Channels
#prefect-community
Title
# prefect-community
d
Darragh
07/14/2020, 8:27 AMHey guys, does anyone have any experience using the FargateTaskEnvironment? Specifically the aws_sesison_token, having problems getting AWs to accept it, I keep getting the following error:
Failed to load and execute Flow's environment: ClientError('An error occurred (UnrecognizedClientException) when calling the RegisterTaskDefinition operation: The security token included in the request is invalid') Copy code
flow.environment = FargateTaskEnvironment(
launch_type="FARGATE",
region="us-east-1",
aws_session_token="FwoGZXIvYXdzEOL//////////wEaDFSgRMmr3M07yXJ3gCKCAdZO6f/LRZc6b7DjDip0lrTvCa+FDQpFAGJEyB6Ka1tF9By3fTgKkbqSM6EnuHQgTEviQJrOn13E7wlvKKVV1++YGaa3gb1Pn9q12BxCN7I6SvQ8oBW9AE73Judo0tuYTdTc5eYC7m2PaYU/d5fkRIj29EJWp9EpO3+yq/S1saxiGvYosKGy+AUyKBOOerH4ymGN9lxo/5aprU5DXumyaC6yg2satDNNoUdPaSBQ2R8fNq0=",
cpu="256",
memory="512",
enable_task_revisions="True",
....
....
)z
Zachary Hughes
07/14/2020, 1:07 PMHi @Darragh, are you able to use the session token to create a task definition manually? Trying to drill down into whether the issue is on the token/AWS IAM side or the Prefect side.
d
Darragh
07/14/2020, 1:47 PMHey @Zachary Hughes Couple of interesting points on that:
• Creating a manual task definition doesn’t seem to require a session token at all
• When I create a TaskDefinition using the 2 images I’m trying to build into my Prefect Flow and run it manually they both run
• The TaskDefinition created by Prefect apparently can’t use the Fargate launch type? Screenshot below.
FargateTakEnvironment code
z
Zachary Hughes
07/14/2020, 2:22 PMWhen you say that creating a task definition doesn't seem to require a session token, is there any chance your local environment is falling back on stored AWS credentials or local config?
d
Darragh
07/14/2020, 2:42 PMCreating a TaskDefintion, manually in AWS console, doesn’t require a session token, so it shouldn’t be anything to do with the local env…
The Prefect docs seem to suggest the session token is needed but I’m not seeing why?
z
Zachary Hughes
07/14/2020, 3:09 PMAh, okay. I presumed that since AWS probably handles most of the IAM when interacting through the console, you were working using boto3.
From my understanding, you might not need the session token. The environment accepts all forms of auth that boto3 does, and session tokens are generally used for temporary access. I'd recommend giving this a shot without the aws_session_token and seeing how it behaves.
d
Darragh
07/14/2020, 4:32 PMYeah I tried that previously @Zachary Hughes, this is what I got:
Failed to load and execute Flow's environment: ParamValidationError('Parameter validation failed:\nMissing required parameter in input: "taskDefinition"')z
Zachary Hughes
07/14/2020, 5:04 PMOkay, gotcha. Just wrapped up reading through the previous thread about this, so hopefully I've got a bit more context to help with now. How are you creating this token? The fact that it's saying the token is invalid rather than malformed makes me think it might be expired.
Alternatively, I'd expect to be able to provide something other than an
aws_session_tokend
Darragh
07/14/2020, 5:08 PMIt sholdn’t have been expired, as I created manually just before testing, but always possible.
Could you confirm whether or not the
aws_session_tokenz
Zachary Hughes
07/14/2020, 5:10 PMChecking the documentation and the code itself, I don't think it should be required. So if just removing that value throws the error you posted, I think it's definitely unintentional.
d
Darragh
07/14/2020, 5:21 PMOk thanks - so with that last error above,
Missing required parameterz
Zachary Hughes
07/14/2020, 5:21 PMI'm not sure if this is the culprit or tangential, but it looks like you're not passing a
taskDefinitiontaskDefinitionfamilyLooks like
Missing required parameterIs this error being raised by the agent? If so, we pull the
familytask_definition_nametaskDefinitiond
Darragh
07/14/2020, 5:41 PMIt’s being raised in the UI as the Flow status, so my guess is the agent.
