Hi #CL09KU1K7 I am hosting Prefect on Kubernete...
# ask-community
s
Hi #CL09KU1K7 I am hosting Prefect on Kubernetes and have created an Ingress so that it’s available from outside Kubernetes. It all works fine. However, I don’t understand the API KEY. Even when I set it, the API doesn’t actually require a key. It works without providing a key. I can see the key is set in the UI Settings > Server Settings > api > key: “**********”. Has anybody managed to secure the API on a self-hosted instance?
s
Yeah, I just put it in a private load balancer and made it load only if the AWS VPN is connected. You could probably use any nginx basic auth or something
s
I was thinking about the nginx basic auth but wasn’t sure how to configure it correctly so that the Prefect CLI would still work
c
The Prefect CLI uses the cloud client to authenticate; the community version does not come with it out of the box. Have a reverse proxy handle auth instead
s
It requires simple decorator logic to implement some token-based auth, not sure why it was skipped. But yeah, a reverse proxy or private endpoint is better
c
it requires simple decorator logic
not really, but try
t
@Seb @Constantin Teo @sasidhar I looked into using Prefect Auth Proxy (https://github.com/softrams/prefect-auth-proxy) but it has some drawbacks:
1. Not updated for Prefect 3
2. It completely breaks the Prefect Web UI, as you have to inject the custom tokens into the JavaScript API calls the web interface uses.
3. Re: #2, I did not work to figure out if the method described to inject the auth header still worked in the Prefect 3 UI JavaScript code
4. The token management is manually inserting rows in the DB via SQL - simple but not scalable for more than a few tokens (IMHO).

Interested in hearing if you have figured something else out.
c
I used a reverse proxy, but on the other hand created a custom client subclassing `CloudClient` in a fork
t
Does this solve the Web UI issues? i.e. does your UI work with tokens?
c
does your UI work with tokens
yes
t
because you have custom code that prompts for the token or something?