✅ thought for 383.3 seconds

Short answer: put an AwsCredentials block in your workspace, then reference it in the aws-push work pool’s base_job_template via a block ref. Assuming Prefect 3.x and the prefecthq/prefect Terraform provider: - Create (or reference) an AWS Credentials block (block type slug: aws-credentials). - In your prefect_work_pool resource (type = "aws-push"), set base_job_template so its aws_credentials field is a block reference to that block. Example: create the block and use it in an aws-push pool - Provider docs: - Work pool: https://registry.terraform.io/providers/PrefectHQ/prefect/latest/docs/resources/work_pool - Block document: https://registry.terraform.io/providers/PrefectHQ/prefect/latest/docs/resources/block_document Terraform resource "prefect_block_document" "aws_creds" { name = "my-aws-creds" block_type_slug = "aws-credentials" # Don’t hardcode secrets; use TF variables or a secrets manager data = jsonencode({ aws_access_key_id = var.aws_access_key_id aws_secret_access_key = var.aws_secret_access_key region_name = "us-east-1" # Optional: # aws_session_token = var.aws_session_token # profile_name = "my-aws-profile" }) } resource "prefect_work_pool" "aws_push" { name = "aws-push-pool" type = "aws-push" # The aws-push worker’s job variables support an aws_credentials ref base_job_template = jsonencode({ region_name = "us-east-1" cluster = "my-ecs-cluster" launch_type = "FARGATE" subnets = ["subnet-abc", "subnet-def"] security_groups = ["sg-123456"] assign_public_ip = true # Reference the AWS Credentials block created above aws_credentials = { "$ref" = { block_document_id = prefect_block_document.aws_creds.id # Alternatively, if you prefer to reference by name: # block_document_name = prefect_block_document.aws_creds.name } } }) } Notes - The aws-push worker’s schema supports an aws_credentials field that accepts a block reference. Using block_document_id is the safest; name works if it’s unique in the workspace. - Make sure the prefect-aws collection (which defines the AwsCredentials block type) is available in your Prefect environment; on Prefect Cloud it’s already registered. - Avoid committing plaintext AWS secrets in Terraform; use variables, TF Cloud variables, or a secret manager. If you already have an AWS Credentials block you want to reuse, let me know its name; I can show the minimal work_pool resource referencing it directly. Or, if your org relies on instance roles and doesn’t want static keys, you can create the block with only region_name and profile_name (or even omit the block and rely on the worker’s IAM role), though for push pools Prefect needs credentials server-side to call ECS.

Short answer: yes—two problems. - The work pool type: there is no aws-push. Use ecs:push. You can confirm with: prefect work-pool get-default-base-job-template --type ecs:push - base_job_template must be valid JSON for the ecs:push template. Using jsonencode(...) in Terraform is correct; just make sure the keys match the ecs:push schema and that your block reference is under aws_credentials. Corrected Terraform sketch resource "prefect_block_document" "aws_creds" { name = "my-aws-creds" block_type_slug = "aws-credentials" data = jsonencode({ aws_access_key_id = var.aws_access_key_id aws_secret_access_key = var.aws_secret_access_key region_name = "us-east-1" }) } resource "prefect_work_pool" "ecs_push" { name = "ecs-push-pool" type = "ecs:push" base_job_template = jsonencode({ aws_credentials = { "$ref" = { block_document_id = prefect_block_document.aws_creds.id } } region_name = "us-east-1" cluster = "my-ecs-cluster" launch_type = "FARGATE" subnets = ["subnet-abc", "subnet-def"] security_groups = ["sg-123456"] assign_public_ip = true }) } Tips - Grab the canonical JSON shape you need: prefect work-pool get-default-base-job-template --type ecs:push - Then splice in the aws_credentials $ref as shown above. Docs - Managing work pools: https://docs-3.prefect.io/v3/how-to-guides/deployment_infra/manage-work-pools If you paste your exact HCL, I can validate the structure against the current ecs:push template.