Testing the taskDefinition change now, good catch 👍
👍 1
Well this is a new and very unwelcome development…
Failed to load and execute Flow's environment: InvalidParameterException('An error occurred (InvalidParameterException) when calling the RunTask operation: Task definition does not support launch_type FARGATE.')z
Zachary Hughes
07/14/2020, 6:55 PMThat's definitely unanticipated. I think the answer is probably "yes," but the default value for
launch_typelaunch_typeIt's also super unlikely, but what version of the AWS CLI are you running? If it's out of date, that could explain the inability to accept FARGATE as a launch type.
d
Darragh
07/14/2020, 7:03 PMI was on 1.16, upgrading now to test…
Leaving the launch type out of the config didn’t make any difference
👍 1
Upgrade didn’t solve it either, still the same error
z
Zachary Hughes
07/14/2020, 7:53 PMDoing some digging here-- not 100% sure what could be happening on the AWS end to prompt this error.
A lot of the
Task definition does not support launch_type FARGATErequiresCompatibilitieslaunch_typerequiresCompatibilitiesd
Darragh
07/14/2020, 8:04 PMIs requireCompatabilties on the agent or the Flow environment, or both?
z
Zachary Hughes
07/14/2020, 8:07 PMIt's on both. As long as you haven't overriden the agent's
launch_typerequiresCompatibilitiesd
Darragh
07/14/2020, 8:10 PMlaunch_type is FARGATE on the agent, so should I change?
Still same error either way
z
Zachary Hughes
07/14/2020, 8:25 PMNope, your agent sounds good-- you'd want to update that field on the environment. But you're still seeing this even with the environment's
requiresCompatibilitiesd
Darragh
07/14/2020, 9:46 PMYeah just double checked there, still the same error with
requiresCompatibilitiesz
Zachary Hughes
07/14/2020, 10:19 PMThat is very, very strange. If you're able to, I'd try putting some breakpoints or print statements around this line to see what's going on on the agent side of this:
https://github.com/PrefectHQ/prefect/blob/master/src/prefect/agent/fargate/agent.py#L670-L675
and this line if you're interested in the environment side of this:
https://github.com/PrefectHQ/prefect/blob/master/src/prefect/environments/execution/fargate/fargate_task.py#L271
Barring that, it would be useful to see if you can recreate this issue using pure boto3. The issue appears to be on the AWS side, but it doesn't appear to be raising a particularly informative error.
d
Darragh
07/14/2020, 10:54 PMPrint statements I can do, but breakpoints on an agent running on ec2 could be tricky 😁
With respect to trying with ours boto - I'm not sure what would prove, from a user perspective? I've tried doing a manual task definition with 2 containers ( which is all I'm trying to prove right now) and that works on Fargate, but not with when i define it as prefect Fargate task ...
I'll try the print statements tomorrow as it's hitting midnight now. Thanks for all the help @Zachary Hughes!!
So, new and interesting things to report @Zachary Hughes! Question the first though, cos I may have made a massively stupid assumption.
I I’m using FargateTaskEnvironment, what agent should I be using?
z
Zachary Hughes
07/15/2020, 4:34 PMI'd anticipate you using a Fargate agent!
d
Darragh
07/15/2020, 4:39 PMAnd you would be correct! HOWEVER. Strange and interesting things happen , due to what’s possibly a dodgy config on my part. I had a containerDefintions section in my agent config, and when I added logging to the lines you pointed out above, I got the following back:
Untitled
The resposne from
boto3.register_task_definitionBut to make it extra painful, when I remove the containerDefinitions section from my agent, I now don’t get the debug response output from my agent at all. I’m wondering is there some funky combination of configs between my agent and the environment thats causing the problem…?
And the output from the
run_taskUntitled
Neither of those json chunks show any hint of the 2nd container defined in my flow
z
Zachary Hughes
07/15/2020, 5:14 PMYou mentioned that when you remove
containerDefinitionsd
Darragh
07/15/2020, 5:40 PMYeah still the same error,
Task definition does not support launch_type FARGATE.')z
Zachary Hughes
07/15/2020, 6:58 PMI think the interaction between the agent's configuration and the environment's configuration could explain why you're not seeing the second container defined in your flow, but it still doesn't explain the
Task definition does not support launch_type FARGATErequiresCompatibilitiesStop me if you've already tried this, but can you create and run any Fargate tasks on your cluster?
d
Darragh
07/15/2020, 7:22 PMYeah it’s odd. I’ve no issues creating other Fargate tasks , in fact I can scale out a bunch of parallell cloned flows on up to 100 nodes, but that’s using the
FargateAgentLocalEnvironment(executor=LocalExecutor())I’ll try ping it off AWS support, see if they can dig into where the request is going wrong. Their internal diagnostics tend to be pretty good, so I’ve got the fingers crossed 🙂
z
Zachary Hughes
07/15/2020, 7:37 PMYeah. Sorry I can't be of more assistance, but the config you're providing to boto3 looks like it should work.
g
Greg Desmarais
07/20/2020, 5:03 PMHey @Darragh - did you ever get your config working? Would you be willing to share the client side (executir/environment, etc.) and agent setup? I was also wondering if you were working with an existing cluster or setting one up dynamically. And if the former, are you in the default cluster or a different one?
tia...
d
Darragh
07/20/2020, 5:58 PMHey @Greg Desmarais haven't gotten a resolution on it yet, I need to push it to AWS support this evening and see if they can shed any light. If I get anyhting back I'll post it and share!
