Skip to main content

ECS container HTTP status code

Last updated on

ECS container HTTP status code is an AWS chaos fault that returns the configured HTTP STATUS_CODE (and optionally rewrites the body when MODIFY_RESPONSE_BODY=true) for every request on TARGET_SERVICE_PORT inside a percentage of running ECS tasks (EC2 launch type) for a configurable duration. The fault interposes a transparent HTTP proxy on the container instance, scoped to the target container via ECS container metadata and dispatched via AWS Systems Manager Run Command.

Use this fault to test how HTTP clients behave when the service returns an unexpected status code (5xx outage, 4xx client error, 3xx redirect): whether retries engage, whether circuit breakers protect downstream systems, and whether dashboards and alarms correctly identify the failure mode.

Run your first experiment

If you have not configured the chaos infrastructure yet, go to Quickstart to install the chaos infrastructure and run an experiment end to end.

Use cases

Run this fault when you want to answer concrete questions like:

  • 5xx handling: When the service returns 503, do clients retry with appropriate backoff and does the circuit breaker engage?
  • 4xx handling: When the service returns 404 or 401 unexpectedly, do clients surface a clear error and stop retrying?
  • Redirect handling: When the service returns 302, do clients follow the redirect safely?
  • Load balancer health checks: Does the target group mark the affected tasks unhealthy and route traffic away?
  • Monitoring fidelity: Do alarms on HTTPCode_Target_5XX_Count (or equivalent) fire as expected?

Prerequisites

  • Kubernetes version: 1.21 or later for the chaos infrastructure cluster. Go to What's supported to confirm distribution support.
  • Target ECS service or cluster: CLUSTER_NAME exists in REGION and uses the EC2 launch type.
  • Container instances are SSM-managed.
  • ECS container metadata enabled.
  • AWS credentials available: Either an AWS credentials file uploaded as a File Secret in Harness Secret Manager (see Authentication below) or an IAM role for service accounts (IRSA) bound to the chaos infrastructure service account.
  • IAM permissions granted: The credentials or role include the permissions listed below.

Supported environments

PlatformSupport status
Amazon ECS on EC2 launch typeSupported
Amazon ECS on Fargate launch typeNot supported
HTTP/1.1 and HTTP/2 traffic on TARGET_SERVICE_PORTSupported
HTTPS terminated inside the containerNot supported
Linux container instancesSupported
Windows container instancesNot supported
AWS regionsSupported in every commercial region; pass the region in REGION

Permissions required

The IAM principal that the chaos pod uses (the credentials mounted from the Harness Secret Manager file secret, the IRSA role on the chaos service account, or the role assumed via ASSUME_ROLE_ARN) needs the following AWS actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeClusters",
        "ecs:DescribeServices",
        "ecs:DescribeTasks",
        "ecs:ListTasks",
        "ecs:ListContainerInstances",
        "ecs:DescribeContainerInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:SendCommand",
        "ssm:CancelCommand",
        "ssm:GetCommandInvocation",
        "ssm:DescribeInstanceInformation"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2messages:AcknowledgeMessage",
        "ec2messages:DeleteMessage",
        "ec2messages:FailMessage",
        "ec2messages:GetEndpoint",
        "ec2messages:GetMessages",
        "ec2messages:SendReply"
      ],
      "Resource": "*"
    }
  ]
}

Go to common policy for all AWS faults to use a single superset IAM policy across every AWS fault.

Authentication

The fault supports three credential delivery models. Pick one based on how your chaos infrastructure is deployed.

MethodWhen to use itHow to configure
Harness Secret Manager file secretChaos infrastructure runs outside EKS, or you want explicit static credentialsUpload the AWS credentials file as a File Secret in Harness Secret Manager and reference its identifier via AWS_AUTHENTICATION_SECRET
IAM Roles for Service Accounts (IRSA)Chaos infrastructure runs in EKS and uses an OIDC-bound service accountNo tunable changes; the chaos pod inherits the role automatically. Go to AWS IAM integration to set it up
Assume roleThe fault needs to act in a different account or with elevated permissionsSet ASSUME_ROLE_ARN to the role ARN; the chaos pod assumes the role on top of its base credentials

When using the Harness Secret Manager method, the contents of the File Secret should be the AWS credentials file in the standard ~/.aws/credentials format:

[default]
aws_access_key_id = REPLACE_WITH_ACCESS_KEY_ID
aws_secret_access_key = REPLACE_WITH_SECRET_ACCESS_KEY

Upload this file as a File Secret in Harness Secret Manager (Project Setup → Secrets → New File Secret), and pass the secret identifier in AWS_AUTHENTICATION_SECRET when configuring the fault.

Go to AWS named profile for chaos to switch between profiles inside a single credentials file.

Fault tunables

Configure the following fault parameters when you add ECS container HTTP status code to an experiment in Chaos Studio. Defaults are shown for reference.

