traefik/docs/content/providers/ecs.md

# Traefik & AWS ECS

A Story of Labels & Elastic Containers
{: .subtitle }

Attach labels to your ECS containers and let Traefik do the rest!

## Configuration Examples

??? example "Configuring ECS provider"

    Enabling the ECS provider:
    
    ```toml tab="File (TOML)"
    [providers.ecs]
    ```
    
    ```yaml tab="File (YAML)"
    providers:
      ecs: {}
    ```
    
    ```bash tab="CLI"
    --providers.ecs=true
    ```

## Policy

Traefik needs the following policy to read ECS information:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TraefikECSReadAccess",
            "Effect": "Allow",
            "Action": [
                "ecs:ListClusters",
                "ecs:DescribeClusters",
                "ecs:ListTasks",
                "ecs:DescribeTasks",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeTaskDefinition",
                "ec2:DescribeInstances"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## Provider configuration

### `autoDiscoverClusters`

_Optional, Default=false_

```toml tab="File (TOML)"
[providers.ecs]
  autoDiscoverClusters = true
  # ...
```

```yaml tab="File (YAML)"
providers:
  ecs:
    autoDiscoverClusters: true
    # ...
```

```bash tab="CLI"
--providers.ecs.autoDiscoverClusters=true
# ...
```

Search for services in clusters list.

- If set to `true` the configured clusters will be ignored and the clusters will be discovered.
- If set to `false` the services will be discovered only in configured clusters.

### `clusters`

_Optional, Default=["default"]_

```toml tab="File (TOML)"
[providers.ecs]
  cluster = ["default"]
  # ...
```

```yaml tab="File (YAML)"
providers:
  ecs:
    clusters:
      - default
    # ...
```

```bash tab="CLI"
--providers.ecs.clusters=default
# ...
```

Search for services in clusters list.

### `exposedByDefault`

_Optional, Default=true_

```toml tab="File (TOML)"
[providers.ecs]
  exposedByDefault = false
  # ...
```

```yaml tab="File (YAML)"
providers:
  ecs:
    exposedByDefault: false
    # ...
```

```bash tab="CLI"
--providers.ecs.exposedByDefault=false
# ...
```

Expose ECS services by default in Traefik.
If set to false, services that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.

### `defaultRule`

_Optional, Default=```Host(`{{ normalize .Name }}`)```_

```toml tab="File (TOML)"
[providers.ecs]
  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
  # ...
```

```yaml tab="File (YAML)"
providers:
  ecs:
    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
    # ...
```

```bash tab="CLI"
--providers.ecs.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
# ...
```

For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
It must be a valid [Go template](https://golang.org/pkg/text/template/),
augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
The service name can be accessed as the `Name` identifier,
and the template has access to all the labels defined on this container.

### `refreshSeconds`

_Optional, Default=15_

```toml tab="File (TOML)"
[providers.ecs]
  refreshSeconds = 15
  # ...
```

```yaml tab="File (YAML)"
providers:
  ecs:
    refreshSeconds: 15
    # ...
```

```bash tab="CLI"
--providers.ecs.refreshSeconds=15
# ...
```

Polling interval (in seconds).

### Credentials

_Optional_

```toml tab="File (TOML)"
[providers.ecs]
  region = "us-east-1"
  accessKeyID = "abc"
  secretAccessKey = "123"
```

```yaml tab="File (YAML)"
providers:
  ecs:
    region: us-east-1
    accessKeyID: "abc"
    secretAccessKey: "123"
    # ...
```

```bash tab="CLI"
--providers.ecs.region="us-east-1"
--providers.ecs.accessKeyID="abc"
--providers.ecs.secretAccessKey="123"
# ...
```

If `region` is not provided, it will be resolved from the EC2 metadata endpoint for EC2 tasks. 
In a FARGATE context it will be resolved from the `AWS_REGION` env variable.

