AWS ECS Fargate copy local file to container

0

I can shell (sh) into an AWS Fargate container using the AWS exec. I have tried the below workarounds:

  • pass through an S3 bucket to EFS using DataSync
  • mounted an EFS shared folder in an EC2 instance and the same in the container volume (I have to mount the EFS folder in the instance and upload the file to it from my host... 2 steps and a shared folder)

However, the requirement is to copy a file from my local machine to a container, and I need to accomplish this using AWS Systems Manager (SSM).

Is it possible to copy a file from local to container mounted with EFS filesystem using SSM on ECS Fargate instances? If so, could you provide some insights or steps to follow? I'd greatly appreciate your guidance on this matter.

Thanks in advance!

2 Answers
0

Hi,

If you can connect via shell (I guess over ssh) then you can use scp to copy files to your container instance. See https://linuxize.com/post/how-to-use-scp-command-to-securely-transfer-files/?utm_content=cmp-true

But be aware of one thing: files copied into a running container are not part of its initial image. The consequence is that the next time your container restarts, the file will no longer be present in your container image.

It means that Fargate may restart your image automatically at any time for maintenance purposes and your file will disappear: see https://docs.aws.amazon.com/AmazonECS/latest/userguide/task-maintenance.html

AWS is responsible for patching and maintaining the underlying infrastructure 
for AWS Fargate. When AWS determines that a security or infrastructure update 
is needed for an Amazon ECS task hosted on Fargate, the tasks need to be stopped 
and new tasks launched to replace them.

Best,

Didier

AWS
EXPERT
answered 8 months ago
0

Hello.
I believe that RunCommand can be used by installing SSM Agent on the container to be run by Fargate and registering it with Systems Manager as a Managed Instance.

Also, since the container is not EC2, the advanced-instances tier must be enabled in Systems Manager.
https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-managedinstances-advanced.html
SSM Agent can be installed in the Dockerfile as follows.

FROM ubuntu:20.04

WORKDIR /

RUN \
    --mount=type=cache,target=/var/lib/apt/lists \
    --mount=type=cache,target=/var/cache/apt/archives \
    apt-get update \
    && apt-get -y install \
    curl \
    jq \
    unzip

RUN curl https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscliv2.zip \
    && unzip awscliv2.zip \
    && ./aws/install \
    && rm -rf awscliv2.zip ./aws

RUN curl https://s3.ap-northeast-1.amazonaws.com/amazon-ssm-ap-northeast-1/latest/debian_amd64/amazon-ssm-agent.deb -o /tmp/amazon-ssm-agent.deb \
    && dpkg -i /tmp/amazon-ssm-agent.deb \
    && mv /etc/amazon/ssm/amazon-ssm-agent.json.template /etc/amazon/ssm/amazon-ssm-agent.json \
    && mv /etc/amazon/ssm/seelog.xml.template /etc/amazon/ssm/seelog.xml \
    && rm /tmp/amazon-ssm-agent.deb

COPY ./run.sh /run.sh

CMD ["bash", "/run.sh"]

run.sh does the following to start SSM Agent, etc.

#!/bin/bash
set -e

# Create a one-time hybrid activation; "SSM_SERVICE_ROLE_NAME" and "region"
# are placeholders to replace with your own values.
ACTIVATION_PARAMETERS=$(aws ssm create-activation \
   --description "Activation Code for Fargate Bastion" \
   --default-instance-name bastion \
   --iam-role "SSM_SERVICE_ROLE_NAME" \
   --registration-limit 1 \
   --tags Key=Type,Value=Bastion \
   --region "region")

# The activation ID and code together act as a registration credential.
SSM_ACTIVATION_ID=$(echo "${ACTIVATION_PARAMETERS}" | jq -r .ActivationId)
SSM_ACTIVATION_CODE=$(echo "${ACTIVATION_PARAMETERS}" | jq -r .ActivationCode)

# Register the agent with Systems Manager, then start it.
service amazon-ssm-agent stop
amazon-ssm-agent -register -code "${SSM_ACTIVATION_CODE}" -id "${SSM_ACTIVATION_ID}" -region "region"
service amazon-ssm-agent start

EXPERT
answered 8 months ago
EXPERT
reviewed 8 months ago
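
Once the container is registered as a managed instance as the second answer describes, a file can be pushed by staging it in S3 and sending a Run Command that downloads it and checks its SHA-256 before moving it into place. This is an added example, not code from either answer; the bucket, key, destination path and `mi-EXAMPLE` instance ID are placeholders, and it assumes `jq` and `sha256sum` on the local machine and S3 read permission for the container.

```shell
#!/bin/bash
# Added example (not from the answers): stage a local file in S3, then have the
# SSM-registered container fetch it via Run Command and verify its SHA-256.
# Assumed: bucket, key, instance ID and paths below are placeholders.

# Allow only conservative characters, because these values end up inside a
# shell command that the SSM Agent executes in the container.
safe_arg() {
  case "$1" in
    ''|*[!A-Za-z0-9._/-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the command to run in the container: download to a temporary name,
# verify the digest, and only then move the file to its destination.
build_fetch_command() {
  local bucket="$1" key="$2" dest="$3" sha="$4"
  safe_arg "$bucket" && safe_arg "$key" && safe_arg "$dest" || return 1
  case "$sha" in *[!0-9a-f]*) return 1 ;; esac
  [ "${#sha}" -eq 64 ] || return 1
  printf 'aws s3 cp s3://%s/%s %s.part && echo "%s  %s.part" | sha256sum -c - && mv %s.part %s' \
    "$bucket" "$key" "$dest" "$sha" "$dest" "$dest" "$dest"
}

# Upload the file, then send the fetch command to one managed instance.
push_file() {
  local file="$1" bucket="$2" key="$3" instance="$4" dest="$5" sha cmd
  sha=$(sha256sum "$file" | cut -d' ' -f1) || return 1
  cmd=$(build_fetch_command "$bucket" "$key" "$dest" "$sha") || return 1
  aws s3 cp "$file" "s3://${bucket}/${key}" || return 1
  # jq builds the JSON parameters so the command string is escaped correctly.
  aws ssm send-command \
    --document-name AWS-RunShellScript \
    --instance-ids "$instance" \
    --parameters "$(jq -n --arg c "$cmd" '{commands: [$c]}')"
}

# Usage (placeholders):
#   push_file ./app.conf EXAMPLE-BUCKET incoming/app.conf mi-EXAMPLE /mnt/efs/app.conf
```

Writing to a path on the EFS mount keeps the file across the task replacements the first answer warns about.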
