Hi, does anyone know if it is possible to use a b...
# aws
a
Hi, does anyone know if it is possible to use a bastion server to access containers in AWS Fargate, or the best approach to establish secure connections to Fargate containers? I have found some examples of people building SSH containers and exposing them through a public IP; however, I don't like the idea of having developers use a private key to SSH into those containers. I would appreciate any hint.
p
Is the Fargate task running in ECS or in EKS? Haven't tried it myself but in EKS it might be possible to use `kubectl exec` for Fargate tasks - couldn't find a result in a quick search. https://docs.aws.amazon.com/toolkit-for-jetbrains/latest/userguide/ecs-debug.html seems quite interesting - so it must be possible to connect somehow to Fargate tasks
If normal SSH is not an option - how about the reverse principle? Running a sidecar container that connects to a service where you can tunnel to it - I've seen somewhere that someone used AWS SSM (with custom instance registration) for having a "serverless bastion". Can't remember though if he only used it to tunnel into the network, or if he used it to access aspects of the Fargate task
a
Hi @Patrick Jahns, the Fargate task is running in ECS - I will have a look at what you've suggested and maybe try to run the SSM agent as a sidecar or as a Fargate task. Thanks for the hint!