
Aws Containers
Operate or migrate AWS container workloads after App Runner sunset using ECS Express Mode and documented VPC and scaling pitfalls.
Overview
Aws-containers is an agent skill most often used in Operate (also Ship, Build) that documents AWS container hosting, App Runner sunset constraints, and ECS Express Mode migration for existing App Runner customers.
Install
npx skills add https://github.com/aws/agent-toolkit-for-aws --skill aws-containers
What is this skill?
- States App Runner sunset April 30, 2026 and forbids recommending it for new projects
- Compares App Runner vs ECS Express Mode vs ECS Fargate for replacement decisions
- Requires aws sts get-caller-identity and least-privilege IAM before changes
- Covers VPC connector gotchas and auto scaling behavior for container services
- Includes step-by-step migration guide from App Runner to ECS Express Mode
- App Runner sunset April 30, 2026 per AWS availability change documentation referenced in the skill
Adoption & trust: 1.4k installs on skills.sh; 819 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are on App Runner or picking AWS containers and need authoritative sunset rules, comparisons, and migration steps without your agent recommending dead services.
Who is it for?
Solo builders maintaining legacy App Runner services or migrating the same codebase to ECS Express Mode with agent-guided checklists.
Skip if: Brand-new projects that want the simplest managed container UX—this skill tells you not to choose App Runner and expects AWS CLI fluency.
When should I use this skill?
Working on AWS App Runner, ECS Express Mode, ECS Fargate, container migration, or VPC-connected container services.
What do I get? / Deliverables
You get verified-account prerequisites, App Runner vs ECS Express vs Fargate framing, and migration-oriented infra guidance scoped to least-privilege AWS operations.
- Migration-oriented container hosting decisions
- Pre-flight account and permission checks
- VPC and scaling awareness for ECS path
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Canonical shelf is production infrastructure because the guide centers on running existing services, dependency checks, and mandatory migration off a sunset platform. Infra subphase fits account/region verification, VPC connectors, auto scaling, and ECS replacement—not one-off app feature work.
Where it fits
Diagnose VPC connector issues on a live App Runner service before cutover weekend.
Plan migration milestones ahead of the App Runner sunset deadline without taking new App Runner dependencies.
Align new ECS Express task definitions and IAM with what the toolkit documents before merging deploy scripts.
How it compares
Use instead of generic “deploy to AWS” chat that still suggests App Runner; this is a sunset-aware container ops guide, not a greenfield PaaS picker.
Common Questions / FAQ
Who is aws-containers for?
Indie and solo builders using the AWS agent toolkit who run containerized apps on AWS and need sunset-aware guidance for App Runner and ECS Express Mode.
When should I use aws-containers?
Use it in Operate when tuning VPC connectors or scaling; in Ship when planning a safe migration before a deadline; and in Build when wiring ECS integrations—especially before recommending any AWS container product to a new project.
Is aws-containers safe to install?
Treat it as operational guidance that implies AWS API and CLI access; review the Security Audits panel on this Prism page and scope IAM to the services you touch rather than full admin.
SKILL.md
# App Runner Guide

> **⚠️ App Runner was sunset April 30, 2026. No new customers. No new features. Existing customers should migrate to ECS Express Mode.**

See: [App Runner Availability Change](https://docs.aws.amazon.com/apprunner/latest/dg/apprunner-availability-change.html)

This reference file is for **existing App Runner customers** who need to operate their current services or migrate to ECS Express Mode. Do NOT recommend App Runner for new projects.

## Table of Contents

- [Verify Dependencies](#verify-dependencies)
- [Critical: App Runner Sunset Notice](#critical-app-runner-sunset-notice)
- [ECS Express Mode as Replacement](#ecs-express-mode-as-replacement)
- [Comparison: App Runner vs ECS Express Mode vs ECS Fargate](#comparison-app-runner-vs-ecs-express-mode-vs-ecs-fargate)
- [Auto Scaling Behavior](#auto-scaling-behavior)
- [VPC Connector Gotchas](#vpc-connector-gotchas)
- [Migration Guide: App Runner to ECS Express Mode](#migration-guide-app-runner-to-ecs-express-mode)
- [Security Considerations](#security-considerations)

---

## Verify Dependencies

Operators MUST confirm the following before proceeding:

| Dependency | Check Command |
|---|---|
| Correct account/region | `aws sts get-caller-identity --output json` |
| Sufficient IAM permissions | Caller MUST have permissions for the target service (App Runner or ECS). Use least-privilege scoped policies — avoid `AdministratorAccess` or `*FullAccess` managed policies. |

---

## Critical: App Runner Sunset Notice

> **App Runner is no longer accepting new customers after April 30, 2026.**
> Existing customers MAY continue using the service, but SHOULD plan migration.
> See: <https://docs.aws.amazon.com/apprunner/latest/dg/apprunner-availability-change.html>

Key implications:

- New AWS accounts created on or after April 30, 2026 are not expected to have access to create App Runner services.
  AWS documentation states the service will be "closed to new customers" but does not document the specific API-level behavior.
- Existing services continue to run but SHOULD be migrated to ECS Express Mode or ECS Fargate.
- AWS has not announced an end-of-life date for existing services, but operators SHOULD NOT start new projects on App Runner.

---

## ECS Express Mode as Replacement

ECS Express Mode (announced November 2025) provisions a complete ECS stack with a single API call:

- ECS cluster + Fargate service
- Application Load Balancer
- Auto scaling policy
- Security groups and networking

```bash
# Create an ECS Express Mode service.
# Variables are quoted so values with spaces or glob characters are passed intact.
aws ecs create-express-gateway-service \
  --service-name "$SERVICE_NAME" \
  --execution-role-arn "$EXECUTION_ROLE_ARN" \
  --infrastructure-role-arn "$INFRA_ROLE_ARN" \
  --primary-container "{\"image\":\"$IMAGE_URI\",\"containerPort\":$CONTAINER_PORT,\"secrets\":[{\"name\":\"DB_PASSWORD\",\"valueFrom\":\"$SECRET_ARN\"}]}" \
  --region "$REGION" \
  --output json
```

> **Security note:** Use the `secrets` field (referencing AWS Secrets Manager or SSM Parameter Store ARNs) for sensitive values. Do NOT pass secrets via the `environment` field — environment variables are visible in plaintext in the ECS task definition. See: [ExpressGatewayContainer API](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ExpressGatewayContainer.html)
>
> This example shows minimum required parameters. For production deployments, operators SHOULD also configure: a task role with least-privilege permissions (`--task-role-arn`), private subnets for internal services (`--network-configuration`), WAF association on the ALB, and ALB access logging.

ECS Express Mode is designed as the direct migration path for App Runner workloads. It preserves the simplicity of App Runner while providing full ECS capabilities when needed.
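
The two pre-deployment rules in this guide (no sensitive values in `environment`, no `AdministratorAccess` or `*FullAccess` managed policies) can be checked offline before the CLI call is made. The following is an added example, not part of the skill or the AWS toolkit; the function names, the name heuristic and the `{name, value}` shape of `environment` entries are assumptions, and all sample inputs are constructed.

```python
import json
import re

# Heuristic for names that suggest a sensitive value (assumption of this example).
SENSITIVE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)
# The note above asks for Secrets Manager or SSM Parameter Store ARNs in valueFrom.
SECRET_ARN = re.compile(
    r"^arn:aws[\w-]*:(secretsmanager:[^:]+:\d{12}:secret:.+|ssm:[^:]+:\d{12}:parameter/.+)$")
# Managed policy names the dependency table says to avoid.
BROAD_POLICY = re.compile(r"^(AdministratorAccess|.*FullAccess)$")

# Constructed sample inputs (placeholder account ID, image and ARNs).
WEAK = json.dumps({
    "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.0",
    "containerPort": 8080,
    "environment": [{"name": "DB_PASSWORD", "value": "example-only"},
                    {"name": "LOG_LEVEL", "value": "info"}],
    "secrets": [{"name": "API_TOKEN", "valueFrom": "example-only-literal"}],
})
HARDENED = json.dumps({
    "image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.0",
    "containerPort": 8080,
    "environment": [{"name": "LOG_LEVEL", "value": "info"}],
    "secrets": [
        {"name": "DB_PASSWORD",
         "valueFrom": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"},
        {"name": "API_TOKEN",
         "valueFrom": "arn:aws:ssm:us-east-1:123456789012:parameter/prod/api-token"}],
})


def lint_primary_container(container_json):
    """Return findings for the JSON string passed to --primary-container."""
    container = json.loads(container_json)
    findings = []
    # Assumption: environment entries are {"name", "value"} pairs.
    for var in container.get("environment", []):
        if SENSITIVE.search(var.get("name", "")):
            findings.append(f"environment:{var['name']}: plaintext in task definition, use secrets")
    for sec in container.get("secrets", []):
        if not SECRET_ARN.match(sec.get("valueFrom", "")):
            findings.append(f"secrets:{sec.get('name')}: valueFrom is not a full ARN")
    return findings


def lint_policies(policy_names):
    """Return attached managed policy names broader than least privilege."""
    return [name for name in policy_names if BROAD_POLICY.match(name)]
```

`lint_primary_container(WEAK)` reports both the plaintext `DB_PASSWORD` and the literal `valueFrom`, while `HARDENED` produces no findings; the name heuristic only catches conventionally named variables, so an empty result does not prove the `environment` block is free of secrets.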

---

## Comparison: App Runner vs ECS Express Mode vs ECS Fargate

| Feature | App Runner | ECS Express Mode | ECS Fargate (Standard) |
|---|---|---|---|
| **Setup complexity** | Minimal — single API/console action | Minimal — single API