# ask-community
m
Hi all, after successfully utilizing an ecs:push work pool with my own provisioned AWS infrastructure to deploy my flow to and run it on the ECS cluster, I was curious about the new feature to let Prefect provision the infrastructure 😃 Unfortunately, it doesn't work as expected. I created the ecs:push work pool as suggested (https://github.com/PrefectHQ/prefect/pull/11267) and after that I deployed my flow to it as usual, but without job variables (since I don't have to ingest the AWS infrastructure and role ARNs now). I want to push the flow image to my ECR repo, so I give this with the name of the image to my Deployment like this:
```python
flow.deploy(
    ...
    image=DeploymentImage(
        name=os.getenv("ECR_REPO_URL", ""),
        tag=os.getenv("IMAGE_TAG"),
        dockerfile=cfd / "Dockerfile",
    ),
    ...
)
```
But then I get the error: "Flow run could not be submitted to infrastructure: An error occurred (ClientException) when calling the RegisterTaskDefinition operation: Fargate requires task definition to have execution role ARN to support ECR images." Why do I still have to provision the deployment with an execution role? Shouldn't it (or the work pool) create one? Or is it because it is my own ECR repo? Where do you usually push / save the flow image to run it on the ECS cluster (especially in the frame of the ecs:push work pool with infra provisioning)? Thank you and best regards!
🤔 1
1
Just wondering: with my own AWS infrastructure and Prefect ECS push work pool I needed to assign the ManagedPolicyArns: "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy" to the IAM execution role (like here). I skimmed the source code of the current Prefect infrastructure provisioning for ECS: no IAM role is created, the policies are attached directly to the IAM user, but the arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy is not attached ... so in fact the following policies are missing to access the ECR: "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", ...
Hey @justabill, since you posted this cool news about creating an ecs:push work pool which is able to create its own infrastructure (--provision-infra): What is your usual use case? Where should I push / save the flow image to make the approach work (if not to ECR?!)? Is it intended that you have to create and assign the execution role yourself? Sorry for bothering you, regards!
Hey all 👋, please, could someone give me a hint on how to use the new ecs:push --provision-infra feature? As stated above I created the work pool, but when I deploy my flow to it, I get the error: "Error: Flow run could not be submitted to infrastructure: An error occurred (ClientException) when calling the RegisterTaskDefinition operation: Fargate requires task definition to have execution role ARN to support ECR images". My question: Where should I push the flow image to make the approach work (if not to ECR)? Is it intended that you have to create and assign the execution role yourself? Regards!
1
j
Hi Mira! You’ll need to have the AWS CLI library downloaded and be authenticated with your AWS account. Then you can run `prefect work-pool create` with the `--provision-infra` flag and the wizard should walk you through the rest. There’s a guide here that should help: https://github.com/PrefectHQ/prefect/pull/11316/files
Then you’ll need to deploy your flow. The `prefect deploy` CLI command can walk you through that.
m
Hi @Jenny, thank you for your answer 🙂 As mentioned above, it was no problem to create the work pool. After creating it via the CLI, it is listed in the work pool section in Prefect Cloud, and so is the new AWS credentials block which is assigned to it. I then deploy my flow to it and when I hit the quick run button, it gives me the following error: "Flow run could not be submitted to infrastructure: An error occurred (ClientException) when calling the RegisterTaskDefinition operation: Fargate requires task definition to have execution role ARN to support ECR images." All the other infrastructure components get created and I can see them in AWS. So my question is: what am I doing wrong? Do I have to create and assign the execution role myself, or should I push my flow image somewhere else (with my deployment) than ECR?
j
Ah yeah I just saw your original post and (as you probably also do) suspect it’s that custom image. Provision-infra is currently aimed at helping users get started with our public docker images. I expect there’ll be work in the future that expands use cases but for now I think you’re better creating your own role or running flow.deploy without a custom image.
🙌 1
m
Ah, ok, thank you so much for taking the time to look into my question 👍 Have a nice weekend 👋
j
Thank you. You too!
And do open an issue if you think this is something it would help for us to support!
m
Hey all, it feels a bit silly, but I have to ask again, sorry 😅 I am still trying to get the --provision-infra option for ecs:push work pools to work ... What I tried:
• (pushing the docker image to ECR (private) -> Error: Fargate requires task definition to have execution role ARN to support ECR images.)
• pushing the docker image to ECR public:
```
Flow run could not be submitted to infrastructure: TaskFailedToStart - CannotPullContainerError: pull image manifest has been retried 5 time(s): failed to resolve ref public.ecr.aws/r1j4r6c7/prefect_ecr:my-custom-build: failed to do request: Head "https://public.ecr.aws/v2/r1j4r6c7/prefect_ecr/manifests/my-custom-build": dial tcp 99.83.145.10:443: i/o timeout
```
• pushing the image to DockerHub (public):
```
Flow run could not be submitted to infrastructure: TaskFailedToStart - CannotPullContainerError: pull image manifest has been retried 5 time(s): failed to resolve ref docker.io/my-user/dataflow_test:my-custom-build: failed to do request: Head "https://registry-1.docker.io/v2/my-user/dataflow_test/manifests/my-custom-build": dial tcp 54.227.20.253:443: i/o timeout
```
What do you mean by "aimed at helping users get started with our public docker images"? What am I doing wrong? I think the inet gateway should be assigned, so why does it have no access? Since the infrastructure gets created by Prefect, I am not aware of what I could have done wrong ... How do you deploy your flow to the provision-infra work pool (and where do you push the image)?
d
I'm having the same issue here. Anyone have luck getting a push pool task on ECS to use an image from ECR?
From what I've read it seems like we need to use VPC Gateway in AWS if we're using a private VPC
j
Hi Mira! Sorry to hear you’re still struggling. It looks like you have a connectivity error there along with the permissions one for ECR. For using ECR, we have a PR up that’s aimed at helping: https://github.com/PrefectHQ/prefect/pull/11382 That’s only available on main for now but look out for more details in upcoming releases. I’d love to have you come back and tell us if it helps you.
a
@mira Support for creating an ECR registry is available in 2.14.11! You can run `prefect work-pool provision-infra` for your existing work pool and it will create an ECR repository that is fully set up to use with an ECS push work pool. Let me know if you run into any issues with it!
🙏 1
m
Hey @alex, very cool 👍, thank you for notifying me! I also found the new docs on this, thanks a lot!