If `accessKeyID` / `secretAccessKey` are not provided, credentials will be resolved in the following order:

- From environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
- Shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to default and `~/.aws/credentials`.
- EC2 instance role or ECS task role
Add AWS ECS provider * add ecs provider * add ecs docs * fix test after rebase * add provider icon * add missing addProvider call * Fix for review * Fix documentation * Fix for review * Fix documentation * fix ctx usage * autoDiscoverClusters setDefaults false * Fix for review * review: doc. * Fix for review: add ctx in backoff retry * review: linter. Co-authored-by: Michael <michael.matur@gmail.com> Co-authored-by: romain <romain@containo.us> Co-authored-by: Fernandez Ludovic <ludovic@containo.us> 2020-07-15 14:28:04 +00:00			`# Traefik & AWS ECS`

			`A Story of Labels & Elastic Containers`
			`{: .subtitle }`

			`Attach labels to your ECS containers and let Traefik do the rest!`

			`## Configuration Examples`

			`??? example "Configuring ECS provider"`

			`Enabling the ECS provider:`

			```toml tab="File (TOML)"
			`[providers.ecs]`
			```

			```yaml tab="File (YAML)"
			`providers:`
Fix missing allow-empty tag on ECS and Consul Catalog providers Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com> 2020-11-18 23:12:03 +00:00			`ecs: {}`
Add AWS ECS provider * add ecs provider * add ecs docs * fix test after rebase * add provider icon * add missing addProvider call * Fix for review * Fix documentation * Fix for review * Fix documentation * fix ctx usage * autoDiscoverClusters setDefaults false * Fix for review * review: doc. * Fix for review: add ctx in backoff retry * review: linter. Co-authored-by: Michael <michael.matur@gmail.com> Co-authored-by: romain <romain@containo.us> Co-authored-by: Fernandez Ludovic <ludovic@containo.us> 2020-07-15 14:28:04 +00:00			```

			```bash tab="CLI"
Fix missing allow-empty tag on ECS and Consul Catalog providers Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com> 2020-11-18 23:12:03 +00:00			`--providers.ecs=true`
Add AWS ECS provider * add ecs provider * add ecs docs * fix test after rebase * add provider icon * add missing addProvider call * Fix for review * Fix documentation * Fix for review * Fix documentation * fix ctx usage * autoDiscoverClusters setDefaults false * Fix for review * review: doc. * Fix for review: add ctx in backoff retry * review: linter. Co-authored-by: Michael <michael.matur@gmail.com> Co-authored-by: romain <romain@containo.us> Co-authored-by: Fernandez Ludovic <ludovic@containo.us> 2020-07-15 14:28:04 +00:00			```

			`## Policy`

			`Traefik needs the following policy to read ECS information:`

			```json
			`{`
			`"Version": "2012-10-17",`
			`"Statement": [`
			`{`
			`"Sid": "TraefikECSReadAccess",`
			`"Effect": "Allow",`
			`"Action": [`
			`"ecs:ListClusters",`
			`"ecs:DescribeClusters",`
			`"ecs:ListTasks",`
			`"ecs:DescribeTasks",`
			`"ecs:DescribeContainerInstances",`
			`"ecs:DescribeTaskDefinition",`
			`"ec2:DescribeInstances"`
			`],`
			`"Resource": [`
			`"*"`
			`]`
			`}`
			`]`
			`}`
			```

			`## Provider configuration`

			### `autoDiscoverClusters`

			`_Optional, Default=false_`

			```toml tab="File (TOML)"
			`[providers.ecs]`
			`autoDiscoverClusters = true`
			`# ...`
			```

			```yaml tab="File (YAML)"
			`providers:`
			`ecs:`
			`autoDiscoverClusters: true`
			`# ...`
			```

			```bash tab="CLI"
			`--providers.ecs.autoDiscoverClusters=true`
			`# ...`
			```

Fix documenation for ECS 2020-07-28 08:44:05 +00:00			`Search for services in clusters list.`

			- If set to `true` the configured clusters will be ignored and the clusters will be discovered.
			- If set to `false` the services will be discovered only in configured clusters.