Hey @Zachary Hughes Back on this again. I’ve added logging output for all of the args that get passed to the boto3 client, and it doesn’t look like the containers I configure in my FargateTaskExecution are being passed along. Here’s a whole chonk of output that might be useful to you… I’m holding off passing to AWS Support until we know definitively if the issue is on me/us or them
fargate agent output
I can’t see any mention of the 2 containers in there anywhere, despite being named in the flow…
FargateTaskExecution
z
Zachary Hughes
07/20/2020, 8:55 PMHmm, that's a bit odd. Is this still failing with the error about Fargate not being supported? I notice that
requiresCompatibilitiesd
Darragh
07/20/2020, 9:49 PMYeah sane error
z
Zachary Hughes
07/20/2020, 9:52 PMHm. Given what I've read about that error, that feels like something wonky on the AWS side to me. I'm not 100% sure about the rest of it, but I'm fairly certain your code shouldn't be failing in that particular manner.
g
Greg Desmarais
07/21/2020, 4:11 AMThanks for getting back, @Darragh. I've gotten close, but it is with a log of debugging of the agent and trial and error of parameter names. At this point, I have moved on to working towards a different approach to clustering (with prefect).
d
Darragh
07/21/2020, 9:13 PMQuick update guys, no answer back from AWS yet, but I did notice something I should’ve spotted before. My Flow configuration uses FartgateTaskEnvironment, and adds 2 containers in
containerDefinitionstaskDefinitiontaskDefinitionmy-flowmy-flowparallell-collectormy-flowz
Zachary Hughes
07/22/2020, 3:31 PMHi Darragh, apologies for the delay in response. To be honest, I'm not sure what your task definitions should look like. If you're up for inspecting your Prefect environment, you can try something along the lines of
Copy code
flow.environment = FargateTaskEnvironment(...)
flow.environment.setup(flow)
flow.environment.execute(flow)d
Darragh
07/22/2020, 8:48 PM@Zachary Hughes Wow, instant fail came back out of that one!! Using your suggestion I got the following:
Traceback (most recent call last):File "flowRunner.py", line 44, in <module>python_dependencies=args.python_dependencies, execution=args.execution)File "./definitions/data/parallell/collector/parallellCollector.py", line 109, in mainflow.environment.execute(flow)File "/Users/Darragh/.pyenv/versions/3.6.10/lib/python3.6/site-packages/prefect/environments/execution/fargate/fargate_task.py", line 309, in execute**self.task_run_kwargs,File "/Users/Darragh/.pyenv/versions/3.6.10/lib/python3.6/site-packages/botocore/client.py", line 316, in _api_callreturn self._make_api_call(operation_name, kwargs)File "/Users/Darragh/.pyenv/versions/3.6.10/lib/python3.6/site-packages/botocore/client.py", line 635, in _make_api_callraise error_class(parsed_response, operation_name)botocore.errorfactory.InvalidParameterException: An error occurred (InvalidParameterException) when calling the RunTask operation: Task definition does not support launch_type FARGATE.Hey @Zachary Hughes I know I keep bugging you about this stuff, is there anyone in the group who’s an expert on the FargateTaskEnvironment? Might be able to get me sorted and stop me annoying you with questions 🙂
g
Greg Desmarais
07/23/2020, 5:42 PMHey @Darragh - I ended up bailing on the Fargate approach. I found too many issues that I had to battle, and in the end we will want to do some things with our images that the ec2 instances use in the cluster (mounting nfs/efs, etc.). I'm sorry - I got close, but failed, and bailed.
d
Darragh
07/23/2020, 5:47 PMHey @Greg Desmarais Yeah I’m close to that point too, it’s causing me all kinds of pain. I’d still like to make it work as it satisfies our use case better, but if it comes to it then the bail is the only way
z
Zachary Hughes
07/23/2020, 5:58 PMHi @Darragh, absolutely not bugging! I've been pinging some of these questions off the team, so there's a bit of collective Fargate knowledge being surfaced here. That said, with this
Task definition does not support launch_typeg
Greg Desmarais
07/23/2020, 6:03 PMOk @Darragh - let me give more than a cursory look at the error...
