ECS Instance for running Ersilia Models

[GemmaTuron]

We will start by setting up an ECS instance to run an Ersilia Model

• [x] Share permissions needed for the IAM user (@sucksido )
• [x] Create IAM user (@GemmaTuron )
• [x] Build ECS instance to run MW model (eos3b5e) @sucksido
• [ ] Stress test (thinking of ~ 30 users submitting 1000 molecules to the model) @sucksido
• [ ] Develop easy streamlit app @miquelduranfrigola
• [ ] Write 1 pager summary concepts for users @JHlozek

[sucksido]

Hi @GemmaTuron ,

These are the permissions that I will need assigned for me to deploy docker containers into AWS ECS.

AmazonEC2ContainerServiceFullAccess AmazonEC2ContainerRegistryReadOnly AmazonEC2ContainerRegistryPowerUser IAM role with permissions for ECS tasks

Will advise once I need any additional access once i've stared working on it. Ta!

[sucksido]

Hi @GemmaTuron , I am currently getting this error when i try to create a new task definition:

[sucksido]

and this one when I try to create an ECS instance:

[sucksido]

I need access to the following policies:

"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:eu-central-1:443413310934:instance/*"

"Effect": "Allow",
"Action": "iam:GetRole",
"Resource": "arn:aws:iam::443413310934:role/ecsTaskExecutionRole"

"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:eu-central-1:443413310934:subnet/*"

[GemmaTuron]

Hi @sucksido

I shared with you a list of the available ec2 policies for IAM users. Please let me know which ones I should activate. If we need a custom policy please describe the steps here

[sucksido]

@GemmaTuron Cool, i will re-look at the roles and advise

[sucksido]

I have all the permission I need for now, busy setting up task definition, services and cluster, I have have EC2 instances triggering but can access the public URL as yet, working on getting that to work, attached is the JSON file of what I defined in the task definition. eos3b5eTest001-revision2.json

[sucksido]

@GemmaTuron , I need access to the following which will allow me to look at the logs white the task is running: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:GetLogEvents", "Resource": "arn:aws:logs:eu-central-1:443413310934:log-group:/ecs/eos3b5eTest001:log-stream:*" } ] }

[sucksido]

[GemmaTuron]

Hi @sucksido

Please make sure the resource field is correct. If I add what you have said it seems it will only have access to this one ecs/eos3b5eTest001 ? shouldn't this be across account?

[sucksido]

@GemmaTuron agreed, the access should across not just to this cluster. This is the updated code: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:GetLogEvents", "Resource": "arn:aws:logs:eu-central-1:443413310934:log-group:/ecs/*:log-stream:*" } ] }

[GemmaTuron]

seems something is not right, it pops this message when I try to add it This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition.

[sucksido]

it seems like it might be formatting issue, lets try this one: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "logs:GetLogEvents", "Resource": [ "arn:aws:logs:eu-central-1:443413310934:log-group:/ecs/*", "arn:aws:logs:eu-central-1:443413310934:log-group:/ecs/*:log-stream:*" ] } ] }

[GemmaTuron]

Hello @sucksido the warning is still the same - please make sure to revise the policy

[sucksido]

Hi @GemmaTuron , let me do that now

[sucksido]

@GemmaTuron hope this works: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html

[GemmaTuron]

This seems to work, I've added the policy!

[sucksido]

Thanks, it seems like we are still missing another rule/policy, logs still not loading on my end:

[sucksido]

eos3b5e-task-revision1.json New Task Definition File

[GemmaTuron]

Hi @sucksido sorry I do not understand this last Json file. Is it a rule?

[sucksido]

@GemmaTuron not it's not a rule but JSON used to create task definitions, just saving it here in case i need it in future

[sucksido]

@GemmaTuron for the new policy, we can use try { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams" ], "Resource": [ "arn:aws:logs:*:*:*" ] } ] }

[sucksido]

ECS instsnce running:

[GemmaTuron]

Update:

• eos3b5e deployed in an ECS instance
• Stress testing: python script that will send multiple requests to the model
• Fargate: serverless environment to autoscale the model (CPU, memory...)
• SSL certificate - do we need a central portal that then internally distributes to the nonSSL IPs for the models?

To do:

• [ ] Add script to: https://github.com/ersilia-os/aws-utils
• [x] Ensure permissions are right for accessing the Logs @GemmaTuron to meet with Success and solve it
• [ ] Check the "real life" scenario for the workshop (models eos9ei3, eos43at, 1000 molecules as input)

Once the script is moved to aws-utils, we will close this issue and move the discussion to that repository

[sucksido]

Model URLs:

ersiliaos/eos43at = http://3.75.227.184/ ersiliaos/eos3b5e = http://18.199.86.114/ ersiliaos/eos9ei3 = http://35.159.128.242/

[sucksido]

@GemmaTuron i think we can close this because all the To do tasks are done,

[GemmaTuron]

perfect thanks @sucksido