			### `clusters`

			`_Optional, Default=["default"]_`

			```toml tab="File (TOML)"
			`[providers.ecs]`
			`cluster = ["default"]`
			`# ...`
			```

			```yaml tab="File (YAML)"
			`providers:`
			`ecs:`
			`clusters:`
			`- default`
			`# ...`
			```

			```bash tab="CLI"
			`--providers.ecs.clusters=default`
			`# ...`
			```

			`Search for services in clusters list.`
Add AWS ECS provider * add ecs provider * add ecs docs * fix test after rebase * add provider icon * add missing addProvider call * Fix for review * Fix documentation * Fix for review * Fix documentation * fix ctx usage * autoDiscoverClusters setDefaults false * Fix for review * review: doc. * Fix for review: add ctx in backoff retry * review: linter. Co-authored-by: Michael <michael.matur@gmail.com> Co-authored-by: romain <romain@containo.us> Co-authored-by: Fernandez Ludovic <ludovic@containo.us> 2020-07-15 14:28:04 +00:00
			### `exposedByDefault`

			`_Optional, Default=true_`

			```toml tab="File (TOML)"
			`[providers.ecs]`
			`exposedByDefault = false`
			`# ...`
			```

			```yaml tab="File (YAML)"
			`providers:`
			`ecs:`
			`exposedByDefault: false`
			`# ...`
			```

			```bash tab="CLI"
			`--providers.ecs.exposedByDefault=false`
			`# ...`
			```

			`Expose ECS services by default in Traefik.`
			If set to false, services that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.

			### `defaultRule`

			_Optional, Default=```Host(`{{ normalize .Name }}`)```_

			```toml tab="File (TOML)"
			`[providers.ecs]`
			defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
			`# ...`
			```

			```yaml tab="File (YAML)"
			`providers:`
			`ecs:`
			defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
			`# ...`
			```

			```bash tab="CLI"
			--providers.ecs.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
			`# ...`
			```

			`For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.`
			`It must be a valid [Go template](https://golang.org/pkg/text/template/),`
			`augmented with the [sprig template functions](http://masterminds.github.io/sprig/).`
			The service name can be accessed as the `Name` identifier,
			`and the template has access to all the labels defined on this container.`

			### `refreshSeconds`

			`_Optional, Default=15_`

			```toml tab="File (TOML)"
			`[providers.ecs]`
			`refreshSeconds = 15`
			`# ...`
			```

			```yaml tab="File (YAML)"
			`providers:`
			`ecs:`
			`refreshSeconds: 15`
			`# ...`
			```

			```bash tab="CLI"
			`--providers.ecs.refreshSeconds=15`
			`# ...`
			```

			`Polling interval (in seconds).`

			`### Credentials`

			`_Optional_`

			```toml tab="File (TOML)"
			`[providers.ecs]`
			`region = "us-east-1"`
			`accessKeyID = "abc"`
			`secretAccessKey = "123"`
			```

			```yaml tab="File (YAML)"
			`providers:`
			`ecs:`
			`region: us-east-1`
			`accessKeyID: "abc"`
			`secretAccessKey: "123"`
			`# ...`
			```

			```bash tab="CLI"
			`--providers.ecs.region="us-east-1"`
			`--providers.ecs.accessKeyID="abc"`
			`--providers.ecs.secretAccessKey="123"`
			`# ...`
			```

Improve region resolution for ECS provider Co-authored-by: Romain <rtribotte@users.noreply.github.com> 2020-08-05 09:52:03 +00:00			If `region` is not provided, it will be resolved from the EC2 metadata endpoint for EC2 tasks.
			In a FARGATE context it will be resolved from the `AWS_REGION` env variable.

			If `accessKeyID` / `secretAccessKey` are not provided, credentials will be resolved in the following order:
Add AWS ECS provider * add ecs provider * add ecs docs * fix test after rebase * add provider icon * add missing addProvider call * Fix for review * Fix documentation * Fix for review * Fix documentation * fix ctx usage * autoDiscoverClusters setDefaults false * Fix for review * review: doc. * Fix for review: add ctx in backoff retry * review: linter. Co-authored-by: Michael <michael.matur@gmail.com> Co-authored-by: romain <romain@containo.us> Co-authored-by: Fernandez Ludovic <ludovic@containo.us> 2020-07-15 14:28:04 +00:00
			- From environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
			- Shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to default and `~/.aws/credentials`.
			`- EC2 instance role or ECS task role`