Prefect: Users of ECR and the Fargate Agent unable to use AWS Docker auth
Description
Continuing to work on the branch @joshmeek did in https://github.com/PrefectHQ/prefect/pull/2877 (same diagnostics as https://github.com/PrefectHQ/prefect/issues/2875), I came across an invalidation error for not providing Fargate Agent with a repositoryCredentials (with a credentialsParameter).
Missing required parameter in containerDefinitions[0].repositoryCredentials: "credentialsParameter"
Expected Behavior
Despite what the boto3 docs say, I believe this shouldn't be a required field to run. One can see it's not required in the main API (also here).
Because users of ECR should not use credentials like these, auth is handled automatically as long as the task execution role is allowed to use the ECR repo. Amazon covers this in a warning here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html (If your task definition references an image stored in Amazon ECR, this topic does not apply). The auth I mention is covered here.
I tested just altering your fargate/agent.py to remove all settings of repositoryCredentials, dropping the below lines:
- https://github.com/PrefectHQ/prefect/blob/master/src/prefect/agent/fargate/agent.py#L343
- https://github.com/PrefectHQ/prefect/blob/master/src/prefect/agent/fargate/agent.py#L642-L644
And the error went away, proceeding to do the boto call [without errors].
n-batalha
All 2 comments
Thanks for the bug report @n-batalha I'll update the container defs to fix this behavior!
joshmeek
on 29 Jun 2020
@joshmeek thanks for the quick turnaround in these issues!
n-batalha
on 29 Jun 2020
Related issues
jameslamb
路
3Comments
emcake
路
3Comments
gryBox
路
3Comments
joshmeek
路
4Comments
WilliamBurdett
路
3Comments