Run flows on serverless compute

Install the AWS CLI, authenticate with your AWS account, and set a default region.

If you already have the AWS CLI installed, be sure to update to the latest version.

You will need the following permissions in your authenticated AWS account:

IAM Permissions:

• iam:CreatePolicy
• iam:GetPolicy
• iam:ListPolicies
• iam:CreateUser
• iam:GetUser
• iam:AttachUserPolicy
• iam:CreateRole
• iam:GetRole
• iam:AttachRolePolicy
• iam:ListRoles
• iam:PassRole

Amazon ECS Permissions:

• ecs:CreateCluster
• ecs:DescribeClusters

Amazon EC2 Permissions:

• ec2:CreateVpc
• ec2:DescribeVpcs
• ec2:CreateInternetGateway
• ec2:AttachInternetGateway
• ec2:CreateRouteTable
• ec2:CreateRoute
• ec2:CreateSecurityGroup
• ec2:DescribeSubnets
• ec2:CreateSubnet
• ec2:DescribeAvailabilityZones
• ec2:AuthorizeSecurityGroupIngress
• ec2:AuthorizeSecurityGroupEgress

Amazon ECR Permissions:

• ecr:CreateRepository
• ecr:DescribeRepositories
• ecr:GetAuthorizationToken

If you want to use AWS managed policies, you can use the following:

• AmazonECS_FullAccess
• AmazonEC2FullAccess
• IAMFullAccess
• AmazonEC2ContainerRegistryFullAccess

The above policies give you all the permissions needed, but are more permissive than necessary.

Docker is also required to build and push images to your registry.

Install the Azure CLI and authenticate with your Azure account.

If you already have the Azure CLI installed, be sure to update to the latest version with az upgrade.

You will also need the following roles in your Azure subscription:

• Contributor
• User Access Administrator
• Application Administrator
• Managed Identity Operator
• Azure Container Registry Contributor

Docker is also required to build and push images to your registry. You can install Docker here.

Install the gcloud CLI and authenticate with your GCP project.

If you already have the gcloud CLI installed, be sure to update to the latest version with gcloud components update.

You will also need the following permissions in your GCP project:

• resourcemanager.projects.list
• serviceusage.services.enable
• iam.serviceAccounts.create
• iam.serviceAccountKeys.create
• resourcemanager.projects.setIamPolicy
• artifactregistry.repositories.create

Docker is also required to build and push images to your registry. You can install Docker here.

Install modal by running:

pip install modal

Create a Modal API token by running:

modal token new

See Run flows on Modal for more details.

Install coiled by running:

pip install coiled prefect-coiled

Create a Coiled API token by running:

coiled login

Connect Coiled to your cloud account by running

coiled setup

or by navigating to cloud.coiled.io/get-started

prefect work-pool create --type ecs:push --provision-infra my-ecs-pool

The --provision-infra flag automatically sets up your default AWS account to execute flows with ECS tasks. In your AWS account, this command creates a new IAM user, IAM policy, and ECS cluster that uses AWS Fargate, VPC, and ECR repository (if they don’t already exist). In your Prefect workspace, this command creates an AWSCredentials block for storing the generated credentials.

Here’s an abbreviated example output from running the command:

_____________________________________________________________________________________________
| Provisioning infrastructure for your work pool my-ecs-pool will require:                   |
|                                                                                            |
|          - Creating an IAM user for managing ECS tasks: prefect-ecs-user                   |
|          - Creating and attaching an IAM policy for managing ECS tasks: prefect-ecs-policy |
|          - Storing generated AWS credentials in a block                                    |
|          - Creating an ECS cluster for running Prefect flows: prefect-ecs-cluster          |
|          - Creating a VPC with CIDR 172.31.0.0/16 for running ECS tasks: prefect-ecs-vpc   |
|          - Creating an ECR repository for storing Prefect images: prefect-flows            |
_____________________________________________________________________________________________
Proceed with infrastructure provisioning? [y/n]: y
Provisioning IAM user
Creating IAM policy
Generating AWS credentials
Creating AWS credentials block
Provisioning ECS cluster
Provisioning VPC
Creating internet gateway
Setting up subnets
Setting up security group
Provisioning ECR repository
Authenticating with ECR
Setting default Docker build namespace
Provisioning Infrastructure ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Infrastructure successfully provisioned!
Created work pool 'my-ecs-pool'!

While the default namespace is set, you do not need to provide the registry URL when building images as part of your deployment process.

To take advantage of this, you can write your deploy scripts like this:

from prefect import flow
from prefect.docker import DockerImage

@flow(log_prints=True)            
def my_flow(name: str = "world"):                          
    print(f"Hello {name}! I'm a flow running in a ECS task!") 


if __name__ == "__main__":
    my_flow.deploy(
        name="my-deployment", 
        work_pool_name="my-work-pool",
        image=DockerImage(                                                 
            name="my-repository:latest",
            platform="linux/amd64",
        )                                                                      
    )       

This builds an image with the tag <ecr-registry-url>/my-image:latest and push it to the registry.

Your image name needs to match the name of the repository created with your work pool. You can create new repositories in the ECR console.

prefect work-pool create --type azure-container-instance:push --provision-infra my-aci-pool

The --provision-infra flag automatically sets up your default Azure account to execute flows through Azure Container Instances. In your Azure account, this command creates a resource group, app registration, service account with necessary permission, generates a secret for the app registration, and creates an Azure Container Registry, (if they don’t already exist). In your Prefect workspace, this command creates an AzureContainerInstanceCredentials block to store the client secret value from the generated secret.

Here’s an abbreviated example output from running the command:

_____________________________________________________________________________________________
| Provisioning infrastructure for your work pool my-aci-work-pool will require:             |
|                                                                                           |
|     Updates in subscription Azure subscription 1                                          |
|                                                                                           |
|         - Create a resource group in location eastus                                      |
|         - Create an app registration in Azure AD prefect-aci-push-pool-app                |
|         - Create/use a service principal for app registration                             |
|         - Generate a secret for app registration                                          |
|         - Create an Azure Container Registry with prefix prefect                           |
|         - Create an identity prefect-acr-identity to allow access to the created registry |
|         - Assign Contributor role to service account                                      |
|         - Create an ACR registry for image hosting                                        |
|         - Create an identity for Azure Container Instance to allow access to the registry |
|                                                                                           |
|     Updates in Prefect workspace                                                          |
|                                                                                           |
|         - Create Azure Container Instance credentials block aci-push-pool-credentials     |
|                                                                                           |
_____________________________________________________________________________________________
Proceed with infrastructure provisioning? [y/n]:     
Creating resource group
Creating app registration
Generating secret for app registration
Creating ACI credentials block
ACI credentials block 'aci-push-pool-credentials' created in Prefect Cloud
Assigning Contributor role to service account
Creating Azure Container Registry
Creating identity
Provisioning infrastructure... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Infrastructure successfully provisioned for 'my-aci-work-pool' work pool!
Created work pool 'my-aci-work-pool'!

While the default namespace is set, any images you build without specifying a registry or username/organization are pushed to the registry.

To use this capability, write your deploy scripts like this:

from prefect import flow
from prefect.docker import DockerImage                                


@flow(log_prints=True)                                                         
def my_flow(name: str = "world"):
    print(f"Hello {name}! I'm a flow running on an Azure Container Instance!") 


if __name__ == "__main__":
    my_flow.deploy(                                                            
        name="my-deployment",
        work_pool_name="my-work-pool",                                    
        image=DockerImage(                                                 
            name="my-image:latest",                                       
            platform="linux/amd64",                                            
        )                                                                 
    )       

This builds an image with the tag <acr-registry-url>/my-image:latest and pushes it to the registry.

prefect work-pool create --type cloud-run:push --provision-infra my-cloud-run-pool 

The --provision-infra flag allows you to select a GCP project to use for your work pool and automatically configures it to execute flows through Cloud Run. In your GCP project, this command activates the Cloud Run API, creates a service account, and creates a key for the service account, (if they don’t already exist). In your Prefect workspace, this command creates a GCPCredentials block to store the service account key.

Here’s an abbreviated example output from running the command:

____________________________________________________________________________________________________________
| Provisioning infrastructure for your work pool my-cloud-run-pool will require:                           |
|                                                                                                          |
|     Updates in GCP project central-kit-405415 in region us-central1                                      |
|                                                                                                          |
|         - Activate the Cloud Run API for your project                                                    |
|         - Activate the Artifact Registry API for your project                                            |
|         - Create an Artifact Registry repository named prefect-images                                    |
|         - Create a service account for managing Cloud Run jobs: prefect-cloud-run                        |
|             - Service account will be granted the following roles:                                       |
|                 - Service Account User                                                                   |
|                 - Cloud Run Developer                                                                    |
|         - Create a key for service account prefect-cloud-run                                             |
|                                                                                                          |
|     Updates in Prefect workspace                                                                         |
|                                                                                                          |
|         - Create GCP credentials block my--pool-push-pool-credentials to store the service account key   |
|                                                                                                          |
____________________________________________________________________________________________________________
Proceed with infrastructure provisioning? [y/n]: y
Activating Cloud Run API
Activating Artifact Registry API
Creating Artifact Registry repository
Configuring authentication to Artifact Registry
Setting default Docker build namespace
Creating service account
Assigning roles to service account
Creating service account key
Creating GCP credentials block
Provisioning Infrastructure ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Infrastructure successfully provisioned!
Created work pool 'my-cloud-run-pool'!

While the default namespace is set, any images you build without specifying a registry or username/organization are pushed to the repository.

