Manage container instances remotely using Amazon Systems Manager - Amazon Elastic Container Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Manage container instances remotely using Amazon Systems Manager

You can use the Run Command capability in Amazon Systems Manager (Systems Manager) to securely and remotely manage the configuration of your Amazon ECS container instances. Run Command provides a simple way to perform common administrative tasks without logging on locally to the instance. You can manage configuration changes across your clusters by simultaneously executing commands on multiple container instances. Run Command reports the status and results of each command.

Here are some examples of the types of tasks you can perform with Run Command:

  • Install or uninstall packages.

  • Perform security updates.

  • Clean up Docker images.

  • Stop or start services.

  • View system resources.

  • View log files.

  • Perform file operations.

For more information about Run Command, see Amazon Systems Manager Run Command in the Amazon Systems Manager User Guide.

Run Command IAM policy

Before you can send commands to your container instances with Run Command, you must attach an IAM policy that allows ecsInstanceRole to have access to the Systems Manager APIs. The following procedure describes how to attach the Systems Manager managed policies to your container instance role so that instances launched with this role can use Run Command.

To attach the Systems Manager policies to your ecsInstanceRole

  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Roles.

  3. Choose ecsInstanceRole. If the role does not exist, follow the procedures in Amazon ECS container instance IAM role to create the role.

  4. Choose the Permissions tab.

  5. Choose Attach policies.

  6. To narrow the available policies to attach, for Filter, type SSM.

  7. In the list of policies, select the box next AmazonSSMManagedInstanceCore. This policy enables you to provide the minimum permissions that are necessary to use Systems Manager.

    For information about other policies you can provide for Systems Manager operations, see Create an IAM Instance Profile for Systems Manager in the Amazon Systems Manager User Guide.

  8. Choose Attach Policy.

Using Run Command

After you attach Systems Manager managed policies to your ecsInstanceRole and verify that Amazon Systems Manager Agent (SSM Agent) is installed on your container instances, you can start using Run Command to send commands to your container instances. For information about running commands and shell scripts on your instances and viewing the resulting output, see Running Commands Using Systems Manager Run Command and Run Command Walkthroughs in the Amazon Systems Manager User Guide.

Example: To update container instance software with Run Command

A common use case for Run Command is to update the instance software on your entire fleet of container instances at one time.

  1. Attach Systems Manager managed policies to your ecsInstanceRole.

  2. Verify that SSM Agent is installed on your container instances. For more information, see Manually install SSM Agent on EC2 instances for Linux.

  3. Open the Systems Manager console at https://console.amazonaws.cn/systems-manager.

  4. In the left navigation pane, choose Run Command, and then choose Run command.

  5. For Command document, choose AWS-RunShellScript.

  6. In the Commands section, enter the command or commands to send to your container instances. In this example, the following command updates the instance software:

    $ yum update -y
  7. In the Target instances section, select the boxes next to the container instances where you want to run the update command.

  8. Choose Run to send the command to the specified instances.

  9. (Optional) Choose the refresh icon to monitor the command status.

  10. (Optional) In Targets and output, choose the button next to the instance ID, and then choose View output.