Backend Service

List of all available properties for a 'Backend Service' manifest. To learn about Copilot services, see the Services concept page.

Sample manifest for an api service
# Your service name will be used in naming your resources like log groups, ECS services, etc.
name: api
type: Backend Service

# Your service is reachable at "http://api.${COPILOT_SERVICE_DISCOVERY_ENDPOINT}:8080" but is not public.

# Configuration for your containers and service.
  build: ./api/Dockerfile
  port: 8080
    command: ["CMD-SHELL", "curl -f http://localhost:8080 || exit 1"]
    interval: 10s
    retries: 2
    timeout: 5s
    start_period: 0s

cpu: 256
memory: 512
count: 1
exec: true

      path: '/etc/mount1'
      read_only: true
        id: fs-12345678
        root_dir: '/'
          iam: true
          access_point_id: fsap-12345678

    placement: 'private'
    security_groups: ['sg-05d7cd12cceeb9a6e']

  LOG_LEVEL: info

# You can override any of the values defined above by environment.
      spot: 2
    count: 2

name String The name of your service.

type String
The architecture type for your service. Backend Services are not reachable from the internet, but can be reached with service discovery from your other services.

image Map
The image section contains parameters relating to the Docker build configuration and exposed port. String or Map
If you specify a string, Copilot interprets it as the path to your Dockerfile. It will assume that the dirname of the string you specify should be the build context. The manifest:

  build: path/to/dockerfile
will result in the following call to docker build: $ docker build --file path/to/dockerfile path/to

You can also specify build as a map:

    dockerfile: path/to/dockerfile
    context: context/dir
    target: build-stage
      - image:tag
      key: value
In this case, Copilot will use the context directory you specified and convert the key-value pairs under args to --build-arg overrides. The equivalent docker build call will be: $ docker build --file path/to/dockerfile --target build-stage --cache-from image:tag --build-arg key=value context/dir.

You can omit fields and Copilot will do its best to understand what you mean. For example, if you specify context but not dockerfile, Copilot will run Docker in the context directory and assume that your Dockerfile is named "Dockerfile." If you specify dockerfile but no context, Copilot assumes you want to run Docker in the directory that contains dockerfile.

All paths are relative to your workspace root.

image.location String
Instead of building a container from a Dockerfile, you can specify an existing image name. Mutually exclusive with The location field follows the same definition as the image parameter in the Amazon ECS task definition.

image.credentials String An optional credentials arn for private repository. The credentials field follows the same definition as the credentialsParameter in the Amazon ECS task definition.

image.port Integer
The port exposed in your Dockerfile. Copilot should parse this value for you from your EXPOSE instruction.

image.labels Map
An optional key/value map of Docker labels to add to the container.

image.depends_on Map
An optional key/value map of Container Dependencies to add to the container. The key of the map is a container name and the value is the condition to depend on. Valid conditions are: start, healthy, complete, and success. You cannot specify a complete or success dependency on an essential container.


Container health checks for sidecars are not currently supported in Copilot. This means that healthy is not a valid sidecar dependency condition.

For example:

  build: ./Dockerfile
    nginx: start
    startup: success
In the above example, the task's main container will only start after the nginx sidecar has started and the startup container has completed successfully.

image.healthcheck Map
Optional configuration for container health checks.

image.healthcheck.command Array of Strings
The command to run to determine if the container is healthy. The string array can start with CMD to execute the command arguments directly, or CMD-SHELL to run the command with the container's default shell.

image.healthcheck.interval Duration
Time period between health checks, in seconds. Default is 10s.

image.healthcheck.retries Integer
Number of times to retry before container is deemed unhealthy. Default is 2.

image.healthcheck.timeout Duration
How long to wait before considering the health check failed, in seconds. Default is 5s.

image.healthcheck.start_period Duration
Grace period within which to provide containers time to bootstrap before failed health checks count towards the maximum number of retries. Default is 0s.

entrypoint String or Array of Strings
Override the default entrypoint in the image.

