ecs
typed work pool are executed as ECS tasks. Only Prefect ECS workers can poll an ecs
typed work pool.
When the ECS worker receives a scheduled flow run from the ECS work pool it is polling, it spins up the specified infrastructure on AWS ECS. The worker knows to build an ECS task definition for each flow run based on the configuration specified in the work pool.
Once the flow run completes, the ECS containers of the cluster are spun down to a single container that continues to run the Prefect worker. This worker continues polling for work from the Prefect work pool.
If you specify a task definition ARN (Amazon Resource Name) in the work pool, the worker will use that ARN when spinning up the ECS Task, rather than creating a task definition from the fields supplied in the work pool configuration.
You can use either EC2 or Fargate as the capacity provider. Fargate simplifies initiation, but lengthens infrastructure setup time for each flow run. Using EC2 for the ECS cluster can reduce setup time. In this example, we will show how to use Fargate.
What if I don't have an ECS cluster?
my-ecs-pool
:PREFECT_API_KEY
) or Basic Auth string (PREFECT_API_AUTH_STRING
) to the Prefect API. As a security best practice, we recommend you store your Prefect API key in AWS Secrets Manager or Systems Manager Parameter Store.
Find your secret
Prefect Cloud - Paid Plans
Prefect Cloud - Free Plans
Self-hosted Prefect server
PREFECT_API_KEY
in a self-hosted Prefect server.Instead, you use the PREFECT_API_AUTH_STRING
containing your basic auth credentials (if your server uses basic authentication).You can find this information on the Settings page for your Prefect server.Create a secret
aws secretsmanager create-secret
command:ecsTaskExecutionRole
: This role will be used by ECS to start ECS tasks.ecsTaskRole
: This role will contain the permissions required by Prefect ECS worker in order to run your flows as ECS tasks.trust-policy.json
:
Create the role
aws iam create-role
command:Create the Secret Policy
secret-policy.json
:Using a customer-managed key (CMK)?
kms:Decrypt
permission to the policy. For example:Register the policy
ecsTaskExecutionPolicy
using the policy document you just created.Attach the Policies
AmazonECSTaskExecutionRolePolicy
managed policy grants the minimum permissions necessary for starting ECS tasks. See here for other common execution role permissions.Attach this policy to your task execution role using the aws iam attach-role-policy
:Create the role
Create the task policy
worker-policy.json
:Register the policy
ecsTaskPolicy
using the policy document you just created.Attach policy to the role
ecsTaskPolicy
to the ecsTaskRole
so that the Prefect worker can dispatch flows to ECS:<your-account-id>
with your AWS account ID.Create flow run IAM role
Create the role
Create the task policy
prefect-demo-bucket
. Save this policy to a file, such as runner-task-policy.json
:Register the policy
PrefectECSRunnerTaskPolicy
using the policy document you just created:Attach policy to the role
PrefectECSRunnerTaskPolicy
IAM policy to the PrefectECSRunnerTaskRole
IAM role:<your-account-id>
with your AWS account ID.Add Task Role ARN to the work pool
PrefectECSRunnerTaskRole
to your ECS work pool.This can be configured two ways:task_role_arn
job variable in the deployment configuration.Create the task definition
<ecs-task-execution-role-arn>
with the ARN of the ecsTaskExecutionRole
you created in Step 2.Finding your ECS Task Execution Role ARN
ecsTaskExecutionRole
using the following command:<ecs-task-role-arn>
with the ARN of the ecsTaskRole
you created in Step 2.Finding your ECS Task Role ARN
ecsTaskRole
using the following command:<prefect-api-url>
with the URL of your Prefect Server.Finding your PREFECT_API_URL
Using the CLI
For Prefect Cloud
<aws-arn-of-secret>
with the ARN of the resource from Secrets Manager or Systems Manager Parameter Store.Finding your Secret ARN
Secrets Manager
Systems Manager Parameter Store
Self-hosted Prefect server
PREFECT_API_KEY
is not used with a self-hosted Prefect server, you will need to replace the PREFECT_API_KEY
environment variable in the task definition secrets with PREFECT_API_AUTH_STRING
.task-definition.json
:Register task definition
register-task-definition
command:task-definition.json
with the name of your task definition file.Create the ECS service
<ecs-cluster>
with the name of your ECS cluster.<task-definition-arn>
with the ARN of the task definition you just registered.<subnet-ids>
with a comma-separated list of your VPC subnet IDs.<security-group-ids>
with a comma-separated list of your VPC security group IDs.Get default VPC info
vpc-abcdef01
) of the default VPC, which you can use in the next steps in this section.To find the subnets associated with the default VPC:subnet-12345678 subnet-23456789
).Finally, we will need the security group ID for the default VPC:sg-12345678
) of the default security group.Copy the subnet IDs and security group ID for use in Step 3.aws ecs create-service
command to create an ECS service running on Fargate for the Prefect worker:Verify the Prefect worker is running
Write a simple test flow
Create an ECR repository
aws ecr create-repository
command to create an ECR repository. The name you choose for your repository will be reused in the next step when defining your Prefect deployment.Create a `prefect.yaml` file
prefect.yaml
file with the following specification:Deploy the flow
Run!
PREFECT_API_URL
and PREFECT_API_KEY
environment variables are set correctly in the task definition.PREFECT_API_KEY
from the example with PREFECT_API_AUTH_STRING
in the task definition.CPU
?Launch Type
speed up your flow run execution?