chore(aws/ecs): review executing commands in tasks' containers

2026-02-09 05:44:23 +00:00 · 2025-05-02 22:05:55 +02:00
parent 6ed8b74636
commit 62427336ef
2 changed files with 24 additions and 14 deletions
--- a/computing/aws/ecs.md
+++ b/computing/aws/ecs.md
@@ -401,7 +401,7 @@ Whe whole procedure is transparent and does **not** compel requirements changes
 Requirements:

 - The required SSM components must be available on the EC2 instances hosting the container.
-  Amazon's ECS optimized AMI and Fargate 1.4 include their latest version already.
+  Amazon's ECS optimized AMI and Fargate 1.4.0+ include their latest version already.
 - The container's image must have `script` and `cat` installed.<br/>
  Required in order to have command logs uploaded correctly to S3 and/or CloudWatch.
 - The task's role (**not** the Task's _execution_ role) must have specific permissions assigned.
@@ -438,26 +438,32 @@ Requirements:
                  "logs:DescribeLogStreams",
                  "logs:PutLogEvents"
              ],
-              "Resource": "arn:aws:logs:eu-west-1:012345678901:log-group:/ecs/log-group-name:*"
+              "Resource": [
+                  "arn:aws:logs:eu-west-1:012345678901:log-group:log-group-name",
+                  "arn:aws:logs:eu-west-1:012345678901:log-group:log-group-name:log-stream:log-stream-name"
+              ]
          },
          {
-              "Sid": "OptionalGlobalS3Permissions",
+              "Sid": "OptionalS3PermissionsIfSSMRecordsLogsInBuckets",
              "Effect": "Allow",
-              "Action": "s3:GetEncryptionConfiguration",
-              "Resource": "arn:aws:s3:::ecs-exec-bucket"
+              "Action": [
+                  "s3:GetEncryptionConfiguration",
+                  "s3:PutObject"
+              ],
+              "Resource": [
+                  "arn:aws:s3:::ecs-exec-bucket",
+                  "arn:aws:s3:::ecs-exec-bucket/session-logs/*"
+              ]
          },
          {
-              "Sid": "OptionalSpecificS3Permissions",
+              "Sid": "OptionalKMSPermissionsIfSSMRecordsLogsInEncryptedBuckets",
              "Effect": "Allow",
-              "Action": "s3:PutObject",
-              "Resource": "arn:aws:s3:::ecs-exec-bucket/*"
-          },
-          {
-              "Sid": "OptionalKMSPermissions",
-              "Effect": "Allow",
-              "Action": "kms:Decrypt",
+              "Action": [
+                  "kms:Decrypt",
+                  "kms:GenerateDataKey"
+              ],
              "Resource": "arn:aws:kms:eu-west-1:012345678901:key/abcdef01-2345-6789-abcd-ef0123456789"
-          }
+          },
      ]
  }
  ```
--- a/snippets/aws/other
+++ b/snippets/aws/other
@@ -169,6 +169,10 @@ aws ecs execute-command --cluster 'staging' --task 'e242654518cf42a7be13a8551e0b
 	--interactive --command 'nc -vz 127.0.0.1 28080'
 aws ecs execute-command --cluster 'staging' --task '0123456789abcdefghijklmnopqrstuv' --container 'pihole' \
 	--interactive --command "dd if=/dev/zero of=/spaceHogger count=16048576 bs=1024"
+# Execute commands in tasks given their service name
+aws ecs list-tasks --cluster 'staging' --service-name 'prometheus' --query 'taskArns' --output 'text' \
+| xargs -I '%%' aws ecs execute-command --cluster 'staging' --task '%%' --container 'prometheus' \
+	--interactive --command 'nc -vz 127.0.0.1 9090'

 # Stop tasks given a service name
 aws ecs list-tasks --cluster 'staging' --service-name 'mimir' --query 'taskArns' --output 'text' \