ale
10/05/2020, 1:49 PM
FargateTaskEnvironment(
    taskRoleArn=ETL_TASK_ROLE_ARN,  # ARN of the task role
    executionRoleArn=ETL_EXECUTION_ROLE_ARN  # ARN of the execution role
)
But I get the following error back from the Agent:
An error occurred (ClientException) when calling the RegisterTaskDefinition operation: Fargate requires task definition to have execution role ARN to support ECR images
Any suggestions?
Spencer
10/05/2020, 2:36 PM
ale
10/05/2020, 2:51 PM
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
ale
10/05/2020, 2:55 PM
- Sid: ResourceAllItems
  Effect: Allow
  Action:
    - tag:Get*
    - logs:PutLogEvents
    - logs:CreateLogStream
    - logs:CreateLogGroup
    - events:PutTargets
    - events:PutRule
    - events:DescribeRule
    - ecs:StopTask
    - ecs:RegisterTaskDefinition
    - ecs:Describe*
    - ecr:GetDownloadUrlForLayer
    - ecr:GetAuthorizationToken
    - ecr:BatchGetImage
    - ecr:BatchCheckLayerAvailability
    - ec2:DescribeSubnets
  Resource: '*'
Spencer
10/05/2020, 3:01 PM
Spencer
10/05/2020, 3:01 PM
executionRoleArn has been given to the agent's configuration? (This is different from the executionRoleArn used to run the agent, if running it on Fargate)
ale
10/05/2020, 3:14 PM
ale
10/05/2020, 3:17 PM
Spencer
10/05/2020, 3:21 PM
ale
10/05/2020, 3:25 PM
# Prefect Fargate Agent
rAgentTaskRole:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: 'Allow'
          Principal:
            Service: ['ecs-tasks.amazonaws.com']
          Action: ['sts:AssumeRole']
    Path: /
rAgentTaskRolePolicy:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        - Sid: ResourceAllItems
          Effect: Allow
          Action:
            - tag:Get*
            - logs:PutLogEvents
            - logs:CreateLogStream
            - logs:CreateLogGroup
            - events:PutTargets
            - events:PutRule
            - events:DescribeRule
            - ecs:StopTask
            - ecs:RegisterTaskDefinition
            - ecs:Describe*
            - ecr:GetDownloadUrlForLayer
            - ecr:GetAuthorizationToken
            - ecr:BatchGetImage
            - ecr:BatchCheckLayerAvailability
            - ec2:DescribeSubnets
          Resource: '*'
        - Sid: EcsTaskRun
          Effect: Allow
          Action: ecs:RunTask
          Resource: !Sub arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:task-definition/*
          Condition:
            ForAllValues:StringEquals:
              aws:TagKeys:
                - PrefectFlowVersion
                - PrefectFlowId
        - Sid: IamPassRole
          Effect: Allow
          Action: iam:PassRole
          Resource: '*'
    Roles:
      - !Ref rAgentTaskRole
rAgentTaskDefinition:
  Type: 'AWS::ECS::TaskDefinition'
  Metadata:
    cfn-lint:
      config:
        ignore_checks:
          - E1029
  Properties:
    TaskRoleArn: !Ref 'rAgentTaskRole'
    Family: !Sub '${pEnvironment}-prefect-agent'
    ContainerDefinitions:
      - Name: 'agent'
        Essential: true
        Command: ['prefect', 'agent', 'start', 'fargate', '--verbose', 'enable_task_revisions=true']
        Image: !Sub
          - 'prefecthq/prefect:${version}'
          - version: !If [ cIsPrefectServerVersionLatest, 'all_extras', !Sub 'all_extras-${pPrefectServerVersion}' ]
        MemoryReservation: 128
        Environment:
          - Name: PREFECT__CLOUD__API
            Value: '<obfuscated>'
          - Name: PREFECT__BACKEND
            Value: 'server'
          - Name: REGION_NAME
            Value: !Ref AWS::Region
          - Name: networkConfiguration
            Value: !Sub
              - '{"awsvpcConfiguration": {"assignPublicIp": "ENABLED", "subnets": ["${subnets}"], "securityGroups": ["${securityGroups}"]}}'
