# dagster-ecs
mrdavidlaing

08/08/2021, 9:09 AM
👋 all you dagster+ECS froods. I'm looking for some advice on how to use the dagster-ecs deployment with a `s3_*_io_manager`.
After following the guide at https://github.com/dagster-io/dagster/tree/0.12.5/examples/deploy_ecs my pipeline kept failing with:
```
botocore.exceptions.ClientError: An error occurred (403) when calling the HeadBucket operation: Forbidden
```
I was able to fix this issue by adding the following set of role permissions to the `daemon.x-aws-role` section of `docker-compose.yml`:
```yaml
# Bucket-level permissions
- Effect: "Allow"
  Action:
    - "s3:ListBucket"
    - "s3:GetBucketLocation"
  Resource:
    - "arn:aws:s3:::$BUCKETNAME"
# Object-level permissions
- Effect: "Allow"
  Action:
    - "s3:GetObject"
    - "s3:PutObject"
  Resource:
    - "arn:aws:s3:::$BUCKETNAME/*"
```
Is this the "correct" way to address this issue, or should I be doing something else?
Josh Lloyd

08/09/2021, 1:21 PM
that would have been my first guess
jordan

08/09/2021, 2:04 PM
Yeah, if you’re using the docker compose for everything else, attaching policies this way would be a good way to go. You’ve perhaps already discovered the official docker compose ECS docs but in case you haven’t seen them yet: https://docs.docker.com/cloud/ecs-integration/#iam-roles
mrdavidlaing

08/09/2021, 6:13 PM
Thanks! (I wish I’d found those docs before I derived my yaml from first principles :)