ECS backend

Træfɪk can be configured to use Amazon ECS as a backend configuration:

  1. ################################################################
  2. # ECS configuration backend
  3. ################################################################
  5. # Enable ECS configuration backend
  6. #
  7. # Optional
  8. #
  9. [ecs]
  11. # ECS Cluster Name
  12. #
  13. # Optional
  14. # Default: "default"
  15. #
  16. Cluster = "default"
  18. # Enable watch ECS changes
  19. #
  20. # Optional
  21. # Default: true
  22. #
  23. Watch = true
  25. # Polling interval (in seconds)
  26. #
  27. # Optional
  28. # Default: 15
  29. #
  30. RefreshSeconds = 15
  32. # Expose ECS services by default in traefik
  33. #
  34. # Optional
  35. # Default: true
  36. #
  37. ExposedByDefault = false
  39. # Region to use when connecting to AWS
  40. #
  41. # Optional
  42. #
  43. # Region = "us-east-1"
  45. # AccessKeyID to use when connecting to AWS
  46. #
  47. # Optional
  48. #
  49. # AccessKeyID = "abc"
  51. # SecretAccessKey to use when connecting to AWS
  52. #
  53. # Optional
  54. #
  55. # SecretAccessKey = "123"

Labels can be used on task containers to override default behaviour:

  • traefik.protocol=https: override the default http protocol
  • traefik.weight=10: assign this weight to the container
  • traefik.enable=false: disable this container in Træfɪk
  • traefik.frontend.rule=Host:test.traefik.io: override the default frontend rule (Default: Host:{containerName}.{domain}).
  • traefik.frontend.passHostHeader=true: forward client Host header to the backend.
  • traefik.frontend.priority=10: override default frontend priority

  • traefik.frontend.entryPoints=http,https: assign this frontend to entry points http and https. Overrides defaultEntryPoints.
    If AccessKeyID/SecretAccessKey is not given credentials will be resolved in the following order:

  • From environment variables; AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN.

  • Shared credentials, determined by AWS_PROFILE and AWS_SHARED_CREDENTIALS_FILE, defaults to default and ~/.aws/credentials.
  • EC2 instance role or ECS task role
    Træfɪk needs the following policy to read ECS information:
  1. {
  2.     "Version": "2012-10-17",
  3.     "Statement": [
  4.         {
  5.             "Sid": "Traefik ECS read access",
  6.             "Effect": "Allow",
  7.             "Action": [
  8.                 "ecs:ListTasks",
  9.                 "ecs:DescribeTasks",
  10.                 "ecs:DescribeContainerInstances",
  11.                 "ecs:DescribeTaskDefinition",
  12.                 "ec2:DescribeInstances"
  13.             ],
  14.             "Resource": [
  15.                 "*"
  16.             ]
  17.         }
  18.     ]
  19. }