output text --query 'taskArns[0]')
see the task,
aws ecs describe-tasks --cluster CLUSTER_NAME --region REGION --tasks $TASK_ARN
exec in
aws ecs execute-command --region REGION --cluster CLUSTER_NAME --task $TASK_ARN --container CONTAINER --command "sh" --interactive
Is there a way to modify the compose.yml to enable the execute command (EnableExecuteCommand: true) for one or more services in lieu of running the update-service command and forcing a new deployment?
It seems a bit wonky (if I understand correctly) that I have to write a configuration, spin up the service, then add additional configuration/restart the service with a command.
Isn't this the sort of thing the overlay capability is for? I struggle to find an exhaustive list of supported overlays and/or a methodology I could use to infer overlays that aren't explicitly laid out.
@andrekrosby92 Thanks, your steps worked for me.
I really wish I could enable exec in my docker-compose.yml instead of having to explicitly enable it with aws ecs ... --enable-execute-command.
Hello all. I know this ain't native to the docker toolset, but in the meantime / instead, see if x-ecs.EnableExecuteCommand could work for you?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
![stale[bot] avatar](https://avatars.githubusercontent.com/in/1724?v=4 "Published by a pub.dev verified publisher"){kind=small}
This issue has been automatically closed because it had not recent activity during the stale period.