Traefik & AWS ECS

Attach labels to your ECS containers and let Traefik do the rest!

Configuring ECS provider

Enabling the ECS provider:

File (YAML)

File (TOML)

[providers.ecs]

CLI

--providers.ecs=true

Traefik needs the following policy to read ECS information:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TraefikECSReadAccess",
            "Effect": "Allow",
            "Action": [
                "ecs:ListClusters",
                "ecs:DescribeClusters",
                "ecs:ListTasks",
                "ecs:DescribeTasks",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeTaskDefinition",
                "ec2:DescribeInstances",
                "ssm:DescribeInstanceInformation"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

ECS Anywhere

Please note that the ssm:DescribeInstanceInformation action is required for ECS anywhere instances discovery.

Optional, Default=false

Search for services in cluster list.

• If set to true service discovery is enabled for all clusters.
• If set to false service discovery is enabled on configured clusters only.

File (YAML)

providers:
  ecs:
    # ...

File (TOML)

[providers.ecs]
  autoDiscoverClusters = true
  # ...

CLI

--providers.ecs.autoDiscoverClusters=true
# ...

ecsAnywhere

Optional, Default=false

Enable ECS Anywhere support.

• If set to true service discovery is enabled for ECS Anywhere instances.
• If set to false service discovery is disabled for ECS Anywhere instances.

File (YAML)

  ecs:
    ecsAnywhere: true
    # ...

[providers.ecs]
  ecsAnywhere = true
  # ...

CLI

--providers.ecs.ecsAnywhere=true
# ...

Optional, Default=[“default”]

Search for services in cluster list. This option is ignored if autoDiscoverClusters is set to true.

File (YAML)

providers:
  ecs:
    clusters:
      - default
    # ...

File (TOML)

CLI

--providers.ecs.clusters=default
# ...

exposedByDefault

Optional, Default=true

Expose ECS services by default in Traefik.

If set to false, services that do not have a traefik.enable=true label are ignored from the resulting routing configuration.

File (YAML)

providers:
  ecs:
    exposedByDefault: false
    # ...

File (TOML)

[providers.ecs]
  exposedByDefault = false
  # ...

CLI

--providers.ecs.exposedByDefault=false
# ...

Optional, Default=””

The constraints option can be set to an expression that Traefik matches against the container labels (task), to determine whether to create any route for that container. If none of the container labels match the expression, no route for that container is created. If the expression is empty, all detected containers are included.

The expression syntax is based on the Label("key", "value"), and LabelRegex("key", "value") functions, as well as the usual boolean logic, as shown in examples below.

Constraints Expression Examples

# Includes only containers having a label with key `a.label.name` and value `foo`
constraints = "Label(`a.label.name`, `foo`)"

# Excludes containers having any label with key `a.label.name` and value `foo`
constraints = "!Label(`a.label.name`, `value`)"

# With logical AND.
constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"

constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"

# With logical AND and OR, with precedence set by parentheses.
constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"

# Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
constraints = "LabelRegex(`a.label.name`, `a.+`)"

For additional information, refer to Restrict the Scope of Service Discovery.

File (TOML)

  constraints = "Label(`a.label.name`,`foo`)"
  # ...

CLI

--providers.ecs.constraints=Label(`a.label.name`,`foo`)
# ...

defaultRule

Optional, Default=Host(`{{ normalize .Name }}`)

The defaultRule option defines what routing rule to apply to a container if no rule is defined by a label.

It must be a valid Go template, and can use . The container service name can be accessed with the Name identifier, and the template has access to all the labels defined on this container.

File (YAML)

providers:
  ecs:
    defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
    # ...

File (TOML)

[providers.ecs]
  defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
  # ...

CLI

--providers.ecs.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
# ...

Optional, Default=15

Polling interval (in seconds).

File (YAML)

providers:
  ecs:
    refreshSeconds: 15
    # ...

File (TOML)

[providers.ecs]
  refreshSeconds = 15
  # ...

CLI

--providers.ecs.refreshSeconds=15
# ...

Credentials

Optional

If region is not provided, it is resolved from the EC2 metadata endpoint for EC2 tasks. In a FARGATE context it is resolved from the AWS_REGION environment variable.

If accessKeyID and secretAccessKey are not provided, credentials are resolved in the following order:

• Using the environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.
• Using shared credentials, determined by AWS_PROFILE and AWS_SHARED_CREDENTIALS_FILE, defaults to default and ~/.aws/credentials.
• Using EC2 instance role or ECS task role

File (YAML)

providers:
  ecs:
    region: us-east-1
    accessKeyID: "abc"
    secretAccessKey: "123"
    # ...

[providers.ecs]
  region = "us-east-1"
  secretAccessKey = "123"

CLI