Hey Everyone I was doing some cleanup on the metaflow cloudf Outerbounds #dev-metaflow

Hey Everyone, I was doing some cleanup on the meta...

damp-lizard-48279

07/01/2021, 10:52 PM

Hey Everyone, I was doing some cleanup on the metaflow cloudformation template, I came across this Role called

ECSRole

defined here https://github.com/Netflix/metaflow-tools/blob/24d0ef0228c3a7bcf9e75e0aa791e76bd091c2e3/aws/cloudformation/metaflow-cfn-template.yml#L222. I don’t see this being used anywhere. Is my understanding correct? And if yes, can we get rid of this?

✅ 1

straight-shampoo-11124

07/01/2021, 11:08 PM

@purple-engineer-56290 can you share context about it?

purple-engineer-56290

07/02/2021, 12:19 AM

This is anecdotal, but ECSRole seems to be a holdover from an old best-practice in ECS Cloudformation templates to create the "service linked role" required for ECS, as (apparently) there were some situations where it either wouldn't get created, or certain types of environments needed extended permissions for the ECS service.

purple-engineer-56290

07/02/2021, 12:23 AM

Most (if not all) of those permissions have been roled into the automatic 'AWSServiceRoleForECS' service-linked role, which now gets linked automagically the same way most service roles do nowadays.

purple-engineer-56290

07/02/2021, 12:26 AM

It's probably safe to remove it, but when we originally pulled over the ECS-endorsed templates to build for Metaflow, it just seemed harmless to leave it alone since the service principal is ecs.amazonaws.com and it already has all those permissions via the service-linked role anyway.

👍 1

damp-lizard-48279

07/02/2021, 3:50 AM

Thanks @purple-engineer-56290 for the detailed background. That makes sense. In that case I’ll remove that. I have tested it out by creating a new Metaflow env without that role and everything seems to be running fine. I’ll do some cleanups and raise a PR

2 Views

Open in Slack

Previous Next