This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

ECSTask - Cannot specify a VPC that is owned by another AWS account #112

Closed
rudeb0y opened this issue Sep 21, 2022 · 5 comments · Fixed by #120

Comments

@rudeb0y

rudeb0y commented Sep 21, 2022

Using ECSTask - If I leave VPC Id configuration out of the infra block, then the tasks will run in the default VPC.

However for a managed VPC - if I set that id, the agent reports the following botocore error:

botocore.errorfactory.InvalidParameterException:
An error occurred (InvalidParameterException) when calling the RunTask operation: 
At least one security group must be supplied when specifying subnets that are owned by a different account.

There is no way to configure the security group/subnets currently in 2.4.0 - which was possible in Prefect 1 through run_task_kwargs.

Ideally, I'd like to use the existing VPC by configuring the security group and subnets.

@anna-geller
Contributor

Cross-account permissions are generally difficult. I'm curious, why do you need to trigger a run on a different account? Do you have an option to execute ECSTask using an IAM user from the same AWS account?

Typically, I see AWS accounts being used to separate environments, so I'd expect you would have one account for production and perhaps another for development, and the ECS tasks would be triggered by an agent running in the same account.

@anna-geller
Contributor

I asked, and it looks like we'll add patches of run task kwargs, allowing you to do that very similarly to 1.0.

@zanieb
Contributor

zanieb commented Sep 21, 2022

Just to check, is there a way we can detect the security groups when we inspect the VPC?

@anna-geller
Contributor

No, security groups are independent of VPCs and subnets, users would need to specify it on run_task_kwargs, or we could allow providing this in the same way as we do with launchType:

"networkConfiguration": {
   "awsvpcConfiguration": {
      "assignPublicIp": "string",
      "securityGroups": [ "string" ],
      "subnets": [ "string" ]
   }
},

@wfclark5

Having the ability to set run_task_kwargs would also allow for ephemeral storage on Fargate tasks. https://docs.aws.amazon.com/AmazonECS/latest/developerguide/fargate-task-storage.html
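
An added example, not part of the original thread and not Prefect's code: one way to patch user-supplied `run_task_kwargs` over a base RunTask request and check the `awsvpcConfiguration` locally before the call, so a missing security group fails early rather than as an `InvalidParameterException`. The function names, the base request and the subnet and security group ids are constructed for illustration; requiring a security group for every explicit subnet list and defaulting `assignPublicIp` to `DISABLED` are assumptions of this example.

```python
import copy

MAX_SUBNETS = 16         # ECS limit per awsvpcConfiguration
MAX_SECURITY_GROUPS = 5  # ECS limit per awsvpcConfiguration


def deep_merge(base, patch):
    """Copy base and apply patch: nested dicts merge, any other value replaces."""
    merged = copy.deepcopy(base)
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def validate_network(request):
    """Reject a request locally instead of waiting for RunTask to refuse it."""
    vpc = request.get("networkConfiguration", {}).get("awsvpcConfiguration")
    if vpc is None:
        return request  # no explicit network configuration to check
    subnets = vpc.get("subnets") or []
    groups = vpc.get("securityGroups") or []
    if not 1 <= len(subnets) <= MAX_SUBNETS:
        raise ValueError(f"expected 1-{MAX_SUBNETS} subnets, got {len(subnets)}")
    # Assumption: stricter than the API, which raised the error in this issue
    # only for subnets owned by a different account.
    if not 1 <= len(groups) <= MAX_SECURITY_GROUPS:
        raise ValueError(f"expected 1-{MAX_SECURITY_GROUPS} security groups, got {len(groups)}")
    # Assumption: default to no public IP unless the caller opts in.
    if vpc.setdefault("assignPublicIp", "DISABLED") not in ("ENABLED", "DISABLED"):
        raise ValueError("assignPublicIp must be ENABLED or DISABLED")
    return request


def build_run_task_request(base, run_task_kwargs):
    """Hypothetical helper: patch user kwargs over defaults, then validate."""
    return validate_network(deep_merge(base, run_task_kwargs))


# Constructed sample values, not taken from the issue.
BASE = {"cluster": "example-cluster", "taskDefinition": "example-task:1",
        "launchType": "FARGATE"}
SHARED_VPC = {"networkConfiguration": {"awsvpcConfiguration": {
    "subnets": ["subnet-0aaaaaaaaaaaaaaa1"],
    "securityGroups": ["sg-0bbbbbbbbbbbbbbb1"]}}}

if __name__ == "__main__":
    print(build_run_task_request(BASE, SHARED_VPC))
```

The returned dictionary has the shape boto3's ECS `run_task` accepts as keyword arguments; the same merge carries other overrides, such as `overrides.ephemeralStorage.sizeInGiB` for the Fargate storage case mentioned above.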
