ECS Commands
For information about the ECS Server functionality, see the ecs-server page.
Commands
setup ecs
setup ecs auth
Configures the HTTP Authentication BearerToken. Once set, all future client
requests to the ECS Server will need to provide the correct credentials.
aws-sso
utilizing the same SecureStore as the ECS Server will automatically
provide the necessary HTTP Auth header, but other AWS clients utilizing the
AWS SDK will require $AWS_CONTAINER_AUTHORIZATION_TOKEN to be set.
Flags:
--bearer-token
-- Specify the bearer token secret.--delete
-- Delete the bearer token and disable authentication.
setup ecs ssl
Configures the SSL Certificate and Private Key to enable SSL/TLS. Saves the SSL certificate and private key to the SecureStore.
Note: At this time, this feature is not recommended due to a bug in the AWS SDK.
Flags:
--delete
-- Disables SSL and deletes both the SSL certificate and private key from the Secure Store--print
-- Prints the SSL certificate--certificate
-- Path to SSL certificate file in PEM format--private-key
-- Path to SSL private key in PEM format
ecs docker start
Starts the ECS Server in a Docker container.
Flags:
--disable-auth
-- Disables HTTP Auth, even if a bearer token is available--disable-ssl
-- Disables SSL/TLS, even if a certificate and private key are available.--bind-ip
-- IP address to bind the service to. (default 127.0.0.1)--port
-- Port to listen on. (default 4144)--image
-- Docker image to use. (defaultsynfinatic/aws-sso-cli-ecs-version
)--version
-- Version of the docker image to use (default matchesaws-sso
binary version)
ecs docker stop
Stops the ECS Server Docker container.
ecs list
List the AWS Profiles stored in the ECS Server.
Flags:
--server
-- host:port of the ECS Server (defaultlocalhost:4144
)
ecs load
Load the AWS IAM Role credentials into the ECS Server for clients to use.
Flags:
--arn <arn>
,-a
-- ARN of role to assume ($AWS_SSO_ROLE_ARN
)--account <account>
,-A
-- AWS AccountID of role to assume ($AWS_SSO_ACCOUNT_ID
)--role <role>
,-R
-- Name of AWS Role to assume (requires--account
) ($AWS_SSO_ROLE_NAME
)--profile <profile>
,-p
-- Name of AWS Profile to assume--server
-- host:port of the ECS Server (defaultlocalhost:4144
)--slotted
-- Load the IAM credentials into a unique slot using the ProfileName as the key
You can provide --profile
or --arn
or (--account
and --role
) to specify the IAM role to load.
If you do not specify --slotted
, the role will be loaded into the default URL path at /
. If you
would like to load multiple roles, specify --slotted
and the role will be loaded into /slot/<profile name>
ecs profile
Fetches the ProfileName of the role stored in the default slot of the ECS Server.
Flags:
--slotted
-- Load the IAM credentials into a unique slot using the ProfileName as the key
ecs server
Starts the ECS Server in the foreground.
Flags:
--disable-auth
-- Disables HTTP Authentication, even if a Bearer Token is available--disable-ssl
-- Disables SSL/TLS, even if a certificate and private key are available
ecs unload
Removes the AWS IAM Role credentials from the ECS Server and makes them unavailable to any clients to use.
Flags:
--profile <profile>
,-p
-- Slot of AWS Profile to unload--server
-- host:port of the ECS Server (defaultlocalhost:4144
)
By default, this will unload the IAM credentials for the default role. Passing in
--profile <profile name>
will unload the credentials in the named slot.