Bring your towel and join one of the fastest growing data communities. Welcome to our second-generation open source orchestration platform, a completely rethought approach to dataflow automation.

Prefect Community

Hey everyone. Prefect Cloud user here. I know that in  Prefect Cloud our actual code stays on our systems - and that our agent (in this case, a K8s agent in AKS) polls prefect cloud to determine when to run a flow (and with what parameters it should run). I was wondering if there are any ways to prevent/limit malicious users from executing in our infrastructure *if an api key with deployment permissions* was accidentally compromised? Is there anything we can do within the agent (or elsewhere) to prevent a bad actor from registering a flow with Prefect Cloud that could then get picked up by our agent?

I think you are imagining somehow limiting the IP of machines that can register Flows so that even if the API key is compromised, we could reject new flows from being created from other places?

Yeah - that would do it. Is that a feature? Can we whitelist IPs that are able to access/register within Prefect Cloud?

Not a feature at the moment but with Orion (Prefect 2.0), you can host it in your infrastructure that could control those connections.