Jeremy Hetzel

08/26/2023, 4:21 PM
It is not possible to set
Subnet IDs
, or
DNS Servers
for an Azure Container Instance work pool via the we portal. This appears to block use of images in the Azure Container Registry, because we need to include the ACRManagedIdentity
in the
list, otherwise the identity is not attached to the container group, and pulling from an azure container registry fails with
Copy code
Exception Details:	(InvalidImageRegistryIdentity) The identity in the 'imageRegistryCredentials' of container group 'get_repo_info-58bac517-8e50-4466-b939-f88722d7c09a' not found in container group identity list.
	Code: InvalidImageRegistryIdentity
	Message: The identity in the 'imageRegistryCredentials' of container group 'get_repo_info-58bac517-8e50-4466-b939-f88722d7c09a' not found in container group identity list.
03:18:37 PM
Update: I was able to add an identity to a worker pool
in the web interface clicking Advanced and manually adding a default for the
Copy code
"identities": {
        "type": "array",
        "items": {
          "type": "string"
        "title": "Identities",
        "default": [
        "description": "A list of user-assigned identities to associate with the container group. The identities should be an ARM resource IDs in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'."
It still shows an empty identities in the non-advanced view:
However, the identity is present in the configuration object:
Copy code
prefect worker start -n my-aci-worker -p azure2                                                                                                         13:46:53
Discovered worker type 'azure-container-instance' for work pool 'azure2'.
Worker 'my-aci-worker' started!
13:47:08.807 | INFO    | prefect.flow_runs.worker - Worker 'my-aci-worker' submitting flow run 'b1cd5cbc-fffc-4d87-b5df-c64c998146ba'
13:47:09.734 | INFO    | - AzureContainerInstanceJob 'my-aci-worker': Preparing to run command python -m prefect.engine in container  prefecthq/prefect:2.11.5-python3.10)...
13:47:09.735 | INFO    | - AzureContainerInstanceJob 'my-aci-worker': Creating container group...
> /home/jhetzel/src/c-core-labs/holmes/.venv/lib/python3.10/site-packages/prefect_azure/workers/
-> created_container_group = await run_sync_in_worker_thread(
(Pdb) list
744  	            resource_group_name=configuration.resource_group_name,
745  	            deployment_name=f"prefect-{container_group_name}",
746  	            parameters=deployment,
747  	        )
748  	        breakpoint()
749  ->	        created_container_group = await run_sync_in_worker_thread(
750  	            self._wait_for_task_container_start,
751  	            aci_client,
752  	            configuration,
753  	            container_group_name,
754  	            creation_status_poller,
(Pdb) configuration.identities
(Pdb) continue
13:48:50.949 | INFO    | - AzureContainerInstanceJob 'my-aci-worker': Running command...
13:48:50.954 | INFO    | - AzureContainerInstanceJob 'my-aci-worker': Completed command run.
13:48:50.954 | INFO    | - AzureContainerInstanceJob 'my-aci-worker': Deleting container...
13:48:51.097 | INFO    | prefect.flow_runs.worker - Completed submission of flow run 'b1cd5cbc-fffc-4d87-b5df-c64c998146ba'
13:48:54.507 | INFO    | - AzureContainerInstanceJob 'my-aci-worker': Container deleted.

David Yang

08/31/2023, 12:06 AM
I added identities and subnet configuration in deployment yaml file. That works. I used the ACI push type work pool. The nice thing about that is we don't need to run worker. But it seems that prefect doesn't delete the ACI group after the flow completed successfully. I hope prefect can fix that ASAP.
❤️ 1