Creating a manually-provisioned Amazon Elastic Container Services agent#

This guide is applicable to Dagster Cloud.

In this guide, you'll manually set up and deploy an Amazon Elastic Container Service (ECS) agent. Amazon ECS agents are used to launch user code in ECS tasks.

This method of setting up an Amazon ECS agent is a good option if you're comfortable with infrastructure management and want to fully define your agent.

Prerequisites#

To complete the steps in this guide, you'll need:

In Dagster Cloud:
- Your organization and deployment names.
- Permissions in Dagster Cloud that allow you to manage agent tokens. Refer to the User permissions documentation for more info.
Permissions in Amazon Web Services (AWS) that allow you to:
- Create and configure ECS services.
- Create and configure IAM roles.
Familiarity with infrastructure management and tooling.

Step 1: Generate a Dagster Cloud agent token#

In this step, you'll generate a token for the Dagster Cloud agent. The Dagster Cloud agent will use this to authenticate to the agent API.

Sign in to your Dagster Cloud instance.
Click the user menu (your icon) > Cloud settings.
In the Cloud settings page, click the Configure tokens tab.
Click the + Create agent token button.
After the token has been created, click Reveal token.

Keep the token somewhere handy - you'll need it to complete the setup.

Step 2: Create ECS IAM roles#

To successfully run your ECS agent, you'll need to have the following IAM roles in your AWS account:

Task execution IAM role - This role allows ECS to interact with AWS resources on your behalf, such as pulling an image from ECR or pushing logs to CloudWatch.
Amazon publishes a managed policy called AmazonECSTaskExecutionRolePolicy with the required permissions. Refer to the AWS docs for more info about creating this role.

Task IAM role - This role allows the containers running in the ECS task to interact with AWS.

When creating this role, include the permissions required to describe and launch ECS tasks. For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ecs:CreateService",
        "ecs:DeleteService",
        "ecs:DescribeServices",
        "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks",
        "ecs:ListAccountSettings",
        "ecs:ListServices",
        "ecs:ListTagsForResource",
        "ecs:ListTasks",
        "ecs:RegisterTaskDefinition",
        "ecs:RunTask",
        "ecs:StopTask",
        "ecs:TagResource",
        "ecs:UpdateService",
        "iam:PassRole",
        "logs:GetLogEvents",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:ListSecrets",
        "servicediscovery:CreateService",
        "servicediscovery:DeleteService",
        "servicediscovery:ListServices",
        "servicediscovery:GetNamespace",
        "servicediscovery:ListTagsForResource",
        "servicediscovery:TagResource"
      ],
      "Resource": "*"
    }
  ]
}

You can also include any additional permissions required to run your ops, such as permissions to interact with an S3 bucket.

Note: Both roles must include a trust relationship that allows ECS to use them:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Step 3: Create an ECS service#

Create an ECS service to run the agent. You can do this in the Amazon ECS console or via the CreateService API.
Use the official dagster/dagster-cloud-agent image as the service's Task definition. This image can be used as-is or as a base layer for your own image.
Add a configured dagster.yaml file to your container. You can do this by:
- Building it into your image
- Mounting a volume, or
- Echoing it to a file in your task definition's command before starting the agent
Refer to the ECS configuration reference for more info about the required fields.

Amazon ECS configuration reference#

This section describes the properties of the dagster.yaml configuration file used by Amazon ECS agents.

instance_class:
  module: dagster_cloud
  class: DagsterCloudAgentInstance

dagster_cloud_api:
  agent_token:
    env: DAGSTER_CLOUD_AGENT_TOKEN
  deployment: <Deployment>

user_code_launcher:
  module: dagster_cloud.workspace.ecs
  class: EcsUserCodeLauncher
  config:
    cluster: <Cluster Name>
    subnets:
      - <Subnet Id 1>
      - <Subnet Id 2>
    service_discovery_namespace_id: <Service Discovery Namespace Id>
    execution_role_arn: <Task Execution Role Arn>
    task_role_arn: <Task Role Arn>
    log_group: <Log Group Name>

dagster_cloud_api properties#

Property	Description
deployment	The name of the Dagster Cloud deployment associated with the agent.

user_code_launcher properties#

Property	Description
config.cluster	The name of an ECS cluster with a Fargate capacity provider.
config.subnets	At least one subnet is required. Fargate tasks require a route to the internet so they can pull images. How this requirement is satisfied depends on the type of subnet provided: Public subnets - The ECS agent will assign each task a public IP address Private subnets - The ECS agent assumes you've configured a NAT gateway with an attached NAT gateway. Tasks will not be assigned a public IP address.
config.service_discovery_namespace_id	The name of a private DNS namespace. The ECS agent launches each user code repository location as its own ECS service. The agent communicates with these services via AWS CloudMap service discovery.
config.execution_role_arn	The ARN of the Amazon ECS task execution IAM role. This role allows ECS to interact with AWS resources on your behalf, such as getting an image from ECR or pushing logs to CloudWatch. Refer to Step 2 of this guide for more info. Note: This role must include a trust relationship that allows ECS to use it.
config.task_role_arn	The ARN of the Amazon ECS task IAM role. This role allows the containers running in the ECS task to interact with AWS. Refer to Step 2 of this guide for more info. Note: This role must include a trust relationship that allows ECS to use it.
config.log_group	The name of a CloudWatch log group.

Next steps#

Now that you've got your agent running, what's next?

If you're getting Dagster Cloud set up, the next step is to add a code location using the agent.
If you're ready to load your Dagster code, refer to the Adding Code to Dagster Cloud guide for more info.