# prefect-server
a
Hey folks 🙂 I've started experimenting with ECS agent to replace our current Fargate agent, but I'm having issues with AWS permissions. Is there a place where I can find the minimum set of permissions that an ECS agent needs to successfully deploy a flow as an ECS task?
z
Hmm I know this was recently added in https://github.com/PrefectHQ/prefect/pull/4111/files
Not sure where this is hiding in the live docs -.-
a
Thanks @Zanie 🙂
z
It sounds like this isn't actually documented. After talking to Jim, he thinks something like
ECS register, deregister, and run tasks, and some EC2 calls by default to infer things about the vpc/subnets (describe vpcs, describe subnets)
If you're running an older version there may be more since we recently reduced the required permissions
a
We’re still on 0.13.13 with Fargate Agent but we definitely want to upgrade to a more recent version and use ECS Agent
But as I said, it’s a bit difficult to get a working agent due to lack of docs regarding required permissions. Lots of trials and errors 🙂
z
We'd happily accept a PR improving it 😄 it's on the to-do list for sure.
@Marvin open "Document ECSAgent required IAM permissions"
a
Once I get a full understanding of ECS agent permissions for AWS I'm going to write some docs and submit a PR
r
Here are the permissions that we use for ECS/Fargate. Our agent (0.14.6) has the following permissions to use boto3 for submitting tasks: AmazonS3FullAccess and AmazonECSFullAccess. Our task_run_arn has the following permissions: AmazonS3FullAccess and AmazonEC2ContainerRegistryFullAccess. Our execution_run_arn has AmazonEcsTaskExecutionRole. It could be that we're too lenient on permissions and could scale them back; it's on our to-do list, but this got us unblocked. HTH.
c
Hey @ale did you get a chance to figure out the full 'minimum' permissions needed?
a
Hey @ciaran 🙂 Not yet, unfortunately
c
Oh 😭 No worries, are you just going with the full ecs access at the mo?
a
Nope, we just postponed the Prefect Server upgrade and stuck with 0.13.13 😅
r
Hello @ciaran @ale. I have given ecs:* permissions to my ECSAgent and I have checked CloudTrail logs to find out which actions the agent is performing. This is my current policy:
{
  "Statement": [
    {
      "Action": [
        "ecs:RunTask",
        "ecs:RegisterTaskDefinition",
        "ecs:DeregisterTaskDefinition"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "iam:PassRole",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::4XXXXX:role/PrefectFlowStagingTaskRole",
        "arn:aws:iam::4XXXXX:role/PrefectFlowStagingTaskExecutionRole"
      ]
    }
  ],
  "Version": "2012-10-17"
}
Where PrefectFlowStagingTaskRole and PrefectFlowStagingTaskExecutionRole are the roles that the agent passes to the deployed task on Fargate.
a
Thanks a lot @Roger L.!!!
r
Btw I am checking this comment from potter420: https://github.com/PrefectHQ/prefect/pull/4302
c
@Roger L. Nice one! 🦜 Cloud trail is a great shout
r
I might be missing something like "ecs:StopTask", but hope it helps guys. I am still on it 😛
c
Certainly a great starting point thanks!
r
You are welcome 🙂
c
@Roger L. out of interest, how're you deploying this all? I'd love to pick folks' brains about automated Prefect cluster deployment on AWS, it's something we're working on at the mo
a
We’re using CloudFormation for provisioning all the required resources. Prefect Server + UI + Agents are all part of an ECS service
c
Cool, we're using CDK over on the pangeo-forge project, so I guess just CFN in the end too
r
We are using Prefect Cloud, our agents are dockerized and run on fargate. The IaC is managed with Terraform.