https://prefect.io logo
Title
a

Ashley Felber

11/11/2022, 2:41 PM
Hello, do you have any documentation on the AWS permissions required to 1) use s3 storage block 2) run flows using an ECStask infrastructure block?
t

Tobias

11/11/2022, 2:46 PM
Hi Ashley. It might help you to have a look at this template. Especially the .yml files in
/infrastructure
as they outline the correct persmission structure.
a

Ashley Felber

11/11/2022, 3:50 PM
Thanks, i'm not quite clear on how to use for correct permissions, can you provide a bit more detail?
c

Christopher Boyd

11/11/2022, 4:45 PM
Hi Ashley, what do you mean for AWS permissions? you should be configuring your block with your credentials for a specific user
retrieveItem, and putItem in particular would be necessary to interact with the bucket
a

Ashley Felber

11/11/2022, 4:47 PM
Yes I am going to create a user and use those credentials when configuring the blocks. But I want to understand the permissions the user must have. So for s3 it sounds like retrieveItem and putItem are necessary? Is that all? What about for ECStask?
c

Christopher Boyd

11/11/2022, 4:53 PM
Do you already have an existing service role for your ECS environment, or is this a new setup? Prefect would be using ideally a pre-existing service account used to provision this already
It’s not creating new infrastructure, it’s leveraging existing infrastructure
These should be helpful in the roles, as functionally Prefect is doing exactly what a user would need to do to create a task execution: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using-service-linked-roles.html https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html
a

Ashley Felber

11/11/2022, 8:06 PM
It's not a new set up. We have Fargate tasks running already and the roles set up. I passed along the links for the roles and they said "the service-linked roles and task execution roles are more about the permissions that the containers themselves need to have." So again, that's all set up. We're trying to create a new user, whose credentials can be used in the ECStask and s3 blocks, that has the minimum permissions required. Our Eng team asked me to find our the specific permission required for that user. My understanding of AWS permissions is not great so apologies if i'm not following or asking the question correctly.