ale
10/05/2020, 1:49 PM
FargateTaskEnvironment(
    taskRoleArn=ETL_TASK_ROLE_ARN,  # ARN of the task role
    executionRoleArn=ETL_EXECUTION_ROLE_ARN  # ARN of the execution role
)
But I get the following error back from the Agent:
An error occurred (ClientException) when calling the RegisterTaskDefinition operation: Fargate requires task definition to have execution role ARN to support ECR images
Any suggestions?
Spencer
10/05/2020, 2:36 PM
ale
10/05/2020, 2:51 PM
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
- Sid: ResourceAllItems
Effect: Allow
Action:
- tag:Get*
- logs:PutLogEvents
- logs:CreateLogStream
- logs:CreateLogGroup
- events:PutTargets
- events:PutRule
- events:DescribeRule
- ecs:StopTask
- ecs:RegisterTaskDefinition
- ecs:Describe*
- ecr:GetDownloadUrlForLayer
- ecr:GetAuthorizationToken
- ecr:BatchGetImage
- ecr:BatchCheckLayerAvailability
- ec2:DescribeSubnets
Resource: '*'
Spencer
10/05/2020, 3:01 PM
executionRoleArn has been given to the agent's configuration? (This is different from the executionRoleArn used to run the agent, if running it on Fargate)
ale
10/05/2020, 3:14 PM
Spencer
10/05/2020, 3:21 PM
ale
10/05/2020, 3:25 PM
# Prefect Fargate Agent
rAgentTaskRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: 'Allow'
          Principal:
            Service: ['ecs-tasks.amazonaws.com']
          Action: ['sts:AssumeRole']
    Path: /
rAgentTaskRolePolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        - Sid: ResourceAllItems
          Effect: Allow
          Action:
            - tag:Get*
            - logs:PutLogEvents
            - logs:CreateLogStream
            - logs:CreateLogGroup
            - events:PutTargets
            - events:PutRule
            - events:DescribeRule
            - ecs:StopTask
            - ecs:RegisterTaskDefinition
            - ecs:Describe*
            - ecr:GetDownloadUrlForLayer
            - ecr:GetAuthorizationToken
            - ecr:BatchGetImage
            - ecr:BatchCheckLayerAvailability
            - ec2:DescribeSubnets
          Resource: '*'
        - Sid: EcsTaskRun
          Effect: Allow
          Action: ecs:RunTask
          Resource: !Sub arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/*
          Condition:
            ForAllValues:StringEquals:
              aws:TagKeys:
                - PrefectFlowVersion
                - PrefectFlowId
        - Sid: IamPassRole
          Effect: Allow
          Action: iam:PassRole
          Resource: '*'
    Roles:
      - !Ref rAgentTaskRole
rAgentTaskDefinition:
  Type: 'AWS::ECS::TaskDefinition'
  Metadata:
    cfn-lint:
      config:
        ignore_checks:
          - E1029
  Properties:
    TaskRoleArn: !Ref 'rAgentTaskRole'
    Family: !Sub '${pEnvironment}-prefect-agent'
    ContainerDefinitions:
      - Name: 'agent'
        Essential: true
        Command: ['prefect', 'agent', 'start', 'fargate', '--verbose', 'enable_task_revisions=true']
        Image: !Sub
          - 'prefecthq/prefect:${version}'
          - version: !If [ cIsPrefectServerVersionLatest, 'all_extras', !Sub 'all_extras-${pPrefectServerVersion}' ]
        MemoryReservation: 128
        Environment:
          - Name: PREFECT__CLOUD__API
            Value: '<obfuscated>'
          - Name: PREFECT__BACKEND
            Value: 'server'
          - Name: REGION_NAME
            Value: !Ref AWS::Region
          - Name: networkConfiguration
            Value: !Sub
              - '{"awsvpcConfiguration": {"assignPublicIp": "ENABLED", "subnets": ["${subnets}"], "securityGroups": ["${securityGroups}"]}}'
              - subnets: !Join ['","', !Ref pFargateSubnetIds]
