README
¶
ecs-fargate-login
A simple tool to get an ephemeral CLI in a ECS Fargate task.
$ go get -u github.com/keichan34/ecs-fargate-login
Use cases
- Serverless bastion host.
- A way to get an application console (like
rails console) in staging / production.
How it works
The high level outline is:
ecs-fargate-logincreates a one-time use RSA key pair.ecs-fargate-loginstarts a SSH server task in Fargate.- When the task has booted,
ecs-fargate-loginlogs in to the SSH server. - The SSH server shuts itself down when the user logs off.
A script (server/start-sshd.sh) and openssh-server are installed in the
Dockerfile for the SSH server. The CLI service should have its own dedicated
task definition (an example is included in server/task-definition.json).
When ecs-fargate-login boots this task definition, start-sshd.sh will perform
some initial setup, such as reading environment variables in to /etc/environment
(because SSH will strip them out otherwise), and authorizing the one-time RSA key
pair by passing the public key in the _AUTHORIZED_PUBLIC_KEY environment variable.
When the task has been booted, ecs-fargate-login will start ssh and the session
is created.
When the session ends, ecs-fargate-login deletes the one-time private key, and
the server will shut itself down.
Requirements
In AWS:
- A security group that allows inbound SSH access (port 22) from the machine you're using.
- A task definition that is set up to run the SSH server.
On the server:
openssh-serverstart-sshd.sh(see example in theserverdirectory)
On the interactive client:
ecs-fargate-login- Access to AWS
ecs:RunTaskfor the ARN of the task definition the tool will use to boot.ecs:DescribeTasksfor all tasksec2:DescribeNetworkInterfaces(only supports a resource of*)iam:PassRolefor both the execution task role (the role AWS Fargate uses to start the task) and the task role (the role the task assumes when running)
Quick Start
- Create 2 ECS task IAM roles: one for the running task, and one for the task execution.
Put the ARNs in the task definition, using
server/task-definition.jsonas a template. - Register the task definition. The template uses
test-cli, but you can choose any name you like. - Get the VPC Security Group ID (
sg-) of a security group that allows port 22 incoming from the client you plan on logging in from. - Get the VPC Subnet ID(s) of a public subnet you want to launch this instance in to.
- Run
ecs-fargate-login:ecs-fargate-login -n test-cli -sg sg-1234,sg-4321 -sn subnet-1234,subnet-4321
Documentation
¶
Overview ¶
Copyright © 2019 Keitaroh Kobayashi
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Source Files
Directories