# ask-community
w
Hi, in the documentation for the ECS agent it's not clear what the configuration should be regarding security groups (or actually specific IAM permissions). I'm assuming you don't need to open the agent to the public internet and that it just polls Prefect Cloud, but it's not entirely clear; also, if anyone has a minimal set of IAM permissions I can apply to the task role, that would be great 🙂
a
Hi @Will. You can have a look at this ECSAgent walkthrough - it contains an example Task role and execution role that you can use. There is even a GitHub gist with AWS CLI commands to create all the required resources. When it comes to security groups, there are no ports that you need to explicitly open up because your agent service communicates to Prefect Cloud in one direction (due to the hybrid execution model).
w
Thanks Anna, that guide is very thorough and I've been referring to it already! Thanks for taking the time to write it up. So in that case, the security group I've set up will work fine 👍 Those permissions specified in the task role policy can be restricted somewhat depending on use case, e.g. if you don't want Prefect to handle creating a cluster; I'm wondering if there's anyone who does know the exact minimal set (which will obviously depend on what options you want to use when using ECSRun)
a
Good point, I got this from https://docs.prefect.io/orchestration/agents/ecs.html#execution-role-arn. Many of the permissions listed in the documentation (such as CreateCluster and DeleteCluster) are relevant if you want to use dask cloudprovider to spin up a temporary Dask cluster. But other permissions such as (de)register task definition are necessary.
k
I think the best resource I have for you is this comment on GitHub
upvote 2