Renzo Becerra
03/19/2021, 6:44 PM
prefect agent ecs start --cluster my-cluster-arn --launch-type EC2
botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the RegisterTaskDefinition operation: User: arn:aws:iam::**********:user/********* is not authorized to perform: ecs:RegisterTaskDefinition on resource: *

nicholas
03/19/2021, 6:48 PM
ecs:RegisterTaskDefinition permissions.

Renzo Becerra
03/19/2021, 6:50 PM

Mariia Kerimova
03/19/2021, 7:43 PM

Renzo Becerra
03/19/2021, 7:48 PM

nicholas
03/23/2021, 4:41 PM

Renzo Becerra
03/23/2021, 4:49 PM

nicholas
03/23/2021, 4:50 PM

Mariia Kerimova
03/23/2021, 11:23 PM
ecs:RegisterTaskDefinition can’t be set only on a specific cluster. You might have to set conditions like here:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ecs:PutAttributes",
        "ecs:ListAttributes",
        "ecs:UpdateContainerInstancesState",
        "ecs:StartTask",
        "ecs:RegisterContainerInstance",
        "ecs:DeleteAttributes",
        "ecs:DescribeTaskSets",
        "ecs:DeleteCapacityProvider",
        "ecs:SubmitAttachmentStateChanges",
        "ecs:Poll",
        "ecs:UpdateService",
        "ecs:DescribeCapacityProviders",
        "ecs:CreateService",
        "ecs:RunTask",
        "ecs:ListTasks",
        "ecs:StopTask",
        "ecs:DescribeServices",
        "ecs:SubmitContainerStateChange",
        "ecs:DescribeContainerInstances",
        "ecs:DeregisterContainerInstance",
        "ecs:TagResource",
        "ecs:DescribeTasks",
        "ecs:UntagResource",
        "ecs:PutClusterCapacityProviders",
        "ecs:UpdateTaskSet",
        "ecs:SubmitTaskStateChange",
        "ecs:UpdateClusterSettings",
        "ecs:DeleteService",
        "ecs:DeleteCluster",
        "ecs:DeleteTaskSet",
        "ecs:DescribeClusters",
        "ecs:ListTagsForResource",
        "ecs:StartTelemetrySession",
        "ecs:UpdateContainerAgent",
        "ecs:ListContainerInstances",
        "ecs:UpdateServicePrimaryTaskSet"
      ],
      "Resource": [
        "arn:aws:ecs:us-east-1:<account>:cluster/<cluster_name>",
        "arn:aws:ecs:us-east-1:<account>:task-definition/prefect-<flow_name>:*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ecs:DiscoverPollEndpoint",
        "ecs:PutAccountSettingDefault",
        "ecs:CreateCluster",
        "ecs:DescribeTaskDefinition",
        "ecs:PutAccountSetting",
        "ecs:ListServices",
        "ecs:CreateCapacityProvider",
        "ecs:DeregisterTaskDefinition",
        "ecs:ListAccountSettings",
        "ecs:DeleteAccountSetting",
        "ecs:ListTaskDefinitionFamilies",
        "ecs:RegisterTaskDefinition",
        "ecs:ListTaskDefinitions",
        "ecs:CreateTaskSet",
        "ecs:ListClusters"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:TagKeys": [
            "prefect:flow-id"
          ]
        }
      }
    }
  ]
}
In short, you need to update the policy, and it should solve the issue. Also, you can find additional information in the AWS documentation.

Renzo Becerra
03/23/2021, 11:29 PM

Mariia Kerimova
03/23/2021, 11:39 PM

Renzo Becerra
03/25/2021, 3:47 PM

Mariia Kerimova
03/26/2021, 6:20 PM
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DeleteSecurityGroup",
        "ecs:CreateCluster",
        "ecs:DeleteCluster",
        "ecs:DeregisterTaskDefinition",
        "ecs:DescribeClusters",
        "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks",
        "ecs:ListAccountSettings",
        "ecs:ListClusters",
        "ecs:ListTaskDefinitions",
        "ecs:RegisterTaskDefinition",
        "ecs:RunTask",
        "ecs:StopTask",
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfiles",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:ListRoleTags",
        "iam:TagRole",
        "logs:DescribeLogGroups",
        "logs:GetLogEvents"
      ],
      "Resource": "*"
    }
  ]
}