# best-practices
Fady
Hello, I am using Prefect open source. I have deployed Orion server on my k8s. I just want to figure out how I can authenticate my requests to the self-hosted Orion server via PREFECT_API_KEY, to prevent anyone that knows my domain name from sending requests to it and causing workload for my k8s nodes (this is our security concern).
Cole Murray
Hello Fady, the easiest approach, if you don't need any authentication/authorization beyond your key, would be to set up a reverse proxy, inspect the header and reject any request that doesn't have your API_KEY set. DNS -> Load balancer -> reverse proxy (nginx or similar) -> Orion
If using AWS, you might be able to use the WAF to do the header inspection and remove the need for the reverse proxy, but I personally haven't tried that.
Fady
@Cole Murray Thanks so much
Dylan McReynolds
@Cole Murray I'm playing with the Prefect 2 OSS server and have thought about the solution that you outline (using NGINX). I haven't tried it yet, but I'm kind of wondering how the browser front end would react to it. Is there some way to get it to send API keys?
Cole Murray
Hi @Dylan McReynolds, I'm not 100% sure I understand the question, but will take a go at it! From my understanding of the question, you're asking how the browser would send the API keys to the NGINX server. The easiest approach to this is by sending it as a header, e.g. X-API-KEY: MY_SECRET_API_KEY. Be sure to use HTTPS to ensure the headers are encrypted. A Stack Overflow post outlines a way of implementing this: https://stackoverflow.com/questions/61912336/how-can-i-add-api-key-authentication-in-nginx-proxy (I didn't read it heavily, but at a glance it looks ok).
Dylan McReynolds
@Cole Murray thanks! That's not quite what I was asking, sorry for being a little vague. The browser app that comes with Prefect is very useful. In 2.0, it's an SPA app where the messages to the API are controlled by the JavaScript in the browser. My concern is that if we locked down access to the API with a custom solution within a reverse proxy, messages from the front-end app will not have a way to pick that up and send, say, an api_key.