Hi All, I am trying to determine what AWS IAM policies are required for running flows as ECS tasks. If my flow storage is in S3 where would I assign the appropriate role so that the ECSAgent can read them? These are the places I can think of:
• on the server running `prefect agent ecs start` with any of the aws cli ways
• setting `task_role_arn` on either agent start or `ECSRun`
• setting `execution_role_arn` on either agent start or `ECSRun`
• In the task container
Any insight on the differences of these would also be appreciated.
Jim Crist-Harif
02/02/2021, 5:45 PM
You'd set `task_role_arn` either on the agent (default for all flow runs started by the agent) or as part of `ECSRun`.
Jim Crist-Harif
02/02/2021, 5:46 PM
The difference between `task_role_arn` and `execution_role_arn` is a bit confusing. Task roles are for assigning IAM policies to things the task can do once it starts (e.g. pull from S3). Execution roles are for things AWS needs to start the container (e.g. pull an image from ECR).
Jan Marais
02/02/2021, 5:46 PM
Thanks for the speedy reply!
Jan Marais
02/02/2021, 5:47 PM
Understood. Thank you for taking the time to explain