Cody
07/03/2023, 11:05 PMSubmission failed. botocore.errorfactory.ClientException: An error occurred (ClientException) when calling the RegisterTaskDefinition operation: Fargate requires task definition to have execution role ARN to support ECR images
My ecsTask block looks like:
ecs-task/trigger-flow
┌─────────────────────────────────┬─────────────────────────────────────────────────────────────────────┐
│ Block Type │ ECS Task │
│ Block id │ a084e009-76b4-47d6-a249-b92bd98dc45b
├─────────────────────────────────┼─────────────────────────────────────────────────────────────────────┤
│ cpu │ 512
│ vpc_id │ vpc-xxxxxxxxx
│ cluster │ arn:aws:ecs:us-east-1:xxxxxxxxx:cluster/prefect
│ stream_output │ True
│ task_role_arn │ arn:aws:iam::xxxxxxxxx:role/ecsTaskExecutionRolePrefect
│ task_definition │
│ execution_role_arn │ arn:aws:iam::xxxxxxxxx:role/ecsTaskExecutionRolePrefect
│ task_customizations │ []
│ task_definition_arn │ arn:aws:ecs:us-east-1:xxxxxxxxx:task-definition/flow-run-a-test:4
│ cloudwatch_logs_options │ {}
│ configure_cloudwatch_logs │ True
│ auto_deregister_task_definition │ False
└─────────────────────────────────┴─────────────────────────────────────────────────────────────────────┘
And the execution_role and task_role both have the managed AmazonECSTaskExecutionRolePolicy which includes
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
Am I going crazy, or are those not sufficient permissions? Stackoverflow says that they are, but I could be misinterpreting things.
It seems like the ECS Task that should run the Prefect task isnt inheriting the execution role from the Task Definition.Brendan Maguire
08/14/2023, 4:05 PMCody
08/14/2023, 4:08 PMBrendan Maguire
08/14/2023, 4:25 PMExecution Role ARN
in the Prefect UI for the ECS work pool.