https://prefect.io logo
Join Slack
Powered by
<@ULVA73B9P> getting this error in prefect docker ...
# ask-marvin
m
@Marvin getting this error in prefect docker worker botocore.exceptions.NoCredentialsError: Unable to locate credentials worker is unable to find credentials , what to do
m
thought for 395.1 seconds
That error is coming from boto3/botocore inside your flow’s Docker container — it can’t find any AWS credentials. With a Prefect Docker work pool, you need to make creds available to the flow-run container. You’ve got a few good options: 1) Use the EC2 instance profile (recommended) - Attach an IAM role to the EC2 instance with the permissions your flows need. - Ensure containers can reach the EC2 metadata service (IMDS) at 169.254.169.254 and that 
AWS_EC2_METADATA_DISABLED
is not set to true. - If you still have trouble, set the Docker job variable 
network_mode: host
so the container shares the host network (often not necessary, but helpful for debugging IMDS). - Quick test from a container on the host:
Copy code
docker run --rm curlimages/curl -sS <http://169.254.169.254/latest/meta-data/iam/security-credentials/>
If that returns a role name, IMDS is reachable. 2) Pass AWS env vars to the flow container - Set AWS environment variables via your work pool or per-deployment job variables: - 
AWS_ACCESS_KEY_ID
- 
AWS_SECRET_ACCESS_KEY
- 
AWS_SESSION_TOKEN
(if using temporary creds) - 
AWS_REGION
or 
AWS_DEFAULT_REGION
(for you: 
ap-southeast-1
) - Example per-deployment using `Flow.deploy`:
Copy code
from prefect import flow

  @flow
  def my_flow():
      ...

  if __name__ == "__main__":
      my_flow.deploy(
          name="my-deploy",
          work_pool_name="docker-pool",
          job_variables={
              "env": {
                  "AWS_REGION": "ap-southeast-1",
                  # Only if using static keys:
                  # "AWS_ACCESS_KEY_ID": "...",
                  # "AWS_SECRET_ACCESS_KEY": "...",
                  # "AWS_SESSION_TOKEN": "...",
              }
          },
      )
- Or via prefect.yaml (used by 
prefect deploy
):
Copy code
deployments:
    - name: my-deploy
      entrypoint: flows/my_flow.py:my_flow
      work_pool:
        name: docker-pool
        job_variables:
          env:
            AWS_REGION: ap-southeast-1
3) Mount your ~/.aws into the container and set a profile - Mount the host credentials/config and set `AWS_PROFILE`:
Copy code
# job variables for a Docker work pool/deployment
  {
    "env": {
      "AWS_PROFILE": "dev",
      "AWS_REGION": "ap-southeast-1"
    },
    "volumes": [
      "/home/ubuntu/.aws:/root/.aws:ro"
    ]
  }
- This works well on a single EC2 host running dev/stage/prod: create three Docker work pools (e.g., dev/stage/prod), mount the same 
~/.aws
folder, and set 
AWS_PROFILE
differently per pool. Where to set job variables - Pool-wide (affects all deployments on the pool): in the Prefect UI, go to Work Pools > your Docker pool > Variables, and set 
env
and 
volumes
. - Per deployment: pass 
job_variables
in 
Flow.deploy(...)
or in 
prefect.yaml
under the deployment’s 
work_pool.job_variables
. Docs for reference: - Customize job variables: Customize job variables (Prefect 3) - Work pools CLI: Work Pools CLI (Prefect 3) A couple of quick checks: - Are you trying to rely on the EC2 instance role, or do you prefer static keys/profile-based auth? - If you’re pulling images from ECR, you’ll also need to configure registry auth (different from runtime AWS creds). Happy to help set that up too. Given your setup (single EC2 in ap-southeast-1, one host for all envs), a clean pattern is: - Create three Docker work pools: dev, stage, prod. - Mount 
/home/ubuntu/.aws:/root/.aws:ro
on each pool. - Set 
AWS_PROFILE
and 
AWS_REGION=ap-southeast-1
per pool. - Keep secrets in 
~/.aws
and not in code.
Open in Slack
PreviousNext
Powered by