bertrandmartel / aws-ssm-session

Javascript library for starting an AWS SSM session compatible with Browser and NodeJS
MIT License

Unable to use with ECS tasks #9

Closed natemellendorf closed 3 years ago

natemellendorf commented 3 years ago

I’m not sure if this is really a bug with aws-ssm-session, but I wanted to get your thoughts.

I’ve tested this project against SSM agents running on instances, and that works fine.

Recently, AWS added SSM support for ECS tasks. Using the AWS CLI, you can connect to them just fine, as they too leverage an SSM agent.

You can request the WSS URL and token via this endpoint: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/ECS.html#executeCommand-property

However, using aws-ssm-session, I’m unable to connect to an ECS task. I’ve tried via the web client and the node script. I can connect to these tasks just fine though, when using the AWS CLI command: https://aws.amazon.com/blogs/containers/new-using-amazon-ecs-exec-access-your-containers-fargate-ec2/

Do you think this is something that could be added / supported to aws-ssm-session, or do you think this is a bug on the AWS side of things?

bertrandmartel commented 3 years ago

@natemellendorf I've added a node script to reproduce the issue.

node ./scripts/generate-session-ecs.js

I'm investigating.

natemellendorf commented 3 years ago

@bertrandmartel Thanks! I’ll keep an eye out for your update. If there’s anything more I can provide, just let me know. I greatly appreciate you taking a look.

bertrandmartel commented 3 years ago

@natemellendorf I've found that the AWS CLI was using the same request as the AWS SDK. But the AWS CLI is also passing the Target field to session-manager-plugin, with the following value:

target = "ecs:{}_{}_{}".format(cluster_name, task_id, container_runtime_id)
ssm_request_params = {"Target": target}

I've tried using this instead of the instance ID for EC2, and it works by using ssm.startSession({target: "ecs:..._..._..."}) to generate the stream information.

It's not clear though how session-manager-plugin is using this target field and how it uses the streamUrl provided by the first API call. But I didn't notice any problem using the startSession with the above target.

There is one thing that could be annoying: there is a limitation of 2 simultaneous connections on ECS tasks, which is not there by default on EC2 (if I remember). You would need to check that the connections are correctly terminated (either by the exit command or using the API: aws ssm terminate-session --session-id [SESSION_ID]).

I've updated the nodejs script for ECS tasks

node ./scripts/generate-session-ecs.js

and I've added some notes in the readme about ECS tasks and terminating the connections.
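
Added example, not part of the original thread or of the project's code: one way to assemble the `ecs:<cluster>_<task id>_<container runtime id>` target described in the comment above before passing it as the session target. The helper names are hypothetical, the input is assumed to have the shape of an ECS DescribeTasks entry (`taskArn`, `containers[].name`, `containers[].runtimeId`), and the sample values are constructed.

```javascript
// Added example; buildEcsTarget and lastSegment are hypothetical helpers,
// not part of aws-ssm-session or the AWS SDK.

// Accepts a bare name or an ARN and returns the last path segment,
// e.g. "arn:aws:ecs:...:cluster/demo-cluster" -> "demo-cluster".
function lastSegment(value, what) {
  if (typeof value !== "string" || value.trim() === "") {
    throw new Error(`${what} must be a non-empty name or ARN`);
  }
  return value.trim().split("/").pop();
}

// `task` is assumed to have the shape of one entry of the ECS DescribeTasks
// response: { taskArn, containers: [{ name, runtimeId }] }.
function buildEcsTarget(cluster, task, containerName) {
  const clusterName = lastSegment(cluster, "cluster");
  const taskId = lastSegment(task && task.taskArn, "task.taskArn");
  const containers = (task && task.containers) || [];
  if (containers.length === 0) {
    throw new Error(`task ${taskId} lists no containers`);
  }
  if (!containerName && containers.length > 1) {
    throw new Error(`task ${taskId} has several containers; name one`);
  }
  const container = containerName
    ? containers.find((c) => c.name === containerName)
    : containers[0];
  if (!container) {
    throw new Error(`container "${containerName}" not found in task ${taskId}`);
  }
  // Without a runtimeId no target can be built (assumed here to mean the
  // container has not started yet).
  if (!container.runtimeId) {
    throw new Error(`container "${container.name}" has no runtimeId yet`);
  }
  return `ecs:${clusterName}_${taskId}_${container.runtimeId}`;
}

// Constructed sample data (not from a real account).
const SAMPLE_TASK = {
  taskArn: "arn:aws:ecs:eu-west-1:111122223333:task/demo-cluster/0123456789abcdef0123456789abcdef",
  containers: [
    { name: "app", runtimeId: "0123456789abcdef0123456789abcdef-1234567890" },
    { name: "sidecar" }, // constructed: no runtimeId
  ],
};

// Pass the result as the Target of the SSM StartSession request.
const sampleParams = { Target: buildEcsTarget("demo-cluster", SAMPLE_TASK, "app") };
console.log(sampleParams);
```
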

natemellendorf commented 3 years ago

@bertrandmartel Thanks for looking into this, and sorting through the changes and testing through to a solution! I’m going to take your findings and perform more testing this weekend / early next week.

If I discover any discrepancies or can provide additional feedback, I’ll be sure to report it here.

Again, thank you for taking the time to assist. Your time and input are very much appreciated!

Edit: I’ve tested with the new scripts provided, and can confirm that I can access ECS tasks via node CLI and the Web examples. Thanks again!