# dev-metaflow
I was a little confused about this line in the CloudFormation template: https://github.com/Netflix/metaflow-tools/blob/master/aws/cloudformation/metaflow-cfn-template.yml#L1167. It's part of the `custom_access_policy`, which is given to `BatchExecutionRole`. Why do we give `ecs:CreateCluster` and `ecs:DeleteCluster` to that policy?
@purple-engineer-56290 can you assist?
Lol, you've got fantastic timing, this role is going to be generally unnecessary soon due to this little chestnut recently released by the Batch team: https://aws.amazon.com/about-aws/whats-new/2021/04/aws-batch-simplifies-permissions-introducing-service-linked-roles/
In short, the answer is "_it has to do with the way that AWS service control planes communicate with resources in your account._"
In long, what's happening here is that AWS Batch as a service uses ECS as the runtime for its jobs. ECS is in your account, AWS Batch's control-plane magic is not. To create a compute environment, AWS Batch requires permission to spin up an ECS cluster in your account, and we originally had to create a role per this documentation that lets Batch do its thing. The trust principal on the role is '_Service: [batch.amazonaws.com]'_, so it's just saying that the Batch service is allowed to do those things when you make API calls against it.
BatchExecutionRole is kind of a terrible name now that I think about it, but hindsight is 20/20. 🙂
As of now, though, Batch is using the infamous AWS "Service-Linked Roles", which you probably have a dozen of already in IAM under the `AWSServiceRoleFor<service>` naming convention. They're nice because they're automatically generated the first time you use an AWS service, and contain all the necessary permissions without the pain of needing to make the role yourself. Hooray!