Hi, I am running Prefect Server+UI and was able to place it behind an nginx reverse proxy with basic auth. However I'm also trying to secure access using the CLI, and looking through the code it doesn't seem to support passing any kind of auth data when using the

server

backend. Are there any recommended ways of handling server auth through the CLI, and/or is there a possibility of adding some auth options (e.g. basic auth, bearer token) to the CLI when using

server

backend?

Hey @Aric Huang, unfortunately we don’t support auth for server but I know there are a couple of people here who did something. Let me find those threads.

Thanks!

Yeah they are too buried unfortunately. I swear someone attached Azure AD to it, but am not 100% sure. Let’s see if the community can chime in here.

Thanks for checking, would be interested to see what solutions are out there.

This may be worth a read also

Looking at the CLI code it looks potentially doable to add some basic support for reading some credentials (e.g. from a file) and adding a header to the graphql requests - we may try doing that. Do you have a sense whether Prefect would be interested in something like that as a PR?

I honestly doubt it because it would imply that we maintain the solution, but I am sure that documenting your experience through a Github discussion would be a good resource to point people towards

That's fair. I did see that link when searching around, I can appreciate how difficult auth is to get right and that it can be considered out of scope for server. At least for my team's needs I think running our own auth server is fine, but having the CLI requests pass auth data is the only real missing piece.

@Aric Huang Did you find a solution? We use also the auth_basic, and for the graphql access an ip filter:

satisfy any;
allow 123.123.123.123; # ip of your computer which makes the graphql request

@Michael Hadorn I was able to make a few changes to the

prefect

CLI to allow using

prefect auth login

to store basic auth credentials (or a bearer token) and send them with each request. I have these changes on a fork here: https://github.com/concreted/prefect/commit/c0c404e760d32b1eef8c3de6eb6eb0e0be67d153

@Aric Huang Nice! Thanks a lot for sharing

@Aric Huang how did you handle communication between UI and server (apollo)? I've put both behing basic auth, but the problem is that requests from UI to server don't include the authorization header, and I don't see a way to add this

@Marvin archive “Basic Auth in Server” in server

@Tadej Svetina do you mean for the Interactive API tab in the UI? I did find this open issue related to using basic auth with that: https://github.com/PrefectHQ/ui/issues/620

@Aric Huang no, I meant basic UI (in your browser) to API communication - to show you any data, your browser needs to make calls to Apollo, which you have put behind basic auth

the rest of the UI is working fine for me with basic auth except the interactive API tab, i didn't make any other changes or use extensions

Ah got it - I see my problem was giving UI and apollo different URL endpoints...