              - subnets: !Join ['","', !Ref pFargateSubnetIds]
                securityGroups: !Join ['","', !Ref pFargateSecurityGroupIds]
          - Name: cpu
            Value: 256
          - Name: memory
            Value: 1024
        LogConfiguration:
          LogDriver: 'awslogs'
          Options:
            awslogs-group: !Ref 'rAppLogsGroup'
            awslogs-region: !Ref 'AWS::Region'
            awslogs-stream-prefix: 'prefect-agent'
    Tags:
      - Key: 'Name'
        Value: !Sub '${pEnvironment}-prefect-agent'
      - Key: 'ApplicationVersion'
        Value: !Ref 'pApplicationVersion'
rAgentEcsService:
  Type: 'AWS::ECS::Service'
  Properties:
    Cluster: !Ref 'pEcsCluster'
    DesiredCount: 1
    TaskDefinition: !Ref 'rAgentTaskDefinition'
    PropagateTags: 'TASK_DEFINITION'
    EnableECSManagedTags: true
    DeploymentConfiguration:
      MaximumPercent: 200
      MinimumHealthyPercent: 100
    PlacementStrategies:
      - Type: 'spread'
        Field: 'attribute:ecs.availability-zone'
    Tags:
      - Key: 'Name'
        Value: !Sub '${pEnvironment}-prefect-agent'
      - Key: 'ApplicationVersion'
        Value: !Ref 'pApplicationVersion'
Spencer
10/05/2020, 3:29 PM
Spencer
10/05/2020, 3:34 PM
ale
10/05/2020, 3:46 PM
ale
10/05/2020, 3:53 PM
ale
10/05/2020, 5:09 PM
Spencer
10/05/2020, 5:13 PM
ale
10/05/2020, 6:46 PM
Giacomo Consonni
10/05/2020, 8:21 PM
rExecutionRole:
  Type: 'AWS::IAM::Role'
  Properties:
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
    AssumeRolePolicyDocument:
      Statement:
        - Effect: 'Allow'
          Principal:
            Service: ['ecs-tasks.amazonaws.com']
          Action: ['sts:AssumeRole']
    Path: /
The AmazonECSTaskExecutionRolePolicy grants these permissions:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
Starting a flow results in this error:
An error occurred (ClientException) when calling the RegisterTaskDefinition operation: Fargate requires task definition to have execution role ARN to support ECR images.
Looking at Cloudtrail the only thing I can see is:
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAWENMXISUN465BMEDP:b52b5f006e154dc7afdda3f63c7c2861",
        "arn": "arn:aws:sts::421805900968:assumed-role/stage-safelake-etl-rAgentTaskRole-1JTX5S73405MQ/b52b5f006e154dc7afdda3f63c7c2861",
        "accountId": "421805900968",
        "accessKeyId": "ASIAWENMXISUJJFUMP5K",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAWENMXISUN465BMEDP",
                "arn": "arn:aws:iam::421805900968:role/stage-safelake-etl-rAgentTaskRole-1JTX5S73405MQ",
                "accountId": "421805900968",
                "userName": "stage-safelake-etl-rAgentTaskRole-1JTX5S73405MQ"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2020-10-05T16:05:00Z"
            }
        }
    },
    "eventTime": "2020-10-05T20:12:16Z",
    "eventSource": "ecs.amazonaws.com",
    "eventName": "RegisterTaskDefinition",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "52.39.51.8",
    "userAgent": "Boto3/1.15.7 Python/3.8.6 Linux/4.14.193-149.317.amzn2.x86_64 exec-env/AWS_ECS_EC2 Botocore/1.18.7",
    "errorCode": "ClientException",
    "errorMessage": "Fargate requires task definition to have execution role ARN to support ECR images.",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "29e54079-7894-4709-86c7-20961d1135e4",
    "eventID": "42558309-7e3b-4990-8f8e-116e5e73b3ee",
    "eventType": "AwsApiCall",
    "recipientAccountId": "421805900968"
}
But I can't find any call to the RunTask API. It seems to me that during the registration phase of the task neither the execution role ARN nor the task role ARN are correctly registered in the flow definition.