Where is your prefect server and agent running?
I ask because including aws creds implies that the process creating the cluster is not operating with an assumed role./
I had ended up putting my server infrastructure on an ec2 with an assigned role, that role had the policies needed to create clusters (I just went with ECS full). That way I avoided the authorization/token/etc. work all together.
I did have some intermediate work where I had to use an identity (creds/token), and I used code like this:
Copy code
def get_aws_credentials() -> tuple:
"""
Retrieve the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY and return as a tuple
:return: tuple of AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
"""
home = os.path.expanduser("~")
creds_path = os.path.join(home, '.aws/credentials')
if not os.path.isfile(creds_path):
raise ValueError(f'You must have a configured ~/.aws/credentials file - see '
f'<https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html>')
config = configparser.ConfigParser()
try:
config.read(creds_path)
except Exception as ex:
logger.warning(f'Unable to read {creds_path}, are permissions correct?')
raise ex
return config['default'].get('aws_access_key_id'), config['default'].get('aws_secret_access_key')
def set_aws_credentials_env():
key_id, key = get_aws_credentials()
os.environ['AWS_ACCESS_KEY_ID'] = key_id
os.environ['AWS_SECRET_ACCESS_KEY'] = key
os.environ['REGION_NAME'] = DEFAULT_REGIONLastly, I have my server startup scripts that query the amazon environment for some settings, and in those queries I get an API token. I don't know if that is of any use to you:
Copy code
TOKEN=`curl -s -X PUT "<http://169.254.169.254/latest/api/token>" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"`
EC2_IP=`curl -s -H "X-aws-ec2-metadata-token: $TOKEN" <http://169.254.169.254/latest/meta-data/local-ipv4>`d
Darragh
07/23/2020, 6:49 PMHey Greg, thanks for that! I think our issues were slightly different. I don’t need to create a session token [so far anyway…] the problem is more that there’s some sort of config mismatch between my agent and environment, but there doesn’t seem to be any useful debug I can pull to see what’s happening… That being said, Zach’s last pointer enabled me to get the same error building the flow locally as I do on fargate.
Unfortunately none of these things are explaining to me why my flow is creating 2 task definitions rather than the 1 I requested 🙂
g
Greg Desmarais
07/23/2020, 6:55 PMWell...sorry it wasn't of much use 🤷
d
Darragh
07/23/2020, 6:57 PMThanks @Zachary Hughes I think at this point what I really need is a working example from the Prefect side of how the fargate agent and environment are supposed to work and what pieces of the seemingly common config need to be passed to each one. If I could get that then I’d be able to piece together what’s going on with my one.
Aside from the
launch_type FARGATE@Greg Desmarais No that was definitely helpful , I may well end up following you down that same route 🙂
I’m debugging my way through the boto client code at the moment, and somewhere along the way it’s being told to use
launchType=FARGATE@Zachary Hughes I found the problem. launchType is hardcoded in the FargateTask.
Copy code
def __init__( # type: ignore
self,
launch_type: str = "FARGATE",
aws_access_key_id: str = None,
aws_secret_access_key: str = None,
aws_session_token: str = None,
region_name: str = None,
executor: "prefect.engine.executors.Executor" = None,
executor_kwargs: dict = None,
labels: List[str] = None,
on_start: Callable = None,
on_exit: Callable = None,
metadata: dict = None,
**kwargs,
) -> None:
self.launch_type = launch_type
# Not serialized, only stored on the object
self.aws_access_key_id = aws_access_key_id or os.getenv("AWS_ACCESS_KEY_ID")
self.aws_secret_access_key = aws_secret_access_key or os.getenv(
"AWS_SECRET_ACCESS_KEY"
)
self.aws_session_token = aws_session_token or os.getenv("AWS_SESSION_TOKEN")
self.region_name = region_name or os.getenv("REGION_NAME")z
Zachary Hughes
07/23/2020, 7:20 PMOkay, got it. Apologies if I'm missing something, but wouldn't you still want Fargate as the launch type regardless?
d
Darragh
07/23/2020, 7:22 PMI do, but the problem I’ve been having is that amazon is continually responding with the launch_type error. Removing it from the code might at least let me progress past this issue and see what other problems might be in the config
z
Zachary Hughes
07/23/2020, 7:34 PMOkay, solid! Since the Fargate Task Environment was designed to have that value hardcoded, I can't guarantee how it'll behave with it removed. But if you want to fork/branch Prefect and see how it operates with that removed, I'd be curious to hear the results.