                securityGroups: !Join ['","', !Ref pFargateSecurityGroupIds]
          - Name: cpu
            Value: 256
          - Name: memory
            Value: 1024
        LogConfiguration:
          LogDriver: 'awslogs'
          Options:
            awslogs-group: !Ref 'rAppLogsGroup'
            awslogs-region: !Ref 'AWS::Region'
            awslogs-stream-prefix: 'prefect-agent'
    Tags:
      - Key: 'Name'
        Value: !Sub '${pEnvironment}-prefect-agent'
      - Key: 'ApplicationVersion'
        Value: !Ref 'pApplicationVersion'
rAgentEcsService:
  Type: 'AWS::ECS::Service'
  Properties:
    Cluster: !Ref 'pEcsCluster'
    DesiredCount: 1
    TaskDefinition: !Ref 'rAgentTaskDefinition'
    PropagateTags: 'TASK_DEFINITION'
    EnableECSManagedTags: true
    DeploymentConfiguration:
      MaximumPercent: 200
      MinimumHealthyPercent: 100
    PlacementStrategies:
      - Type: 'spread'
        Field: 'attribute:ecs.availability-zone'
    Tags:
      - Key: 'Name'
        Value: !Sub '${pEnvironment}-prefect-agent'
      - Key: 'ApplicationVersion'
        Value: !Ref 'pApplicationVersion'
Spencer
10/05/2020, 3:29 PM
ale
10/05/2020, 3:46 PM
Spencer
10/05/2020, 5:13 PM
ale
10/05/2020, 6:46 PM
Giacomo Consonni
10/05/2020, 8:21 PM
rExecutionRole:
  Type: 'AWS::IAM::Role'
  Properties:
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
    AssumeRolePolicyDocument:
      Statement:
        - Effect: 'Allow'
          Principal:
            Service: ['ecs-tasks.amazonaws.com']
          Action: ['sts:AssumeRole']
    Path: /
The AmazonECSTaskExecutionRolePolicy grants these permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
]
}
Starting a flow results in this error:
An error occurred (ClientException) when calling the RegisterTaskDefinition operation: Fargate requires task definition to have execution role ARN to support ECR images.
Looking at Cloudtrail the only thing I can see is:
{
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAWENMXISUN465BMEDP:b52b5f006e154dc7afdda3f63c7c2861",
"arn": "arn:aws:sts::421805900968:assumed-role/stage-safelake-etl-rAgentTaskRole-1JTX5S73405MQ/b52b5f006e154dc7afdda3f63c7c2861",
"accountId": "421805900968",
"accessKeyId": "ASIAWENMXISUJJFUMP5K",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAWENMXISUN465BMEDP",
"arn": "arn:aws:iam::421805900968:role/stage-safelake-etl-rAgentTaskRole-1JTX5S73405MQ",
"accountId": "421805900968",
"userName": "stage-safelake-etl-rAgentTaskRole-1JTX5S73405MQ"
},
"webIdFederationData": {},
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2020-10-05T16:05:00Z"
}
}
},
"eventTime": "2020-10-05T20:12:16Z",
"eventSource": "ecs.amazonaws.com",
"eventName": "RegisterTaskDefinition",
"awsRegion": "us-west-2",
"sourceIPAddress": "52.39.51.8",
"userAgent": "Boto3/1.15.7 Python/3.8.6 Linux/4.14.193-149.317.amzn2.x86_64 exec-env/AWS_ECS_EC2 Botocore/1.18.7",
"errorCode": "ClientException",
"errorMessage": "Fargate requires task definition to have execution role ARN to support ECR images.",
"requestParameters": null,
"responseElements": null,
"requestID": "29e54079-7894-4709-86c7-20961d1135e4",
"eventID": "42558309-7e3b-4990-8f8e-116e5e73b3ee",
"eventType": "AwsApiCall",
"recipientAccountId": "421805900968"
}
But I can't find any call to the RunTask API. It seems to me that during the registration phase of the task neither the execution role ARN nor the task role ARN is correctly registered in the flow definition.
This is the registration script:
import os
import prefect
from prefect import Flow
from prefect.environments.storage import Docker
from prefect.environments.execution import FargateTaskEnvironment
from slugify import slugify

