Hello All. I get this error in Prefect UI. I am tr...
# ask-communityp
Payam K
10/29/2021, 8:00 PMHello All. I get this error in Prefect UI. I am trying to run a job in Fargate and use a custom image in ECR
An error occurred (ClientException) when calling the RegisterTaskDefinition operation: Fargate requires task definition to have execution role ARN to support ECR images.
a
Anna Geller
10/29/2021, 8:03 PM
Can you show your ECSRun definition? How do you start your ECS agent - as an ECS service in-cluster or in some other way?
p
Payam K
10/29/2021, 8:05 PM'''
RUN_CONFIG = ECSRun(
labels=["prod"],
task_role_arn="arnawsiam:<accountnum>role/prefectTaskRole",
run_task_kwargs=dict(cluster="prefect-cluster", launchType="FARGATE",),
image="xxxxx.dkr.ecr.us-east-1.amazonaws.com/prefect-custom-image"
)
'''
Payam K
10/29/2021, 8:06 PMI start my ECS agent as an ECS service in cluster
Payam K
10/29/2021, 8:07 PMa
Anna Geller
10/29/2021, 8:08 PM
nice! based on the error message you shared, it looks like the execution role doesn’t have access to ECR - can you share your IAM policy you used as the execution role?
p
Payam K
10/29/2021, 8:12 PM Copy code
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DeleteSecurityGroup",
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecs:CreateCluster",
"ecs:DeleteCluster",
"ecs:DeregisterTaskDefinition",
"ecs:DescribeClusters",
"ecs:DescribeTaskDefinition",
"ecs:DescribeTasks",
"ecs:ListAccountSettings",
"ecs:ListClusters",
"ecs:ListTaskDefinitions",
"ecs:RegisterTaskDefinition",
"ecs:RunTask",
"ecs:StopTask",
"iam:PassRole",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogGroups",
"logs:GetLogEvents"
],
"Resource": "*"
}
]
}Payam K
10/29/2021, 8:12 PMprefectTaskRolePolicy
a
Anna Geller
10/29/2021, 8:13 PM
I think this is the Task Role. In your Task execution role, I think the ECR access is missing. I will try to build an example policy you can use
p
Payam K
10/29/2021, 8:14 PMhmm, I missed it then
Payam K
10/29/2021, 8:14 PMthanks for the help in advance
a
Anna Geller
10/29/2021, 8:15 PM
if you have this in your Task Execution Role, then this should work
p
Payam K
10/29/2021, 8:16 PMNo, I don't have it
Payam K
10/29/2021, 8:16 PM{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters"
],
"Resource": "*"
}
]
}
Payam K
10/29/2021, 8:16 PMI will add it
a
Anna Geller
10/29/2021, 8:18 PM
if you followed this demo, then you should have it already.
p
Payam K
10/29/2021, 8:23 PMyeah, I used it. BTW, thanks for the outstanding article
a
Anna Geller
10/29/2021, 8:25 PM
thank you so much! Really curious about this error. Keep me posted once you know more, or share your traceback if you get another error
p
Payam K
10/29/2021, 8:26 PMSure, I am still getting error but let me know to double check it first
a
Anna Geller
10/29/2021, 9:46 PM
btw, you can also pass this explicitly to your ECSRun:
Copy code
execution_role_arn="arn:aws:iam::XXXXXX:role/prefectECSAgentTaskExecutionRole",p
Payam K
10/29/2021, 11:38 PMHello. Adding the execusion role arn to ECRUN solved my issue
👍 1
Payam K
10/29/2021, 11:38 PMThank you
11 Views