# String version.
entrypoint: "/bin/entrypoint --p1 --p2"
# Alteratively, as an array of strings.
entrypoint: ["/bin/entrypoint", "--p1", "--p2"]

command String or Array of Strings
Override the default command in the image.

# String version.
command: ps au
# Alteratively, as an array of strings.
command: ["ps", "au"]

cpu Integer
Number of CPU units for the task. See the Amazon ECS docs for valid CPU values.

memory Integer
Amount of memory in MiB used by the task. See the Amazon ECS docs for valid memory values.

platform String
Operating system and architecture (formatted as [os]/[arch]) to pass with docker build --platform.

count Integer or Map
If you specify a number:

count: 5
The service will set the desired count to 5 and maintain 5 tasks in your service. Integer

If you want to use Fargate Spot capacity to run your services, you can specify a number under the spot subfield:

  spot: 5

Alternatively, you can specify a map for setting up autoscaling:

  range: 1-10
  cpu_percentage: 70
  memory_percentage: 80
  requests: 10000
  response_time: 2s

count.range String or Map
You can specify a minimum and maximum bound for the number of tasks your service should maintain, based on the values you specify for the metrics.

  range: n-m
This will set up an Application Autoscaling Target with the MinCapacity of n and MaxCapacity of m.

Alternatively, if you wish to scale your service onto Fargate Spot instances, specify min and max under range and then specify spot_from with the desired count you wish to start placing your services onto Spot capacity. For example:

    min: 1
    max: 10
    spot_from: 3

This will set your range as 1-10 as above, but will place the first two copies of your service on dedicated Fargate capacity. If your service scales to 3 or higher, the third and any additional copies will be placed on Spot until the maximum is reached.

range.min Integer
The minimum desired count for your service using autoscaling.

range.max Integer
The maximum desired count for your service using autoscaling.

range.spot_from Integer
The desired count at which you wish to start placing your service using Fargate Spot capacity providers.

count.cpu_percentage Integer
Scale up or down based on the average CPU your service should maintain.

count.memory_percentage Integer
Scale up or down based on the average memory your service should maintain.

count.requests Integer
Scale up or down based on the request count handled per tasks.

count.response_time Duration
Scale up or down based on the service average response time.

exec Boolean
Enable running commands in your container. The default is false. Required for $ copilot svc exec.

network Map
The network section contains parameters for connecting to AWS resources in a VPC.

network.vpc Map
Subnets and security groups attached to your tasks.

network.vpc.placement String
Must be one of 'public' or 'private'. Defaults to launching your tasks in public subnets.


If you launch tasks in 'private' subnets and use a Copilot-generated VPC, Copilot will automatically add NAT Gateways to your environment for internet connectivity. (See pricing.) Alternatively, when running copilot env init, you can import an existing VPC with NAT Gateways, or one with VPC endpoints for isolated workloads. See our custom environment resources page for more.

network.vpc.security_groups Array of Strings
Additional security group IDs associated with your tasks. Copilot always includes a security group so containers within your environment can communicate with each other.

variables Map
Key-value pairs that represent environment variables that will be passed to your service. Copilot will include a number of environment variables by default for you.

secrets Map
Key-value pairs that represent secret values from AWS Systems Manager Parameter Store that will be securely passed to your service as environment variables.

storage Map
The Storage section lets you specify external EFS volumes for your containers and sidecars to mount. This allows you to access persistent storage across availability zones in a region for data processing or CMS workloads. For more detail, see the storage page. You can also specify extensible ephemeral storage at the task level.

storage.ephemeral Int Specify how much ephemeral task storage to provision in GiB. The default value and minimum is 20 GiB. The maximum size is 200 GiB. Sizes above 20 GiB incur additional charges.

