AWS ECS: How to list Fargate containers? - amazon-web-services

I need to obtain details on a Fargate container running for a task in an AWS ECS cluster.
The information I retrieve using the AWS CLI matches what I see in the AWS Console, e.g.
$ aws ecs list-clusters
{
"clusterArns": [
"arn:aws:ecs:us-east-1:<my account ID>:cluster/<cluster short name>"
]
}
$ aws ecs list-services --cluster "arn:aws:ecs:us-east-1:<my account ID>:cluster/<cluster short name>"
{
"serviceArns": [
"arn:aws:ecs:us-east-1:<my account ID>:service/<cluster short name>/<service short name>"
]
}
$ aws ecs list-tasks --cluster "arn:aws:ecs:us-east-1:<my account ID>:cluster/<cluster short name>"
{
"taskArns": [
"arn:aws:ecs:us-east-1:<my account ID>:task/<cluster short name>/<task ID>"
]
}
Now, I am looking at the container running for the task shown above: It is running, it is healthy, everything seems fine.
However, when I try to obtain container details using the AWS CLI, I get an empty result:
$ aws ecs list-container-instances --cluster "arn:aws:ecs:us-east-1:<my account ID>:cluster/<cluster short name>"
{
"containerInstanceArns": []
}
I'm completely puzzled. I have double-, triple- and quadruple-checked what I'm doing; everything seems fine - not exactly rocket science, anyway...
My best guess at this stage is that list-container-instances only supports EC2, not Fargate instances, but TBH that feels way off - like a massive 'blind spot' in the AWS API, i.e. an AWS resource not properly supported by AWS itself.
My question: How do I list AWS ECS Fargate container instances using the AWS CLI?
Some additional internals (these shouldn't matter to the problem at hand, but might still help to give some context):
The Fargate container is running a service inside private subnet only accessed by the backend application of my current project. In order to configure that service, I start a jump host in a public subnet in the same VPC as the private subnet and create an SSH tunnel from my local dev machine over that jump host to the Fargate container. In order to create that SSH tunnel, I need the container's private IP address.
From what I understand, this seems a fairly common approach. Things work fine when doing them on the fly, i.e. copying the private IP address from the AWS Console to the terminal. However, for long-term DevOps production, I need to get the private IP address in a script using the AWS CLI. HTH.

Related

How to know EC2 instance stopped time?

I really need to know the stopped time of AWS EC2 instances. I have checked with AWS CloudTrail, but it's not easy to find the exact stopped EC2 instance. Is it possible to see the exact time of stopped EC2 instances via aws-cli commands or any boto3 script?
You can get this info from StateTransitionReason in describe-instances AWS CLI when you search for stopped instances:
aws ec2 describe-instances --filter Name=instance-state-name,Values=stopped --query 'Reservations[].Instances[*].StateTransitionReason' --output text
Example output:
User initiated (2020-12-03 07:16:35 GMT)
AWS Config keeps track of the state of resources as they change over time.
From What Is AWS Config? - AWS Config:
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.
Thus, you could look back through the configuration history of the Amazon EC2 instance and extract times for when the instance changed to a Stopped state.
Sometimes the time is missing from StateTransitionReason; in that case you can use CloudTrail and search for Resource Name = instance ID to find the StopInstance(s) API calls.
By default you can track back 90 days, or indefinitely if you create your own trail.

How to add Amazon ECS to non default VPC I have already created?

I have created VPC and added Amazon RDS to it. Now I want to add ECS in this VPC and push my Docker container. My container is React web app and Flask server which I want to communicate with Amazon RDS. I have passed through a great deal of ECS documentation but still can’t do this. Any help or guidance will be great. Thanks!
It depends on how you create your ECS service. One way was already provided by #ThiagoDaAnunciação.
Other ways are (for FARGATE):
in CloudFormation there is NetworkConfiguration
in CLI there is --network-configuration
For EC2 launch type, you specify the VPC and subnets when you create your container instances.
I think that is quite simple if I understand your question of course.
If you are using ECS-CLI, which I highly recommend, and if you don't, here is some documentation and the installation process:
AWS ECS-CLI Doc
Github doc ECS-CLI
I think that all of these commands could be filled in on the AWS ECS console, but I think using ECS-CLI is much easier, so that is how I do it.
ecs-cli configure --cluster YOURCLUSTER --default-launch-type FARGATE --region sa-east-1
ecs-cli up --vpc vpc-6548c10d --subnets subnet-46386800,subnet-6648c10e,subnet-6748c10f --cluster-config achievemore --ecs-profile achievemore_ecs
Hope that it could be helpful for you.

Allow awscli in docker inside EC2 without configuration

I have an EC2 with a role that gives it full control over others EC2.
This role allows calling aws ec2 ... without doing the aws configure step.
However, if I install docker and run a docker container inside that EC2, this container is not able to do the aws ec2 ... without configuring the awscli.
Is there some kind of folder to share or feature to enable in order to run awscli commands inside my container without configuring it with an access key/password?
The aws command is utilizing the IAM instance profile assigned to the EC2 instance, which it is obtaining via the EC2 metadata service. You would need to share that metadata with the Docker container somehow.
Are you using the AWS ECS service? Or are you manually installing and managing docker on an EC2 instance? ECS handles this for you.
Otherwise you might look into something like this Lyft project designed to proxy the EC2 IAM role to the Docker container.

Fetch external link of ecs task running from aws cli

How to fetch the external link of aws ecs task running which has the public ip of container instance and port of the task running?
I am managing task/service execution from cli and would like to fetch the external link which is shown in the aws UI from aws cli. I tried describe-tasks command of aws cli but it doesn't return the public IP address of the instance the task is running on.
Is there a way to fetch the same from aws cli?
Thanks in advance!
This is quite the pain in the neck, but it will do what you want:
List your tasks by service name
aws ecs list-tasks --cluster mycluster --service-name my-service-name
Get the details of a task using the task ARN from the above.
aws ecs describe-tasks --cluster mycluster --tasks arn:aws:ecs:us-east-1:999999999999:task/ad0ba3e9-ac3b-4a4c-a1af-de3e06f46dfa
The task description includes two pieces of information you need: the network bindings, which includes the port (look for the one that is mapped to the service port you care about), and the container instance ARN. (NOT the container ARN. Don't make that mistake and be super-confused when the next step fails, like I did). Using the container instance's ARN, get the details of the container instance:
aws ecs describe-container-instances --cluster mycluster --container-instances arn:aws:ecs:us-east-1:999999999999:container-instance/707e5193-51e3-454b-ba09-9745c5d7f527
As part of this description, you should be able to get the EC2 instance ID & query EC2 for more details:
aws ec2 describe-instances --instance-ids i-c91aee40d92c23b3c
^^^^ NOT ECS
The output of this command should include the private IP of the EC2 instance. This IP + previously computed port should correspond to the external link from the web UI.
NOTE: Data has been anonymized, but should still LOOK like what you can expect to see. Also I omitted AWS region and profile params, which I have set to defaults using environment variables.
This should show your ingress IP address, which is a public URL and is typically then mapped to your domain as a Type A record using the AWS Route 53 console, so your users can reach the same just using your URL domain.com/lalala
aws ecs describe-services --service my-http-service
To discover this command and others: generally the aws command line tool is actually very friendly ... just issue
aws help
then view that top level list of available subcommands then drill down by issuing
aws ecs help
and repeat the above, burrowing deeper into the available commands until you reach what could work ... as in
aws ecs describe-services help
You can get to the answer you want by running:
aws ecs describe-tasks --cluster foo --tasks 8591006e-6f05-4886-bc4a-58d9063d3852
This will contain the networkBindings section like this:
"networkBindings": [
{
"protocol": "tcp",
"bindIP": "0.0.0.0",
"containerPort": 7000,
"hostPort": 32769
},
{
"protocol": "tcp",
"bindIP": "0.0.0.0",
"containerPort": 7001,
"hostPort": 32768
}
]
Then you're golden!
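Added example, not part of the original question or any of the answers above: a Python helper that reads the JSON from aws ecs describe-tasks and returns, per task, the private IP for awsvpc tasks (every Fargate task has its own ENI and no container instance, which is why list-container-instances comes back empty for the Fargate cluster in the question and why the tunnel script only needs describe-tasks) or the hostPort map plus containerInstanceArn for EC2 bridge-mode tasks, as walked through in the answers above. The sample response is constructed; the field names (containers[].networkInterfaces[].privateIpv4Address, networkBindings, containerInstanceArn) are those of the real describe-tasks output.

```python
import json
from typing import Dict, List

# Constructed sample modelled on an `aws ecs describe-tasks` response: one Fargate
# task (awsvpc networking) and one EC2-launch-type task with bridge port bindings.
SAMPLE_DESCRIBE_TASKS = json.dumps({"tasks": [
    {"taskArn": "arn:aws:ecs:us-east-1:123456789012:task/demo/1111",
     "launchType": "FARGATE", "lastStatus": "RUNNING",
     "containers": [{"name": "api",
                     "networkInterfaces": [{"privateIpv4Address": "10.0.2.17"}]}]},
    {"taskArn": "arn:aws:ecs:us-east-1:123456789012:task/demo/2222",
     "launchType": "EC2", "lastStatus": "RUNNING",
     "containerInstanceArn": "arn:aws:ecs:us-east-1:123456789012:container-instance/demo/3333",
     "containers": [{"name": "web", "networkBindings": [
         {"protocol": "tcp", "bindIP": "0.0.0.0", "containerPort": 7000, "hostPort": 32769},
         {"protocol": "tcp", "bindIP": "0.0.0.0", "containerPort": 7001, "hostPort": 32768}]}]},
]})


def task_endpoints(describe_tasks_json: str) -> List[Dict]:
    """One record per task with what you need to reach it.

    awsvpc tasks (all Fargate tasks) carry their own ENI, so the private IP is
    right in describe-tasks; there is no container instance to look up.
    bridge/host tasks on EC2 expose hostPort on the container instance, whose
    IP comes from describe-container-instances -> ec2 describe-instances.
    """
    records = []
    for task in json.loads(describe_tasks_json).get("tasks", []):
        rec = {"taskArn": task["taskArn"], "launchType": task.get("launchType"),
               "lastStatus": task.get("lastStatus")}
        containers = task.get("containers", [])
        ips = [ni["privateIpv4Address"] for c in containers
               for ni in c.get("networkInterfaces", []) if "privateIpv4Address" in ni]
        if ips:
            rec["privateIps"] = ips
        else:
            rec["containerInstanceArn"] = task.get("containerInstanceArn")
            rec["hostPorts"] = {b["containerPort"]: b["hostPort"] for c in containers
                                for b in c.get("networkBindings", [])}
        records.append(rec)
    return records


if __name__ == "__main__":
    # Real use: aws ecs describe-tasks --cluster <cluster> --tasks <task-arn> | python3 this.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_TASKS
    for r in task_endpoints(data):
        print(json.dumps(r))
```

The private IP for a Fargate task is only reachable from inside the VPC (or via the jump host described in the question); an EC2 bridge-mode task still needs the container instance's address resolved separately.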

AWS spot price history coming empty

I got AWS CLI tools and account on AWS. I ran the command aws configure and set the AWS Access key, AWS secret key, region and output format. Now when I am running the command
aws ec2 describe-spot-price-history --instance-type m1.xlarge --product-description "Linux/Unix"
I get the output empty
{
"SpotPriceHistory": []
}
I have tried it with multiple instance types, giving start time and end time etc.
Please can someone help me on this.
Are you sure your account supports launching an ec2-classic instance?
If you created your account after 2013-12-04, it supports EC2-VPC only, and to retrieve the information you will need to specify that you want EC2 instances from VPC:
aws ec2 describe-spot-price-history --product-description "Linux/UNIX (Amazon VPC)" --instance-type m1.xlarge