"name": "environment_variable_name",
"valueFrom": "arn:aws:ssm:region:aws_account_id:parameter/parameter_name"
} ]
Network settings
dnsServers
Type: string array
Required: no
A list of DNS servers that are presented to the container. This parameter maps to Dns in the Create a container section of the Docker Remote API and the --dns option to docker run.
Note: This parameter is not supported for Windows containers or tasks using the awsvpc network mode.
"dnsServers": ["string", ...]
Storage and logging
readonlyRootFilesystem
Type: Boolean
Required: no
When this parameter is true, the container is given read-only access to its root file system. This parameter maps to ReadonlyRootfs in the Create a container section of the Docker Remote API and the --read-only option to docker run.
Note: This parameter is not supported for Windows containers.
"readonlyRootFilesystem": true|false
Container definitions
mountPoints
Type: Object Array
Required: No
The mount points for data volumes in your container.
This parameter maps to Volumes in the Create a container section of the Docker Remote API and the --volume option to docker run.
Windows containers can mount whole directories on the same drive as $env:ProgramData.
Windows containers cannot mount directories on a different drive, and a mount point cannot span drives.
sourceVolume
Type: String
Required: Yes, when mountPoints are used
The name of the volume to mount.
containerPath
Type: String
Required: Yes, when mountPoints are used
The path on the container to mount the volume at.
readOnly
Type: Boolean
Required: No
If this value is true, the container has read-only access to the volume. If this value is false, then the container can write to the volume. The default value is false.
volumesFrom
Type: Object Array
Required: No
Data volumes to mount from another container. This parameter maps to VolumesFrom in the Create a container section of the Docker Remote API and the --volumes-from option to docker run.
sourceContainer
Type: string
Required: yes, when volumesFrom is used
The name of the container to mount volumes from.
readOnly
Type: Boolean
Required: no
If this value is true, the container has read-only access to the volume. If this value is false, then the container can write to the volume. The default value is false.
"volumesFrom": [
    {
        "sourceContainer": "string",
        "readOnly": true|false
    }
]
logConfiguration
Type: LogConfiguration Object
Required: no
The log configuration specification for the container.
For example task definitions using a log configuration, see Example task definitions (p. 162).
This parameter maps to LogConfig in the Create a container section of the Docker Remote API and the --log-driver option to docker run. By default, containers use the same logging driver that the Docker daemon uses; however the container may use a different logging driver than the Docker daemon by specifying a log driver with this parameter in the container definition. To use a different logging driver for a container, the log system must be configured properly on the container instance (or on a different log server for remote logging options). For more information on the options for different supported log drivers, see Configure logging drivers in the Docker documentation.
The following should be noted when specifying a log configuration for your containers:
• Amazon ECS currently supports a subset of the logging drivers available to the Docker daemon (shown in the valid values below). Additional log drivers may be available in future releases of the Amazon ECS container agent.
• This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.
• For tasks using the Fargate launch type, because you do not have access to the underlying infrastructure your tasks are hosted on, any additional software needed must be installed outside of the task, for example the Fluentd output aggregators or a remote host running Logstash to send Gelf logs to.
"logConfiguration": {
    "logDriver": "awslogs","fluentd","gelf","json-file","journald","logentries","splunk","syslog","awsfirelens",
    "options": {"string": "string"
        ...},
    "secretOptions": [{
        "name": "string",
        "valueFrom": "string"
    }]
}
logDriver
Type: string
Valid values:
"awslogs","fluentd","gelf","json-file","journald","logentries","splunk","syslog","awsfirelens"
Required: yes, when logConfiguration is used
The log driver to use for the container. The valid values listed earlier are log drivers that the Amazon ECS container agent can communicate with by default.
For tasks using the Fargate launch type, the supported log drivers are awslogs, splunk, and awsfirelens.
For more information on using the awslogs log driver in task definitions to send your container logs to CloudWatch Logs, see Using the awslogs log driver (p. 128).
For more information about using the awsfirelens log driver, see Custom Log Routing.
This parameter requires version 1.18 of the Docker Remote API or greater on your container instance.
options
Type: string to string map
Required: no
The configuration options to send to the log driver.
When you use FireLens to route logs to an AWS service or AWS Partner Network (APN) destination for log storage and analytics, you can set log-driver-buffer-limit to limit the number of events buffered in memory. This can help resolve potential log loss, because high throughput could result in running out of memory for the buffer inside of Docker. For more information, see the section called “Fluentd buffer limit” (p. 136).
This parameter requires version 1.19 of the Docker Remote API or greater on your container instance.
secretOptions
Type: object array
Required: no
An object representing the secret to pass to the log configuration. For more information, see Specifying sensitive data (p. 149).
name
Type: String
Required: Yes
The value to set as the environment variable on the container.
valueFrom
Type: String
Required: Yes
The secret to expose to the log configuration of the container.
"logConfiguration": {
    "logDriver": "splunk",
    "options": {
        "splunk-url": "https://cloud.splunk.com:8080",
        "splunk-token": "...",
        "tag": "...",
        ...
    },
    "secretOptions": [{
        "name": "splunk-token",
        "valueFrom": "/ecs/logconfig/splunkcred"
    }]
}
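The logDriver, options and secretOptions rules above can be checked before a task definition is registered. The following linter is an added example, not part of the AWS documentation: it applies the valid values and the Fargate driver list given above and flags credential-like keys left as literals in options. The key-name hints, the policy and the sample inputs are assumptions of this example.

```python
VALID_DRIVERS = {"awslogs", "fluentd", "gelf", "json-file", "journald",
                 "logentries", "splunk", "syslog", "awsfirelens"}
FARGATE_DRIVERS = {"awslogs", "splunk", "awsfirelens"}
# Assumption of this example: option keys containing these words carry credentials.
SENSITIVE_HINTS = ("token", "password", "secret")


def lint_log_configuration(log_config, launch_type="EC2"):
    """Return a list of finding strings for one logConfiguration object."""
    findings = []
    driver = log_config.get("logDriver")
    if driver not in VALID_DRIVERS:
        findings.append(f"logDriver {driver!r} is not a valid value")
    elif launch_type == "FARGATE" and driver not in FARGATE_DRIVERS:
        findings.append(f"logDriver {driver!r} is not supported on Fargate")

    secret_names = set()
    for entry in log_config.get("secretOptions", []):
        # Both fields are required for every secretOptions entry.
        if not entry.get("name") or not entry.get("valueFrom"):
            findings.append("secretOptions entry needs both name and valueFrom")
        secret_names.add(entry.get("name"))

    for key in log_config.get("options", {}):
        if key in secret_names:
            findings.append(f"option {key!r} is set in both options and secretOptions")
        elif any(hint in key.lower() for hint in SENSITIVE_HINTS):
            findings.append(f"option {key!r} looks sensitive; reference it from secretOptions")
    return findings


# Constructed sample inputs (placeholder endpoint and token, not real values).
INLINE_TOKEN = {
    "logDriver": "splunk",
    "options": {"splunk-url": "https://splunk.example.invalid:8088",
                "splunk-token": "PLACEHOLDER-TOKEN", "tag": "web"},
}
VIA_SECRET = {
    "logDriver": "splunk",
    "options": {"splunk-url": "https://splunk.example.invalid:8088", "tag": "web"},
    "secretOptions": [{"name": "splunk-token",
                       "valueFrom": "/ecs/logconfig/splunkcred"}],
}

if __name__ == "__main__":
    for label, cfg in (("inline", INLINE_TOKEN), ("secret", VIA_SECRET)):
        print(label, lint_log_configuration(cfg, launch_type="FARGATE"))
```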
firelensConfiguration
Type: FirelensConfiguration Object
Required: No
The FireLens configuration for the container. This is used to specify and configure a log router for container logs. For more information, see Custom log routing (p. 134).
{
    "firelensConfiguration": {
        "type": "fluentd",
        "options": {
            "KeyName": ""
        }
    }
}
options
Type: String to string map
Required: No
The options to use when configuring the log router. This field is optional and can be used to specify a custom configuration file or to add additional metadata, such as the task, task definition, cluster, and container instance details to the log event. If specified, the syntax to use is "options":{"enable-ecs-log-metadata":"true|false","config-file-type":"s3|file","config-file-value":"arn:aws:s3:::mybucket/fluent.conf|filepath"}. For more information, see Creating a task definition that uses a FireLens configuration (p. 139).
type
Type: String
Required: Yes
The log router to use. The valid values are fluentd or fluentbit.
Security
user
Type: string
Required: no
The user to use inside the container. This parameter maps to User in the Create a container section of the Docker Remote API and the --user option to docker run.
You can specify the user using the following formats. If specifying a UID or GID, you must specify it as a positive integer.
• user
• user:group
• uid
• uid:gid
• user:gid
• uid:group
Note: This parameter is not supported for Windows containers.
"user": "string"
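The user formats above, together with readonlyRootFilesystem and the readOnly flags on mountPoints and volumesFrom, can be audited per container definition. The following is an added example, not part of the AWS documentation: the policy it enforces (non-root user, read-only root file system, writable mounts only at allowed paths), the allowed_writable parameter and the sample definitions are assumptions of this example, and it applies to Linux containers only.

```python
import re


def classify_user(user):
    """Classify a `user` value given in one of the six formats listed above."""
    if not user:
        return "unset"  # the image default applies, which may be root
    parts = user.split(":")
    if len(parts) > 2 or "" in parts:
        return "invalid"
    for index, part in enumerate(parts):
        if re.fullmatch(r"-?\d+", part) and int(part) <= 0:
            # IDs must be positive integers; UID 0 is reported as root instead.
            return "root" if index == 0 and int(part) == 0 else "invalid"
    return "root" if parts[0] == "root" else "non-root"


def audit_container(defn, allowed_writable=("/tmp",)):
    """Return findings for one container definition (the policy is this example's)."""
    findings = []
    if defn.get("readonlyRootFilesystem") is not True:
        findings.append("readonlyRootFilesystem is not true")
    kind = classify_user(defn.get("user"))
    if kind != "non-root":
        findings.append(f"user is {kind}")
    for mount in defn.get("mountPoints", []):
        path = mount.get("containerPath")
        # readOnly defaults to false, so an omitted key means writable.
        if not mount.get("readOnly", False) and path not in allowed_writable:
            findings.append(f"mountPoint {path} is writable")
    for source in defn.get("volumesFrom", []):
        if not source.get("readOnly", False):
            findings.append(f"volumesFrom {source.get('sourceContainer')} is writable")
    return findings


# Constructed sample definitions; names and paths are placeholders.
WEAK = {"name": "web", "user": "0:0",
        "mountPoints": [{"sourceVolume": "conf", "containerPath": "/etc/app"}],
        "volumesFrom": [{"sourceContainer": "sidecar"}]}
HARDENED = {"name": "web", "user": "1000:1000", "readonlyRootFilesystem": True,
            "mountPoints": [
                {"sourceVolume": "conf", "containerPath": "/etc/app", "readOnly": True},
                {"sourceVolume": "scratch", "containerPath": "/tmp"}],
            "volumesFrom": [{"sourceContainer": "sidecar", "readOnly": True}]}

if __name__ == "__main__":
    for label, defn in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_container(defn))
```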