ETL_FLOW_NAME = os.environ["ETL_FLOW_NAME"]
ETL_IMAGE_NAME = os.environ["ETL_IMAGE_NAME"]
ETL_IMAGE_TAG = os.environ["ETL_IMAGE_TAG"]
ETL_PROJECT_NAME = os.environ["ETL_PROJECT_NAME"]
ETL_TASK_ROLE_ARN = os.environ["ETL_TASK_ROLE_ARN"]
ETL_EXECUTION_ROLE_ARN = os.environ["ETL_EXECUTION_ROLE_ARN"]

storage = Docker(
    image_name=ETL_IMAGE_NAME,
    image_tag=ETL_IMAGE_TAG
)

environment = FargateTaskEnvironment(
    cpu="256",
    memory="512",
    taskRoleArn=ETL_TASK_ROLE_ARN,
    executionRoleArn=ETL_EXECUTION_ROLE_ARN,
)


def main():
    # Load the serialized flow, attach the Fargate environment and Docker storage, then register it
    flow = Flow.load(fpath=f"{prefect.context.config.home_dir}/flows/{slugify(ETL_FLOW_NAME)}.prefect")
    flow.environment = environment
    flow.storage = storage
    storage.add_flow(flow=flow)
    flow.register(
        project_name=ETL_PROJECT_NAME,
        build=False
    )


if __name__ == '__main__':
    main()
Spencer
10/05/2020, 8:22 PM
Giacomo Consonni
10/05/2020, 8:22 PM
Spencer
10/05/2020, 8:27 PM
Giacomo Consonni
10/05/2020, 8:30 PM
rAgentTaskDefinition:
  Type: 'AWS::ECS::TaskDefinition'
  Metadata:
    cfn-lint:
      config:
        ignore_checks:
          - E1029
  Properties:
    TaskRoleArn: !Ref 'rAgentTaskRole'
    ExecutionRoleArn: !GetAtt 'rExecutionRole.Arn'
    Family: !Sub '${pEnvironment}-prefect-agent'
    ContainerDefinitions:
      - Name: 'agent'
        Essential: true
        Command: ['prefect', 'agent', 'start', 'fargate', '--verbose', 'enable_task_revisions=true']
        Image: !Sub
          - 'prefecthq/prefect:${version}'
          - version: !If [ cIsPrefectServerVersionLatest, 'all_extras', !Sub 'all_extras-${pPrefectServerVersion}' ]
        MemoryReservation: 128
        Environment:
          - Name: PREFECT__CLOUD__API
            Value: 'https://apollo-prefect-server.srv-stage.cloudacademy.xyz/graphql'
          - Name: PREFECT__BACKEND
            Value: 'server'
          - Name: REGION_NAME
            Value: !Ref AWS::Region
          - Name: executionRoleArn
            Value: !GetAtt 'rExecutionRole.Arn'
          - Name: networkConfiguration
            Value: !Sub
              - '{"awsvpcConfiguration": {"assignPublicIp": "ENABLED", "subnets": ["${subnets}"], "securityGroups": ["${securityGroups}"]}}'
              - subnets: !Join ['","', !Ref pFargateSubnetIds]
                securityGroups: !Join ['","', !Ref pFargateSecurityGroupIds]
          - Name: cpu
            Value: 256
          - Name: memory
            Value: 512
        LogConfiguration:
          LogDriver: 'awslogs'
          Options:
            awslogs-group: !Ref 'rAppLogsGroup'
            awslogs-region: !Ref 'AWS::Region'
            awslogs-stream-prefix: 'prefect-agent'
I added the executionRoleArn environment variable with the same value as the execution role ARN assumed by the agent task. Should I also add the taskRoleArn?
Spencer
10/05/2020, 8:40 PM
Giacomo Consonni
10/05/2020, 8:41 PM
FargateTaskEnvironment handles the 2 parameters, taskRoleArn and executionRoleArn, but are they useless?
Spencer
10/05/2020, 8:41 PM
Giacomo Consonni
10/05/2020, 8:43 PM
Spencer
10/05/2020, 8:43 PM
ecs:RegisterTaskDefinition and ecs:RunTask
Giacomo Consonni
10/05/2020, 8:50 PM