Thread
#prefect-server
    Severin Ryberg [sevberg]

    Severin Ryberg [sevberg]

    2 years ago
    Hello. Here is a question regarding the Self-hosted server. I am able to register & execute flows from a UI (and others, ofc) server hosted on AWS. But as far as I can tell, so can everyone else on the planet. What is the intended way to protect your self-hosted server against misuse? Is there something akin to the cloud API tokens for the OpenSource UI?
    g

    Greg Desmarais

    2 years ago
    Are tou using a VPC? Another option might be to use an ALB with authentication - someyhing like SSO.
    Severin Ryberg [sevberg]

    Severin Ryberg [sevberg]

    2 years ago
    Hi Greg, thanks for the answer. I am using a VPC for both the EC2 instance which hosts the UI server, as well as for the EKS cluster which has prefect agents configured. Unfortunately, at the moment, they are on different VPC's (but this is something which could be sorted out without too much trouble). I have also considered not exposing my VPC at all and instead configure a gateway connection. Would you mind explaining a bit more the idea you have regarding ALB/SSO? All of these solutions should be able to exclude the general public from connection to my Prefect server. Nevertheless, assuming I understood your suggestion appropriately, they also would not help in the sense of user credentials. As a result, all user who has access to the VPC would have full control over the Prefect server's flow registration and scheduling. That is why I was hoping that there would be something akin to Prefect Cloud's API tokens. Do you (any one else) have any thoughts on this?
    g

    Greg Desmarais

    2 years ago
    I have also considered not exposing my VPC at all and instead configure a gateway connection.
    The reason a I mention the VPC is to possibly leverage security groups or even the Net ACL to limit ingress IP addresses. If your potential users come from a certain network - say a vpn or corporate lan - you can restruct who can get to the resource. It does get easier if you create a VPC peer type setup.
    Would you mind explaining a bit more the idea you have regarding ALB/SSO?
    AWS ALB has options for integrating some standards complaint SSO solutions like Okta and OneLogin (OpenID and SAML type stuff). If you lock down the security group for your prefect server to only allow inbound traffic from your ALB, you can put the SSO requirement on the ALB as a gatekeeper. Would also potentially simplify your HTTPS configuration. For one reference (among many): https://www.onelogin.com/blog/aws-alb-openid-connect
    Severin Ryberg [sevberg]

    Severin Ryberg [sevberg]

    2 years ago
    Great, this gives me a few new directions for me to dig into. Thanks a lot for the help!