To use this capability, write your deploy scripts like this:

from prefect import flow                                                       
from prefect.docker import DockerImage                                


@flow(log_prints=True)
def my_flow(name: str = "world"):
    print(f"Hello {name}! I'm a flow running on Cloud Run!")


if __name__ == "__main__":                                                     
    my_flow.deploy(                                                            
        name="my-deployment",
        work_pool_name="above-ground",
        image=DockerImage(
            name="my-image:latest",
            platform="linux/amd64",
        )
    )

This builds an image with the tag <region>-docker.pkg.dev/<project>/<repository-name>/my-image:latest and pushes it to the repository.

prefect work-pool create --type modal:push --provision-infra my-modal-pool 

Using the --provision-infra flag triggers the creation of a ModalCredentials block in your Prefect Cloud workspace. This block stores your Modal API token, which authenticates with Modal’s API. By default, the token for your current Modal profile is used for the new ModalCredentials block. If Prefect is unable to discover a Modal API token for your current profile, you will be prompted to create a new one.

prefect work-pool create --type coiled:push --provision-infra my-coiled-pool 

Using the --provision-infra flag triggers the creation of a CoiledCredentials block in your Prefect Cloud workspace. This block stores your Coiled API token, which authenticates with Coiled’s API.

To push work to ECS, AWS credentials are required.

Create a user and attach the AmazonECS_FullAccess permissions.

From that user’s page, create credentials and store them somewhere safe for use in the next section.

To push work to Azure, you need an Azure subscription, resource group, and tenant secret.

Create Subscription and Resource Group

1. In the Azure portal, create a subscription.
2. Create a resource group within your subscription.

Create App Registration

1. In the Azure portal, create an app registration.
2. In the app registration, create a client secret. Copy the value and store it somewhere safe.

Add App Registration to Resource Group

1. Navigate to the resource group you created earlier.
2. Choose the “Access control (IAM)” blade in the left-hand side menu. Click ”+ Add” button at the top, then “Add role assignment”.
3. Go to the “Privileged administrator roles” tab, click on “Contributor”, then click “Next” at the bottom of the page.
4. Click on ”+ Select members”. Type the name of the app registration (otherwise it may not autopopulate) and click to add it. Then hit “Select” and click “Next”. The default permissions associated with a role like “Contributor” may not be sufficient for all operations related to Azure Container Instances (ACI). The specific permissions required depend on the operations you need to perform (like creating, running, and deleting ACI container groups) and your organization’s security policies. In some cases, additional permissions or custom roles are necessary.
5. Click “Review + assign” to finish.

You need a GCP service account and an API Key to push work to Cloud Run.

Create a service account by navigating to the service accounts page and clicking Create. Name and describe your service account, and click continue to configure permissions.

The service account must have two roles at a minimum: Cloud Run Developer and Service Account User.

Once you create the Service account, navigate to its Keys page to add an API key. Create a JSON type key, download it, and store it somewhere safe for use in the next section.

You need a Modal API token to push work to Modal.

Navigate to Settings in the Modal UI to create a Modal API token. In the API Tokens section of the Settings page, click New Token.

Copy the token ID and token secret and store them somewhere safe for use in the next section.

You need a Coiled API token to push work to Coiled.

In the Coiled UI click on your avatar and select Profile. Then press the Create API Token button and copy the result. You will need it in the next section.

Navigate to the blocks page, click create new block, and select AWS Credentials for the type.

For use in a push work pool, set the region, access key, and access key secret.

Provide any other optional information and create your block.

Navigate to the blocks page and click the ”+” at the top to create a new block. Find the Azure Container Instance Credentials block and click “Add +”.

Locate the client ID and tenant ID on your app registration and use the client secret you saved earlier. Make sure the value of the secret, not the secret ID.

Provide any other optional information and click “Create”.

Navigate to the blocks page, click create new block, and select GCP Credentials for the type.

For use in a push work pool, this block must have the contents of the JSON key stored in the Service Account Info field, as such:

Provide any other optional information and create your block.

Navigate to the blocks page, click create new block, and select Modal Credentials for the type.

For use in a push work pool, this block must have the token ID and token secret stored in the Token ID and Token Secret fields, respectively.

Navigate to the blocks page, click create new block, and select Coiled Credentials for the type. Provide the API token from the previous section.

Each step has several optional fields that are detailed in the work pools documentation. Select the block you created under the AWS Credentials field. This allows Prefect Cloud to securely interact with your ECS cluster.

Fill in the subscription ID and resource group name from the resource group you created.
Add the Azure Container Instance Credentials block you created in the step above.

Each step has several optional fields that are detailed in Manage infrastructure with work pools. Select the block you created under the GCP Credentials field. This allows Prefect Cloud to securely interact with your GCP project.

Each step has several optional fields that are detailed in the work pools documentation. Select the block you created under the Modal Credentials field. This allows Prefect Cloud to securely interact with your Modal account.

Each step has several optional fields that are detailed in the work pools documentation. Select the block you created under the Coiled Credentials field. This allows Prefect Cloud to securely interact with your Coiled account.