Stef van Dijk

06/02/2021, 10:12 AM
Hello! I'm using Prefect Cloud and I like its features. I'm struggling with some security issues at the moment. Is it possible for an agent to be restricted to execute only flows that use local storage? Let's say I have a machine that should never execute harmful flows. Can I make sure that when someone accidentally gets my Prefect credentials, that person can never make the agent on my machine execute a flow that he just registered using my credentials? I want to make this restriction at agent level, because otherwise it seems to me that a hacker could always register a flow living in some GitHub repo and make the agent execute it. Restricting the agent to only execute flows with local storage would prevent this from happening. I hope my question is clear, thanks in advance!


06/02/2021, 2:20 PM
Hi @Stef van Dijk - Prefect doesn't provide a way for you to restrict agents to only run flows of a certain storage type but does let you tag agents to only pick up flows with a full set of matching labels. This is a place where you'll want to read up on things like token and network best practices, to ensure your credentials are never in a situation where they can be compromised; if your Prefect credentials are compromised, someone running a flow using your machine's resources is likely the least of your worries.

Stef van Dijk

06/02/2021, 2:57 PM
Ah, that is too bad 😞 Labels however won't protect me from this, since the potential 'hacker' can give the new flow all the labels he wants. Thanks anyway! This saves me a lot of time doing research 😉