Bring your towel and join one of the fastest growing data communities. Welcome to our second-generation open source orchestration platform, a completely rethought approach to dataflow automation.

Prefect Community

Hi All, I am trying to determine what AWS IAM policies are required for running flows as ECS tasks. If my flow storage is in S3 where would I assign the appropriate role so that the ECSAgent can read them? These are the places I can think of:
• on the server running `prefect agent ecs start` with any of the aws cli ways
• setting `task_role_arn` on either agent start or `ECSRun`
• setting `execution_role_arn` on either agent start or `ECSRun` 
• In the task container
Any insight on the differences of these would also be appreciated.

You'd set `task_role_arn` either on the agent (default for all flow runs started by the agent)  or as part of `ECSRun`.

The difference between `task_role_arn` and `execution_role_arn` is a bit confusing. Task roles are for assigning IAM policies to things the task can do once it starts (e.g. pull from S3). Execution roles are for things AWS needs to start the container (e.g. pull an image from ECR).

Understood. Thank you for taking the time to explain