Yes. Two issues, actually. - Wrong pool type: use ecs:push, not aws-push. - The base_job_template must be a JSON object with BOTH top-level keys: job_configuration and variables. Your error shows only a partial job_configuration and no variables key. How to fix it 1) Start from the canonical template so you don’t guess the shape: prefect work-pool get-default-base-job-template --type ecs:push 2) In that JSON, keep job_configuration using the templated value "{{ aws_credentials }}". Put your block reference as the default for the aws_credentials variable under variables.properties. Minimal Terraform example (works with ecs:push) resource "prefect_block_document" "aws_creds" { name = "my-aws-creds" block_type_slug = "aws-credentials" data = jsonencode({ aws_access_key_id = var.aws_access_key_id aws_secret_access_key = var.aws_secret_access_key region_name = "us-east-1" }) } resource "prefect_work_pool" "ecs_push" { name = "ecs-push-pool" type = "ecs:push" # IMPORTANT: must contain "job_configuration" and "variables" base_job_template = jsonencode({ job_configuration = { # Keep the templated reference here aws_credentials = "{{ aws_credentials }}" # ...keep the rest of the defaults; you can paste the full output from the CLI: command = "{{ command }}" env = "{{ env }}" labels = "{{ labels }}" name = "{{ name }}" task_definition = { containerDefinitions = [ { image = "{{ image }}", name = "{{ container_name }}" } ] cpu = "{{ cpu }}" family = "{{ family }}" memory = "{{ memory }}" executionRoleArn = "{{ execution_role_arn }}" } task_run_request = { launchType = "{{ launch_type }}" cluster = "{{ cluster }}" overrides = { containerOverrides = [{ name = "{{ container_name }}" command = "{{ command }}" environment= "{{ env }}" cpu = "{{ cpu }}" memory = "{{ memory }}" }] cpu = "{{ cpu }}" memory = "{{ memory }}" taskRoleArn= "{{ task_role_arn }}" } tags = "{{ labels }}" taskDefinition = "{{ task_definition_arn }}" } network_configuration = "{{ network_configuration }}" configure_cloudwatch_logs = "{{ configure_cloudwatch_logs }}" cloudwatch_logs_options = "{{ cloudwatch_logs_options }}" task_start_timeout_seconds = "{{ task_start_timeout_seconds }}" auto_deregister_task_definition = "{{ auto_deregister_task_definition }}" vpc_id = "{{ vpc_id }}" container_name = "{{ container_name }}" cluster = "{{ cluster }}" }, variables = { description = "Variables for templating an ECS job." type = "object" required = ["aws_credentials"] properties = { # Attach your AWS Credentials block here as the default aws_credentials = { title = "AWS Credentials" type = "object" default = { "$ref" = { block_document_id = prefect_block_document.aws_creds.id } } } # You can also set sane defaults for other variables if you like: cluster = { title = "Cluster", type = "string", default = "my-ecs-cluster" } container_name = { title = "Container Name", type = "string", default = "prefect-job" } launch_type = { title = "Launch Type", type = "string", default = "FARGATE" } network_configuration = { title = "Network config" type = "object" default = { awsvpcConfiguration = {

subnets = ["subnet-abc", "subnet-def"] securityGroups = ["sg-123456"] assignPublicIp = "ENABLED" } } } } } }) } Why this works - Prefect validates that base_job_template has job_configuration and variables. The job_configuration uses templated values, and variables defines their schema and defaults. Putting the block ref into variables.properties.aws_credentials.default is the supported way to bind your AwsCredentials block. Helpful links - Work pool resource: https://registry.terraform.io/providers/PrefectHQ/prefect/latest/docs/resources/work_pool - Block document resource: https://registry.terraform.io/providers/PrefectHQ/prefect/latest/docs/resources/block_document - Manage work pools: https://docs-3.prefect.io/v3/how-to-guides/deployment_infra/manage-work-pools If you paste your current base_job_template JSON, I’ll point out exactly what to move where. I promise only a modest amount of existential dread.