This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

allow define only aws region name through AwsCredentials #350

Closed
1 task
sergioshev opened this issue Dec 5, 2023 · 1 comment

@sergioshev

Expectation / Proposal

It would be very helpful to be able to define only the region name via the AwsCredentials config, preserving the rest of the authentication data.

Traceback / Example

We run into an issue when the ECS worker is not able to deploy an ECS task into a private subnet only.
Scenario:

  1. The ECS Worker is running within a docker instance in an ECS cluster with an IAM executor role with all permissions set.
  2. No special authentication data was defined since we rely on the IAM role.
  3. The ECS worker's authentication with Prefect Cloud is correct and working.
  4. We have a pull-based work pool set up.
  5. We define a custom network with an explicit definition of private subnets for ECS tasks for server-less flow execution.
  6. AWS has no default VPCs.

If we do not specify any subnets for ECS task, all is going correctly, the task is placed on any available subnet from the VPC, and completes successfully. The problem comes when we define a custom network configuration and explicitly request to place the task in a private subnet. And we get the following error:

Subnets ['subnet-XXX', 'subnet-YYY'] not found within VPC with ID vpc-IDIDID.Please check that VPC is associated with supplied subnets

The subnets/VPC are correct, subnets are associated with the VPC. The error message comes from github.dev/PrefectHQ/prefect-aws/blob/6865af76b7f0a0555eefc63fce41721fcf827407/prefect_aws/workers/ecs_worker.py#L1382.

Seems like the ECS Worker tries to validate the custom network configuration against the VPC subnets, and fails.
I suspect the problem might come from the fact that the VPC is not a default one and we need to specify the aws-region. If I request the subnets via aws-cli and query in the same way prefect does, without specifying the region, the list is empty. Providing the region, the list is correct. It would be nice to have a way to "force"/"configure" prefect to use a particular region only.

I tried it via aws-credentials defining only the region and I get:

Client error '422 Unprocessable Entity' for url 'https://api.prefect.cloud/api/accounts/ACCOUT_ID/workspaces/WORKSPACE/work_pools/ 
Response: {'exception_message': 'Invalid request received.', 'exception_detail': [{'loc': ['body', 'base_job_template'], 'msg': "Validation failed for field 'aws_credentials.aws_access_key_id'. Failure reason: None is not of type 'string'", 'type': 'value_error'}]

Creating an env var AWS_DEFAULT_REGION in the container seems to not have any effect.
I'm unable to confirm if it is really being used. As far as I can see, at https://github.com/PrefectHQ/prefect-aws/blob/main/prefect_aws/credentials.py#L99 a boto3 session is instantiated, and it takes precedence over env vars or ~/.aws/config, as per the boto3 docs: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials
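
A diagnostic for checking which region setting would be in effect inside the worker container, added here as an example (it is not code from this issue or from prefect-aws). It mirrors the order in which botocore looks up a region: an explicit `region_name`, then `AWS_DEFAULT_REGION`, then the `region` key of the active profile in the shared config file. `resolve_region` and `write_sample_config` are hypothetical helper names, and the config file contents are constructed sample data.

```python
import configparser
import os
import tempfile


def resolve_region(explicit=None, env=None, config_path=None):
    """Return (region, source) in the order botocore consults them:
    explicit region_name, AWS_DEFAULT_REGION, then the active profile's
    `region` key in the shared config file."""
    env = os.environ if env is None else env
    if explicit:
        return explicit, "explicit region_name"
    if env.get("AWS_DEFAULT_REGION"):
        return env["AWS_DEFAULT_REGION"], "env AWS_DEFAULT_REGION"
    path = (config_path or env.get("AWS_CONFIG_FILE")
            or os.path.expanduser("~/.aws/config"))
    profile = env.get("AWS_PROFILE", "default")
    # Non-default profiles are stored as "[profile NAME]" in the config file.
    section = "default" if profile == "default" else f"profile {profile}"
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)  # a missing file is ignored, leaving no sections
    if parser.has_option(section, "region"):
        return parser.get(section, "region"), f"config file [{section}]"
    # With no region from any source, botocore raises NoRegionError
    # when a client for a regional service is created.
    return None, "unresolved"


def write_sample_config(directory):
    """Write a constructed shared config file and return its path."""
    path = os.path.join(directory, "config")
    with open(path, "w") as fh:
        fh.write("[default]\nregion = eu-west-1\n\n"
                 "[profile worker]\nregion = us-east-2\n")
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        cfg = write_sample_config(tmp)
        cases = [
            ("us-west-2", {"AWS_DEFAULT_REGION": "eu-central-1"}),
            (None, {"AWS_DEFAULT_REGION": "eu-central-1"}),
            (None, {"AWS_PROFILE": "worker"}),
            (None, {}),
        ]
        for explicit, env in cases:
            print(explicit, env, "->", resolve_region(explicit, env, cfg))
```

Called with no arguments inside the container, `resolve_region()` reads the real process environment and `~/.aws/config`.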

@sergioshev

Closing this issue; it was related to an already solved bug, #321.