This is the registration script
Giacomo Consonni
10/05/2020, 8:21 PM
import os
import prefect
from prefect import Flow
from prefect.environments.storage import Docker
from prefect.environments.execution import FargateTaskEnvironment
from slugify import slugify

ETL_FLOW_NAME = os.environ["ETL_FLOW_NAME"]
ETL_IMAGE_NAME = os.environ["ETL_IMAGE_NAME"]
ETL_IMAGE_TAG = os.environ["ETL_IMAGE_TAG"]
ETL_PROJECT_NAME = os.environ["ETL_PROJECT_NAME"]
ETL_TASK_ROLE_ARN = os.environ["ETL_TASK_ROLE_ARN"]
ETL_EXECUTION_ROLE_ARN = os.environ["ETL_EXECUTION_ROLE_ARN"]

# Docker storage pointing at the already-built flow image
storage = Docker(
    image_name=ETL_IMAGE_NAME,
    image_tag=ETL_IMAGE_TAG
)
# Fargate environment carrying the task and execution role ARNs
environment = FargateTaskEnvironment(
    cpu="256",
    memory="512",
    taskRoleArn=ETL_TASK_ROLE_ARN,
    executionRoleArn=ETL_EXECUTION_ROLE_ARN,
)

def main():
    # Load the serialized flow, attach environment and storage, then register without rebuilding the image
    flow = Flow.load(fpath=f"{prefect.context.config.home_dir}/flows/{slugify(ETL_FLOW_NAME)}.prefect")
    flow.environment = environment
    flow.storage = storage
    storage.add_flow(flow=flow)
    flow.register(
        project_name=ETL_PROJECT_NAME,
        build=False
    )

if __name__ == '__main__':
    main()
Spencer
10/05/2020, 8:22 PM
Giacomo Consonni
10/05/2020, 8:22 PM
Giacomo Consonni
10/05/2020, 8:24 PM
Giacomo Consonni
10/05/2020, 8:25 PM
Spencer
10/05/2020, 8:27 PM
Giacomo Consonni
10/05/2020, 8:30 PM
rAgentTaskDefinition:
  Type: 'AWS::ECS::TaskDefinition'
  Metadata:
    cfn-lint:
      config:
        ignore_checks:
          - E1029
  Properties:
    TaskRoleArn: !Ref 'rAgentTaskRole'
    ExecutionRoleArn: !GetAtt 'rExecutionRole.Arn'
    Family: !Sub '${pEnvironment}-prefect-agent'
    ContainerDefinitions:
      - Name: 'agent'
        Essential: true
        Command: ['prefect', 'agent', 'start', 'fargate', '--verbose', 'enable_task_revisions=true']
        Image: !Sub
          - 'prefecthq/prefect:${version}'
          - version: !If [ cIsPrefectServerVersionLatest, 'all_extras', !Sub 'all_extras-${pPrefectServerVersion}' ]
        MemoryReservation: 128
        Environment:
          - Name: PREFECT__CLOUD__API
            Value: 'https://apollo-prefect-server.srv-stage.cloudacademy.xyz/graphql'
          - Name: PREFECT__BACKEND
            Value: 'server'
          - Name: REGION_NAME
            Value: !Ref AWS::Region
          - Name: executionRoleArn
            Value: !GetAtt 'rExecutionRole.Arn'
          - Name: networkConfiguration
            Value: !Sub
              - '{"awsvpcConfiguration": {"assignPublicIp": "ENABLED", "subnets": ["${subnets}"], "securityGroups": ["${securityGroups}"]}}'
              - subnets: !Join ['","', !Ref pFargateSubnetIds]
                securityGroups: !Join ['","', !Ref pFargateSecurityGroupIds]
          - Name: cpu
            Value: 256
          - Name: memory
            Value: 512
        LogConfiguration:
          LogDriver: 'awslogs'
          Options:
            awslogs-group: !Ref 'rAppLogsGroup'
            awslogs-region: !Ref 'AWS::Region'
            awslogs-stream-prefix: 'prefect-agent'
I added the executionRoleArn environment variable with the same value as the execution role ARN assumed by the agent task. Should I also add the taskRoleArn?
Spencer
10/05/2020, 8:40 PM
Giacomo Consonni
10/05/2020, 8:41 PM
FargateTaskEnvironment handles the 2 parameters taskRoleArn and executionRoleArn, but are they useless?
Spencer
10/05/2020, 8:41 PM
Spencer
10/05/2020, 8:42 PM
Spencer
10/05/2020, 8:42 PM
Giacomo Consonni
10/05/2020, 8:43 PM
Spencer
10/05/2020, 8:43 PM
Spencer
10/05/2020, 8:44 PM
Spencer
10/05/2020, 8:44 PM
ecs:RegisterTaskDefinition and ecs:RunTask
Spencer
10/05/2020, 8:45 PM
Spencer
10/05/2020, 8:46 PM
Spencer
10/05/2020, 8:47 PM
Giacomo Consonni
10/05/2020, 8:50 PM