Required parameters

TunableDescriptionDefault
CLUSTER_NAMEName of the target ECS cluster.(required)
REGIONAWS region that hosts the ECS cluster (for example us-east-1).(required)

Targeting parameters

TunableDescriptionDefault
SERVICE_NAMEName of the target ECS service. When set, the fault selects TASK_REPLICA_AFFECTED_PERC of the service's running tasks.""
TASK_REPLICA_IDID of a specific task replica to target.""
TASK_REPLICA_AFFECTED_PERCPercentage of running tasks to affect when SERVICE_NAME is set.100

Chaos parameters

TunableDescriptionDefault
STATUS_CODEHTTP status code the proxy returns for every intercepted request (for example 503, 404, 429).503
MODIFY_RESPONSE_BODYWhen true, the proxy also replaces the response body with a chaos string aligned with the status code. When false, the original body is forwarded with the chaos status code.true
TARGET_SERVICE_PORTTCP port the affected container serves on.80
PROXY_PORTPort the chaos proxy listens on inside the container.20000
NETWORK_INTERFACENetwork interface inside the container on which to install the redirect rules. auto discovers the primary interface.auto
TOTAL_CHAOS_DURATIONDuration of the fault in seconds.60
INSTALL_DEPENDENCIESInstall the proxy and networking tooling on each container instance if missing.true
SEQUENCEOrder in which multiple tasks are affected: parallel installs the proxy on all selected tasks at once; serial does so one at a time.parallel
RAMP_TIMEWait period in seconds before and after the fault. Go to ramp time to read how it is applied.0

Authentication

TunableDescriptionDefault
ASSUME_ROLE_ARNARN of an IAM role to assume on top of the base credentials. Leave empty to use the base credentials directly.""
AWS_AUTHENTICATION_SECRETIdentifier of the File Secret in Harness Secret Manager that contains the AWS credentials file. Not required when using IRSA.""

Tunables that apply to every fault are documented in common tunables for all faults. AWS-specific shared tunables are documented in common AWS fault tunables.

Fault execution in brief

Resolves the running tasks for SERVICE_NAME (or the explicit TASK_REPLICA_ID), picks TASK_REPLICA_AFFECTED_PERC of them, and dispatches a transparent HTTP proxy via AWS Systems Manager Run Command into the affected container. New HTTP requests on TARGET_SERVICE_PORT are redirected through the proxy on PROXY_PORT; the proxy returns STATUS_CODE (and a chaos body when MODIFY_RESPONSE_BODY=true) without forwarding the request to the application. After TOTAL_CHAOS_DURATION seconds the proxy is stopped and the redirect rules are removed.

Expected behavior during fault execution

  • HTTP clients of the affected containers receive STATUS_CODE for every request.
  • Load balancers and ingress controllers that key health off status code may mark the tasks unhealthy.
  • Client-side error counters (5xx, 4xx) rise; retries and circuit breakers may engage.
  • Application logs on the server side do not show the requests because the proxy short-circuits them.
When the fault ends

The chaos pod stops the proxy and removes the redirect rules. New requests get the real response again.

Signals to watch

Attach resilience probes to assert each layer:

  • HTTP status code: Use an HTTP probe and assert the expected STATUS_CODE during the chaos window.
  • Client error counters: Use a Prometheus probe on client-side 5xx/4xx counters.
  • Circuit breaker state: Use a Prometheus probe on circuit breaker open/closed counters.
  • Load balancer health: Use a Prometheus probe on aws_applicationelb_unhealthy_host_count to confirm the LB detected the failure.

Verify the fault execution effect

While the experiment is running, confirm the chaos status code is returned:

  1. Probe with curl.

    curl -i http://<service-endpoint>:<port>/

    The status code should equal STATUS_CODE during the chaos window.

  2. Inspect the redirect rules on the host (via SSM).

    aws ssm send-command \
      --region <region> \
      --document-name AWS-RunShellScript \
      --instance-ids <container-instance-id> \
      --parameters 'commands=["iptables -t nat -L PREROUTING -n"]'

  3. Inspect SSM command status.

    aws ssm list-command-invocations --region <region> --details --filters "key=Status,value=InProgress"

Recovery and cleanup

  • End of duration: The chaos pod stops the proxy and removes the redirect rules on each host.
  • Abort the experiment: Stopping the experiment from Chaos Studio cancels the SSM command and removes the proxy.
  • Manual recovery: If the fault exits before cleanup, remove the redirect rules and kill the proxy process via SSM.
  • Workload recovery: Clients that opened circuit breakers during the chaos window need their breakers to close before they retry normally; consult the breaker's reset policy.

Limitations

  • EC2 launch type only.
  • Container metadata must be enabled.
  • SSM-managed hosts only.
  • Linux-only.
  • HTTPS terminated inside the container is not supported.
  • One port per experiment: The proxy intercepts only TARGET_SERVICE_PORT.
  • Cross-region targeting: A single experiment targets one region (the value of REGION).

Troubleshooting

ECS container HTTP status code fails with AccessDeniedException in Harness Chaos Engineering

The credentials supplied to the chaos pod do not have the required ECS or SSM permissions. Confirm the IAM policy attached to the user, role, or IRSA service account includes ecs:DescribeServices, ecs:DescribeTasks, ssm:SendCommand, and ssm:GetCommandInvocation.

Client still sees the original status code during the chaos window

The most common causes are: the client connects on a different port (set TARGET_SERVICE_PORT correctly); the client used a pre-existing pooled connection that escaped the proxy; the request goes through a CDN or cache that returned a cached response; or the proxy could not install the redirect rule (check NETWORK_INTERFACE). Force a fresh connection from the client and disable caching for the test.

Load balancer takes the entire service offline during the chaos window

If you set TASK_REPLICA_AFFECTED_PERC=100 and STATUS_CODE in the 5xx range, the target group will mark every task unhealthy and the load balancer will fail all requests. Lower TASK_REPLICA_AFFECTED_PERC to a fraction (for example 33) so the experiment is realistic without an outage, or use a non-5xx STATUS_CODE that does not affect target health.

Redirect rules remain after the chaos window

If the cleanup SSM command failed, the iptables PREROUTING redirect rules may persist on the container instance. Send an SSM AWS-RunShellScript command to the affected container instance that flushes the iptables NAT PREROUTING chain. The exact command is recorded in the chaos pod logs.