To create a shared filesystem context between an essential container and a sidecar, you can use an empty volume:

  ephemeral: 100
      path: /var/data
      read_only: false

      - source_volume: scratch
        path: /var/data
        read_only: false
This example will provision 100 GiB of storage to be shared between the sidecar and the task container. This can be useful for large datasets, or for using a sidecar to transfer data from EFS into task storage for workloads with high disk I/O requirements.

storage.volumes Map
Specify the name and configuration of any EFS volumes you would like to attach. The volumes field is specified as a map of the form:

  <volume name>:
    path: "/etc/mountpath"

storage.volumes.volume Map
Specify the configuration of a volume.

volume.path String
Required. Specify the location in the container where you would like your volume to be mounted. Must be fewer than 242 characters and must consist only of the characters a-zA-Z0-9.-_/.

volume.read_only Boolean
Optional. Defaults to true. Defines whether the volume is read-only or not. If false, the container is granted elasticfilesystem:ClientWrite permissions to the filesystem and the volume is writable.

volume.efs Boolean or Map
Specify more detailed EFS configuration. If specified as a boolean, or using only the uid and gid subfields, creates a managed EFS filesystem and dedicated Access Point for this workload.

// Simple managed EFS
efs: true

// Managed EFS with custom POSIX info
  uid: 10000
  gid: 110000 String
Required. The ID of the filesystem you would like to mount.

volume.efs.root_dir String Optional. Defaults to /. Specify the location in the EFS filesystem you would like to use as the root of your volume. Must be fewer than 255 characters and must consist only of the characters a-zA-Z0-9.-_/. If using an access point, root_dir must be either empty or / and auth.iam must be true.

volume.efs.uid Uint32 Optional. Must be specified with gid. Mutually exclusive with root_dir, auth, and id. The POSIX UID to use for the dedicated access point created for the managed EFS filesystem.

volume.efs.gid Uint32 Optional. Must be specified with uid. Mutually exclusive with root_dir, auth, and id. The POSIX GID to use for the dedicated access point created for the managed EFS filesystem.

volume.efs.auth Map
Specify advanced authorization configuration for EFS.

volume.efs.auth.iam Boolean
Optional. Defaults to true. Whether or not to use IAM authorization to determine whether the volume is allowed to connect to EFS.

volume.efs.auth.access_point_id String
Optional. Defaults to "". The ID of the EFS access point to connect to. If using an access point, root_dir must be either empty or / and auth.iam must be true.

logging Map
The logging section contains log configuration parameters for your container's FireLens log driver (see examples here).

logging.image Map
Optional. The Fluent Bit image to use. Defaults to amazon/aws-for-fluent-bit:latest.

logging.destination Map
Optional. The configuration options to send to the FireLens log driver.

logging.enableMetadata Map
Optional. Whether to include ECS metadata in logs. Defaults to true.

logging.secretOptions Map
Optional. The secrets to pass to the log configuration.

logging.configFilePath Map
Optional. The full config file path in your custom Fluent Bit image.

taskdef_overrides Array of Rules
The taskdef_overrides section allows users to apply overriding rules to their ECS Task Definitions (see examples here).

taskdef_overrides.path String Required. Path to the Task Definition field to override.

taskdef_overrides.value Any Required. Value of the Task Definition field to override.

environments Map
The environment section lets you override any value in your manifest based on the environment you're in. In the example manifest above, we're overriding the count parameter so that we can run 2 copies of our service in our 'prod' environment, and 2 copies using Fargate Spot capacity in our 'staging' environment.

publish Map
The publish section allows services to publish messages to one or more SNS topics.

    - name: order-events

In the example above, this manifest declares an SNS topic named order-events that other worker services which are deployed to the Copilot environment can subscribe to.

publish.topics Array of topics
List of topic objects.

publish.topics.topic Map
Holds configuration for a single SNS topic. String
Required. The name of the SNS topic. Must contain only upper and lowercase letters, numbers, hyphens, and underscores.