
Wesley Jin

07/26/2023, 8:20 PM
Hi, I’m running into the following permission error trying to run a flow on Prefect 2 using the ECS Worker with a service account API key scoped to a “Worker” role:
Crash detected! Execution was interrupted by an unexpected exception: PrefectHTTPStatusError: Client error '403 Forbidden' for url '<https://api.prefect.cloud/api/accounts/.../workspaces/.../block_documents/>'
Response: {'detail': 'Forbidden'}
For more information check: <https://httpstatuses.com/403>
I thought the URL path was referring to Block permissions, which the role seems to have. Do I need to give the ECS worker the “Developer” role to run flows? What is the /block_documents/ endpoint fetching?
for posterity: using the “Developer” role for the service account fixed this - though not ideal since it appears to exceed least permissions
👍 1

Mark McDonald

08/01/2023, 2:10 AM
I ran into this same issue. Thanks for posting your solution!
👍 1
🙌 1

Tom Klein

08/16/2023, 11:16 AM
can someone explain why this is happening? thanks for posting the solution, it worked for us - but i don’t like the fact i can’t use a more limited role (to prevent havoc or abuse) for the agent/worker service account

Wesley Jin

09/14/2023, 12:25 AM
^ bumping this thread for Prefect team visibility 🙏 I would also like to limit the role’s permission scope

Tom Klein

09/14/2023, 9:28 AM
i think issues here are largely ignored, unless reported via github
👍 1