Install on Amazon ECS
The Steadybit Agent can be installed on Amazon Elastic Container Service.
and needs to run in privileged mode and network mode host
is required for the extensions.
You need to have an ECS cluster running with at least one EC2 instance.
You need to know the (private) subnet IDs where you want to place the agent and extension tasks.
The security group used by the EC2 instances needs to allow inbound traffic to the extension-host and extension-container (ports 8085 and 8086), as they run as daemon services using the host network.
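Because these extensions sit on the host network, it is worth checking which sources can actually reach ports 8085 and 8086. The following is an added example, not part of the Steadybit documentation: it audits `aws ec2 describe-security-groups` output, assuming the agent's security group should be the only permitted source; the group IDs and sample rules are constructed.

```python
import ipaddress

# Constructed sample in the shape `aws ec2 describe-security-groups` returns;
# every ID is a placeholder.
SAMPLE = {"SecurityGroups": [{
    "GroupId": "sg-ec2-instances",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8085, "ToPort": 8086,
         "UserIdGroupPairs": [{"GroupId": "sg-steadybit-agent"}]},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 9000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ]}]}

EXTENSION_PORTS = (8085, 8086)  # extension-host / extension-container ports


def covers_extension_port(rule):
    """True if an inbound rule admits TCP traffic to port 8085 or 8086."""
    if rule["IpProtocol"] == "-1":  # all protocols; AWS omits the port range
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return any(rule["FromPort"] <= p <= rule["ToPort"] for p in EXTENSION_PORTS)


def audit(groups, agent_sg):
    """List (group, source, reason) for each source other than the agent's
    security group that can reach the extension ports (assumed policy)."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for rule in filter(covers_extension_port, sg.get("IpPermissions", [])):
            for pair in rule.get("UserIdGroupPairs", []):
                if pair["GroupId"] != agent_sg:
                    findings.append((sg["GroupId"], pair["GroupId"], "unexpected security group"))
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                world = ipaddress.ip_network(cidr, strict=False).prefixlen == 0
                reason = "open to any address" if world else "CIDR source, not the agent group"
                findings.append((sg["GroupId"], cidr, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, agent_sg="sg-steadybit-agent"):
        print(*finding, sep="\t")
```

Wide port ranges and all-protocol rules are reported as well, since they include 8085 and 8086 even when those ports are never named.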
Copy the required Files
The agent needs some permissions to be able to look up extensions running in the cluster. Create an IAM role for the agent task with the following permissions:
Replace all placeholders in the JSON files with your values. All placeholders are prefixed with MY-. Take care, the placeholders are used multiple times in the JSON files.
MY-AGENT-KEY: Your agent key
MY-CLUSTER-NAME: The name of your ECS cluster
MY-PLATFORM-URL: The URL of your Steadybit platform, for SaaS use https://platform.steadybit.com
MY-REGION: The AWS region where your ECS cluster is running
MY-ACCOUNT: The AWS account ID
Register the Task Definitions
Create the Services
Agent - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow outbound traffic to the Steadybit platform and to the extensions (ports 8080-8099).
Extension Host - please replace the cluster-name. The extension will use the host network strategy and use the security group and subnets of your EC2 instances.
Extension Container - please replace the cluster-name. The extension will use the host network strategy and use the security group and subnets of your EC2 instances.
Extension HTTP - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow inbound traffic to the extension (port 8085) and outbound traffic to all ports/destinations you want to reach with the HTTP checks implemented in the extension.
Extension AWS - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow inbound traffic to the extension (port 8085).
The agent and most of the extensions can be run as an ECS service in Fargate.
Copy the required Files
The agent needs some permissions to be able to look up extensions running in the cluster. Create an IAM role for the agent task with the following permissions:
Fargate tasks need a task execution role to be able to write logs. If you don't already have an existing role, you can create one via:
Replace all placeholders in the JSON files with your values. All placeholders are prefixed with MY-. Take care, the placeholders are used multiple times in the JSON files.
MY-AGENT-KEY: Your agent key
MY-CLUSTER-NAME: The name of your ECS cluster
MY-PLATFORM-URL: The URL of your Steadybit platform, for SaaS use https://platform.steadybit.com
MY-REGION: The AWS region where your ECS cluster is running
MY-ACCOUNT: The AWS account ID
Register the Task Definitions
Create the Services
Agent - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow outbound traffic to the Steadybit platform and to the extensions (ports 8080-8099).
Extension HTTP - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow inbound traffic to the extension (port 8085) and outbound traffic to all ports/destinations you want to reach with the HTTP checks implemented in the extension.
Extension AWS - please replace the cluster-name, subnet-ids, and security-group-id with your values. The security group needs to allow inbound traffic to the extension (port 8085).
Q: How can I update the agent/extensions and force pulling a new image version when using latest?
A: aws ecs update-service --cluster <your-cluster> --service <your-service> --force-new-deployment
Q: Can I shell into the agent/extension tasks?
You need to update your service to allow it, e.g.: aws ecs update-service --service steadybit-agent --cluster <your-cluster> --enable-execute-command
The task role needs the following permissions:
ssmmessages:CreateControlChannel
ssmmessages:CreateDataChannel
ssmmessages:OpenControlChannel
ssmmessages:OpenDataChannel
The task definition needs to include initProcessEnabled in the linuxParameters, e.g.:
After that, you can shell into the agent task with aws ecs execute-command --cluster <your-cluster> --task <your-task-id> --container <container-name> --interactive --command "/bin/bash"
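The ECS Exec prerequisites listed above can be checked before enabling the feature. The following is an added example, not taken from the Steadybit documentation: it reports which of the four ssmmessages actions a task role policy does not grant and which containers lack initProcessEnabled. The task definition, the policy document and the "sidecar" container are constructed samples.

```python
from fnmatch import fnmatchcase

REQUIRED_ACTIONS = (
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
)

# Constructed samples: a task definition fragment and a task role policy.
TASK_DEF = {"containerDefinitions": [
    {"name": "steadybit-agent",
     "linuxParameters": {"initProcessEnabled": True}},
    {"name": "sidecar"},  # hypothetical second container without the flag
]}
TASK_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ssmmessages:Create*", "ssmmessages:OpenControlChannel"],
    "Resource": "*",
}]}


def allowed_patterns(policy):
    """Collect Action patterns from Allow statements (Deny, NotAction and
    Condition are not evaluated here)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be an object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            patterns += [actions] if isinstance(actions, str) else actions
    return patterns


def ecs_exec_gaps(task_def, policy):
    """Report what the ECS Exec prerequisites above still lack."""
    # IAM action names are case-insensitive and may contain wildcards.
    patterns = [p.lower() for p in allowed_patterns(policy)]
    missing = [a for a in REQUIRED_ACTIONS
               if not any(fnmatchcase(a.lower(), p) for p in patterns)]
    no_init = [c["name"] for c in task_def["containerDefinitions"]
               if not c.get("linuxParameters", {}).get("initProcessEnabled")]
    return {"missing_actions": missing, "containers_without_init": no_init}


if __name__ == "__main__":
    print(ecs_exec_gaps(TASK_DEF, TASK_ROLE_POLICY))
```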
If you would like to install the extension-aws, you need to create a new IAM role with the following permissions. Please have a look at the for the latest list of required permissions.
However, and are not compatible with AWS Fargate because they require access to the underlying compute instance which is not possible with Fargate.
can also be used with Fargate and offers some alternative actions to discover and attack ECS resources.
A: Yes, with ECS Exec, details can be found , short summary below: