# prefect-cloud
j
Hi! We're setting up a push work pool on AWS, but are quite surprised that AmazonECS_FullAccess is required. Is there a concrete list of the permissions that are required?
a
You can see the required ECS permissions on this page, which describes not only ECS permissions.
j
I don't know how I missed that... I was looking at that document.
It needs iam:CreateUser? Why?
Other remarkable permissions: ecs:CreateCluster, ecr:CreateRepository, ec2:CreateVpc. We cannot use this.
a
The permissions required depend on what you defined on the work pool. If you already have an ECS task execution role, you may not need iam:CreateUser or iam:CreatePolicy. Likewise, if you already have an ECS cluster, Prefect will not require the ecs:CreateCluster permission when running flows on the work pool. Note that the permissions on this page represent all the permissions you would need if you did no AWS setup at all.
j
Which are the permissions if I handle resource creation and just want the serverless worker functionality?
a
Are you referring to the resource running the ECS task?
j
I'm referring to the execution of the Flow. Starting the Flow Run.
a
Well... then you might already have the AWS resources required for ECS task execution. These permissions may be required:
• ecs:StopTask
• ecs:RunTask
• ecs:ListTaskDefinitions
• ecs:ListClusters
• ecs:DescribeTasks
• ecs:DescribeTaskDefinition
• ecs:DescribeClusters
These are the permissions I remember setting that I needed, but you should test them out by actually running the flow to see if you need them in your environment.
j
That's reasonable. I'll test them. Thank you.
If Prefect is compromised, all their customers who followed the documentation will be compromised as well. This is a tragedy.
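The thread ends without a concrete policy document. Below is an added example, written for this page and not taken from the thread or from Prefect's documentation, that turns the run-only action list above into a least-privilege IAM policy for the case where the cluster, VPC, ECR repository and task execution role already exist, and that includes a small check to flag resource-creation and wildcard actions before the policy is attached. Assumptions: the cluster and role ARNs are placeholders; the `ecs:cluster` and `iam:PassedToService` condition keys are used to pin RunTask/StopTask to one cluster and PassRole to ECS; and `iam:PassRole` on the execution role is the editor's addition (nobody in the thread mentioned it, but RunTask with a task execution role requires the caller to pass that role), so test it in your own environment as "a" suggests.

```python
"""Least-privilege IAM policy for a Prefect ECS push work pool whose AWS
resources already exist, plus a pre-attach check for creation/wildcard rights.

Added example for this page; not code from Prefect or the thread participants.
"""
import json

# Run-only actions listed by "a" in the thread.
RUN_ONLY_ACTIONS = [
    "ecs:StopTask",
    "ecs:RunTask",
    "ecs:ListTaskDefinitions",
    "ecs:ListClusters",
    "ecs:DescribeTasks",
    "ecs:DescribeTaskDefinition",
    "ecs:DescribeClusters",
]

# Resource-creation actions the thread calls out as unacceptable.
SETUP_ACTIONS = [
    "iam:CreateUser",
    "iam:CreatePolicy",
    "ecs:CreateCluster",
    "ecr:CreateRepository",
    "ec2:CreateVpc",
]

# Placeholder ARNs (assumption: replace with your own).
CLUSTER_ARN = "arn:aws:ecs:us-east-1:123456789012:cluster/prefect-cluster"
EXECUTION_ROLE_ARN = "arn:aws:iam::123456789012:role/prefect-task-execution"


def build_run_only_policy(cluster_arn: str, execution_role_arn: str) -> dict:
    """Policy that can start/stop flow-run tasks on one pre-existing cluster."""
    describe = [a for a in RUN_ONLY_ACTIONS if a.split(":")[1][:4] in ("List", "Desc")]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DescribeAndList",
                "Effect": "Allow",
                "Action": sorted(describe),
                "Resource": "*",
            },
            {
                "Sid": "RunAndStopOnOneCluster",
                "Effect": "Allow",
                "Action": ["ecs:RunTask", "ecs:StopTask"],
                "Resource": "*",
                # Pin task launches/stops to the one cluster the work pool uses.
                "Condition": {"ArnEquals": {"ecs:cluster": cluster_arn}},
            },
            {
                # Editor's addition, not from the thread: RunTask with a task
                # execution role needs PassRole on that role, restricted to ECS.
                "Sid": "PassExecutionRoleToEcs",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": execution_role_arn,
                "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}},
            },
        ],
    }


def allowed_actions(policy: dict) -> list:
    """Flatten every action granted by Allow statements."""
    actions = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt["Action"]
        actions.extend([acts] if isinstance(acts, str) else acts)
    return actions


def flagged_actions(policy: dict) -> list:
    """Actions that create resources or use wildcards; expect [] for run-only."""
    flagged = set()
    for action in allowed_actions(policy):
        _service, _, name = action.partition(":")
        if "*" in action or name.startswith("Create") or action in SETUP_ACTIONS:
            flagged.add(action)
    return sorted(flagged)


# Constructed "did no AWS setup" policy, mirroring the broad grant the thread objects to.
FULL_SETUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": RUN_ONLY_ACTIONS + SETUP_ACTIONS, "Resource": "*"}],
}

if __name__ == "__main__":
    policy = build_run_only_policy(CLUSTER_ARN, EXECUTION_ROLE_ARN)
    print(json.dumps(policy, indent=2))
    print("flagged in run-only policy:", flagged_actions(policy))
    print("flagged in full-setup policy:", flagged_actions(FULL_SETUP_POLICY))
```

Attach the printed document to the IAM principal Prefect Cloud uses for the push work pool, then run a flow; if a call fails with AccessDenied, add only the specific action the error names rather than falling back to AmazonECS_FullAccess.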