Hi! I just tried to run prefect agentless on AWS E...
# ask-community
f
Hi! I just tried to run prefect agentless on AWS ECS and S3 storage. For some reason boto3 cannot find any AWS credentials and it fails downloading flows from S3. When I run it locally with credentials as env variables it reports the token is expired (which isn't true). Is that caused by being executed in a subprocess? Thanks 🙂
prefect run --name hello-world --execute       
Looking up flow metadata... Done
Creating run for flow 'hello-world'... Done
└── Name: malachite-lobster
└── UUID: 381ad17b-e2d8-4e8b-84aa-ab880d2f0458
└── Labels: ['agentless-run-149b4f62']
└── Parameters: {}
└── Context: {}
└── URL: <https://cloud.prefect.io/data-and-bi/flow-run/381ad17b-e2d8-4e8b-84aa-ab880d2f0458>
Executing flow run...
└── 01:11:26 | INFO    | Creating subprocess to execute flow run...
└── 01:11:32 | INFO    | Downloading flow from <s3://bucket/hello_world.py>
└── 01:11:32 | ERROR   | Error downloading Flow from S3: An error occurred (ExpiredToken) when calling the GetObject operation: The provided token has expired.
An error occurred (ExpiredToken) when calling the GetObject operation: The provided token has expired.
k
Hey @Fabian Brück, I guess my thought would be that the Flow run is using some other set of credentials? Maybe you can more explicitly test this by spinning up an agent with env vars that match your local run and see if it downloads successfully?
f
Hi @Kevin Kho Thank you 🙂 I think you are right. I tried to run a local agent and it worked. An ECS agent with the same configuration could pull flow runs too. I am not sure how to continue now.
The local run tried to get default credentials from .aws that were expired. It did not pick up the ones provided as env variables. Here is a stack trace from a run without default credentials and a stack trace from a run on Fargate.
k
Ah are you good now? Wouldn’t it be a matter of removing the expired credentials?
f
Now it cannot locate any credentials in both cases. It seems like agentless cannot pick up env variables or role credentials when run as an ECS Task. I wanted to test agentless execution triggered by CloudWatch events, so that we do not need to run an agent in each AWS account. In some accounts we just need a single flow. Is agentless supposed to be used in production at all?
z
Hi! I wrote agentless execution & I intended for it to be useful in production but did not try running things on ECS. Happy to try to sort out what's going on.
Are you just storing your credentials as environment variables?
I think the issue is we are creating a subprocess and not including local environment variables.
I did this as a "safety-first" feature, to prevent variables from being copied into your flow without permission.
However, I think that it would make sense to include them by default from the CLI.
f
@Zanie Awesome! Thanks for the fast response and proposed solution 🙂 Is the flag a CLI parameter? Fargate tasks do fetch their role-specific credentials from a credential endpoint. This URI is stored in an environment variable (AWS_CONTAINER_CREDENTIALS_RELATIVE_URI, <https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html>).
z
We'd just make this the default behavior for the CLI