Does someone have the policy definition an ECS Age...
# ask-community
c
Does someone have the policy definition an ECS Agent itself requires? Just had mine fall over because it needed to Describe VPCs, would be handy to just give it all the permissions it needs rather than doing them 1 by 1 😄
👀 1
z
Unfortunately this is still an open issue https://github.com/PrefectHQ/prefect/issues/4244
c
So is it known what permissions are required?
I'm happy to raise a PR if the permissions are known to contribute to the docs
But there's a big gap missing at the mo 😅
z
Here's a user's response
Here are the permissions that we use for ECS/Fargate. Our agent (0.14.6) has the following permissions to use boto3 for submitting tasks - AmazonS3FullAccess and AmazonECSFull Access. Our task_run_arn has the following permissions: AmazonS3FullAccess and AmazonEC2ContainerRegistryFullAccess. Our execution_run_arn has AmazonEcsTaskExecutionRole.
It could be that we're too lenient on permissions and could scale them back - it's on our to-do list but this got us unblocked. HTH.
c
Hmmm okay
z
I don't have a list of required permissions 😕
c
I'd assumed providing the Agent, there'd be a list squirrelled away somewhere haha
z
Yeah I think that when it was developed they just used an account with full access to simplify their work
c
Blanket ECS access is probably okay for now, but in a production env that's not the nicest 😕
z
It's been two weeks and they also said they'd PR it when they had time
c
No worries, thanks for the update @Zanie 😄 I'll message them!
Our use case is just more open to the public so I'd rather not let anyone just blow through a credit card limit 🦜
z
hahah understandable