[DOCKER] AWS SSM Agent Launch

Start the SSM agent.

I used Fargate to deploy a Rails application. So, I discovered SSM as a way to enter the server at the terminal with Fargate. I took advantage of this, but I shared it because there was a slight stumbling block.

In my case, the directory structure looks like this. Only Dockerfile.producion and entrypoint.sh are used this time.

• Dockerfile is for development and is used by Dockerfile.production this time. We do not have a staging environment.

/application
L /app
L /bin
  ...
L Dockerfile
L Dockerfile.production
L entrypoint.sh
  ...

1. Create a hybrid activation from entrypoint.sh.

First, you need to create a hybrid activation to start the SSM agent. You can also create it manually from AWS → Systems Manager → Hybrid Activation, but I created the hybrid activation in entrypoint.sh.

entrypoint.sh

SSM_ACTIVATE_INFO=`aws ssm create-activation --iam-role service-role/AmazonEC2RunCommandRoleForManagedInstances --registration-limit 1 --region ap-northeast-1 --default-instance-name medley-blog-fargate-container`

SSM_ACTIVATE_CODE=`echo $SSM_ACTIVATE_INFO | jq -r '.ActivationCode'`
SSM_ACTIVATE_ID=`echo $SSM_ACTIVATE_INFO | jq -r '.ActivationId'`

2. Register a managed instance.

Next, register the managed instance using the hybrid activation created earlier.

entrypoint.sh

#Add the following at the bottom

amazon-ssm-agent -register -code $SSM_ACTIVATE_CODE -id $SSM_ACTIVATE_ID -region "ap-northeast-1"

• If you created the hybrid activation yourself, save the ID and CODE in the environment variables and use them.

3. Start SSM Agent

entrypoint.sh

#Add the following at the bottom
amazon-ssm-agent &

You should now be able to start the SSM agent, but when you try to start it from the ECS task definition, it does not start.

So I thought about starting entrypint.sh from Dockerfile, and when I started it from Dockerfile, it started safely.

Dockerfile.production

COPY entrypoint.sh /usr/bin/
RUN chmod +x /usr/bin/entrypoint.sh
ENTRYPOINT ["entrypoint.sh"]

The cause is not clear, but since the registration of hybrid activation was done from the task definition of ECS, "The Docker container itself is deployed on the ECS side, and the command that just moves the container is in the container. Is it like "No"?

However, it is a mystery because there was an article made from the entry point of the ECS task definition in other articles. If anyone knows, please let me know.

Well, I'm glad that I was able to start it with ENTRY POINT from Dockerfile.

Reference article

https://developer.medley.jp/entry/2020/09/18/180404