Payam K

    Payam K

    10 months ago
    Hello All. I get this error in Prefect UI. I am trying to run a job in Fargate and use a custom image in ECR An error occurred (ClientException) when calling the RegisterTaskDefinition operation: Fargate requires task definition to have execution role ARN to support ECR images.
    Anna Geller

    Anna Geller

    10 months ago
    Can you show your ECSRun definition? How do you start your ECS agent - as an ECS service in-cluster or in some other way?
    Payam K

    Payam K

    10 months ago
    ''' RUN_CONFIG = ECSRun(     labels=["prod"],     task_role_arn="arn:aws:iam::<accountnum>:role/prefectTaskRole",     run_task_kwargs=dict(cluster="prefect-cluster", launchType="FARGATE",),     image="xxxxx.dkr.ecr.us-east-1.amazonaws.com/prefect-custom-image" ) '''
    I start my ECS agent as an ECS service in cluster
    Anna Geller

    Anna Geller

    10 months ago
    nice! based on the error message you shared, it looks like the execution role doesn’t have access to ECR - can you share your IAM policy you used as the execution role?
    Payam K

    Payam K

    10 months ago
    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2😄escribeNetworkInterfaces", "ec2😄escribeSecurityGroups", "ec2😄escribeSubnets", "ec2😄escribeVpcs", "ec2😄eleteSecurityGroup", "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecs:CreateCluster", "ecs😄eleteCluster", "ecs😄eregisterTaskDefinition", "ecs😄escribeClusters", "ecs😄escribeTaskDefinition", "ecs😄escribeTasks", "ecs:ListAccountSettings", "ecs:ListClusters", "ecs:ListTaskDefinitions", "ecs:RegisterTaskDefinition", "ecs:RunTask", "ecs:StopTask", "iam😛assRole", "logs:CreateLogStream", "logs😛utLogEvents", "logs😄escribeLogGroups", "logs:GetLogEvents" ], "Resource": "*" } ] }
    prefectTaskRolePolicy
    Anna Geller

    Anna Geller

    10 months ago
    I think this is the Task Role. In your Task execution role, I think the ECR access is missing. I will try to build an example policy you can use
    Payam K

    Payam K

    10 months ago
    hmm, I missed it then
    thanks for the help in advance
    Anna Geller

    Anna Geller

    10 months ago
    if you have this in your Task Execution Role, then this should work
    Payam K

    Payam K

    10 months ago
    No, I don't have it
    {   "Version": "2012-10-17",   "Statement": [     {       "Effect": "Allow",       "Action": [         "ssm:GetParameters"       ],       "Resource": "*"     }   ] }
    I will add it
    Anna Geller

    Anna Geller

    10 months ago
    if you followed this demo, then you should have it already.
    Payam K

    Payam K

    10 months ago
    yeah, I used it. BTW, thanks for the outstanding article
    Anna Geller

    Anna Geller

    10 months ago
    thank you so much! Really curious about this error. Keep me posted once you know more, or share your traceback if you get another error
    Payam K

    Payam K

    10 months ago
    Sure, I am still getting error but let me know to double check it first
    Anna Geller

    Anna Geller

    10 months ago
    btw, you can also pass this explicitly to your ECSRun:
    execution_role_arn="arn:aws:iam::XXXXXX:role/prefectECSAgentTaskExecutionRole",
    Payam K

    Payam K

    10 months ago
    Hello. Adding the execusion role arn to ECRUN solved my issue
    Thank you