# deployment-ecs
l
Hi all, I am still having an extremely hard time getting this deployed on ECS. Any help would be greatly appreciated. The CloudFormation fails to create resources for the postgres and user_code services and then deletes everything, with the following error:
UsercodeService TaskFailedToStart: Resourceinitializationerror: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post "<https://api.ecr.us-east-1.amazonaws.com/>":
I have also created VPC endpoints with the SG and subnets mentioned in the run_launcher config for:
com.amazonaws.us-east-1.ecr.api
com.amazonaws.us-east-1.ecr.dkr
com.amazonaws.us-east-1.secretsmananger
The default VPC (which is what is set here) allows traffic from the IGW.
run_launcher:
  module: "dagster_aws.ecs"
  class: "EcsRunLauncher"
  config:
    run_task_kwargs:
      networkConfiguration:
        awsvpcConfiguration:
          subnets:
            - subnet-xxxxxx
            - subnet-xxxx
          assignPublicIp: true
          securityGroups:
            - vpc-xxxxx
m
My only guess is that your AWS account where the CloudFormation is trying to run is being constrained by network boundaries like egress firewalls. Seems like the CF job is trying to reach out to the ECR API and failing - chalk this up to your environment and not the Dagster setup.
Seems like CF job is also failing to retrieve auth secrets from Secrets Manager, again, probably your environment and not Dagster
Possibly the CF job role is constrained ^
l
maybe. i will check out that role. do you know if there is a way to see more logs about what is happening?
m
cloudwatch logs maybe?
btw, why do you need VPC endpoints for services like com.amazonaws.us-east-1.ecr.api?
l
m
> "In my case granting the IAM privilege secretsmanager:GetSecretValue, along with opening up network access, especially as the ECR I'm trying to reach is in another account, were the keys to solving the issue"
Comment on that same answer is more along the lines of what I'm guessing is going on
But I don't know for sure
l
yes, i'll check that, too. I think that privilege is granted. but worth checking again