Posted On: Jul 19, 2023

Amazon Elastic Container Service (ECS) announces domainless Group Managed Service Account (gMSA) support for Linux and Windows containers running on Amazon EC2. This integration allows applications hosted on Amazon ECS (on EC2) to easily authenticate with Microsoft Active Directory (AD) to access network shared resources. With this launch, customers can run containers that require AD authentication without joining the ECS nodes to the domain, even during autoscaling events.

Group Managed Service Account (gMSA) is a managed account that provides automatic password management, service principal name (SPN) management, and the ability to delegate management to administrators over multiple servers or instances. This allows multiple containers or resources to share an AD account without having to authenticate each container or resource individually, or without having access to network-shared resources such as SQL Server hosts, or file-shares. Previously, customers have been able to run ECS containers with gMSA by joining underlying nodes to a target AD domain. Now customers can also use a built-in plugin on the latest ECS-Optimized Windows AMIs that enables underlying nodes to retrieve gMSA credentials portable user identity and a plug-in mechanism, instead of a host computer account. Read these guides for a step-by-step walkthrough on how to use the feature on Linux containers and Windows containers on ECS.

This capability is available in all Amazon Web Services regions where Amazon ECS is available, including the Amazon Web Services China (Beijing) Region, operated by Sinnet and the Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more and to get started, please refer to the public documentation for using gMSAs for Linux containers and Windows containers.