I've got a question about the ECS Agent documentat...
# ask-community
c
I've got a question about the ECS Agent documentation, in this section, there is a "Agent role policy" example, but there is no mention (I think) of where that gets used. The documentation only goes through the "execution role" and the "task role", where does "agent role" come into play?
a
Agree that this may be a bit confusing, happy to open a PR to clarify that in the docs. Agent Role Policy is a task role (IAM role) with a minimal set of permissions needed to deploy a flow run as an ECS task - to do that it needs permissions such as RegisterTaskDefinition and RunTask. Then, in a separate tab there is a (badly formatted) task role description showing that for your specific flow runs, you may need a bit more than those minimal task role permissions, e.g. if your flow needs access to S3 (say, because you use S3 storage and Prefect then needs permission to pull your flow from storage).
c
ok thanks, that makes sense!
could you explain a bit how this relates to the default secret `AWS_CREDENTIALS` - is it assumed that the task role (above) is attached to the user that also has the keys defined in `AWS_CREDENTIALS`?
a
If you are using Fargate with ECS agent, you can completely ignore `AWS_CREDENTIALS`, since all permissions are defined as IAM roles. I think it's mainly needed if you are e.g. using AWS tasks from the task library.
c
If I'm using boto3 within my code, does it get its permissions from the IAM role then?
a
correct, it should! If it doesn't, LMK and we can troubleshoot why
c
ok cool 🙂
a
But looking at this discussion I’m no longer that sure any more https://prefect-community.slack.com/archives/CL09KU1K7/p1643656589832509
c
back to the agent role policy above; does it get attached to the execution role or the task role?
k
Unless Anna corrects me, I think that is separate, because the Agent makes a new Task: the execution role and task role are for the new task, while the Agent role is for the Agent Task. So it doesn't inherently carry over and just needs the permissions to spin up the new tasks
a
agent role policy needs to be attached to the task role. Execution role is only to pull image from ECR and to log output to CloudWatch. The agent's task role and execution role are by default also used for the flow runs' ECS tasks unless you explicitly overwrite those on the ECSRun