```RUN export PREFECT__CONTEXT__SECRETS__AWS_CREDE...
# ask-communityc
chicago-joe
06/09/2022, 5:13 PM Copy code
RUN export PREFECT__CONTEXT__SECRETS__AWS_CREDENTIALS=$(echo `(aws secretsmanager get-secret-value --secret-id ${prefect_aws_secret_name} --region ${region}) | jq -r '.SecretString'`)✅ 1
k
Kevin Kho
06/09/2022, 5:46 PM
I haven’t tried this. Do you get an ENV variable or no env variable at all? Are you using ECS run?
Kevin Kho
06/09/2022, 5:48 PM
What is the use case here? Cuz you can just give a role to the container and then you bypass this?
c
chicago-joe
06/09/2022, 5:49 PMDepending on whether I have ENV set before or after the RUN command, I will get an ENV variable but it is either blank or equal to the string "PREFECT__CONTEXT__SECRETS__AWS_CREDENTIALS"_
chicago-joe
06/09/2022, 5:52 PMthis dockerfile is built using ecs and I can verify that it is able to pull the secrets from secretsmanager. The trouble is having the secret stay as an env variable in the final image.
The use case is that I'm a developer and I want to debug a script locally, my script uses one or more of the Prefect AWS Tasks, but I'm unable to authenticate because of the missing env variable
chicago-joe
06/09/2022, 5:53 PMwe don't want to use ~/.aws/credentials, anything hardcoded into a file
k
Kevin Kho
06/09/2022, 5:59 PM
I personally can’t see anything wrong with the attempt based on this
m
Marcin Grzybowski
06/09/2022, 6:14 PMmaybe a better way is to provide envs in run docker -e or in docker compose? not to hardcode it into dockerfile, which usually is pushed into repo ?
c
chicago-joe
06/09/2022, 6:19 PMwould i be able to provide the aws secretsmanager command using -e?
k
Kevin Kho
06/09/2022, 6:42 PM
I don’t think so from the Prefect CLI
a
Anna Geller
06/09/2022, 7:17 PM
Marcin gave a great suggestion and I would go even as far as saying that you shouldn't use AWS key pair for anything else other than local development - for local development you can mount your home .aws folder to your root container folder
And for production you should use IAM roles instead
c
chicago-joe
06/09/2022, 7:49 PM@Dave Thomas @Anna Geller agreed, but we'd like to access the key pair using aws secretsmanager inside the image, rather than distributing different key pairs to each dev user individually
a
Anna Geller
06/09/2022, 8:02 PM
in that case:
• for development, you should bind mount the credential file
• for production, you should assign the IAM role allowing secrets manager access
Anna Geller
06/09/2022, 8:09 PM
Joe, I just wrote a Discourse topic for you showing how to do it https://discourse.prefect.io/t/how-to-bind-mount-a-volume-to-a-flow-run-container-for-e[…]unting-a-volume-with-aws-credentials-to-a-docker-agent/595
Anna Geller
06/09/2022, 8:10 PM
the easiest is by attaching it to your Docker agent:
Copy code
prefect agent docker start --label AGENT_LABEL --volume ~/.aws:/root/.awsAnna Geller
06/09/2022, 8:12 PM
definitely, as @Marcin Grzybowski correctly mentioned, baking the credentials directly into the image would be a security risk, but mounting as shown here would be a slightly better approach as you wouldn't risk those credentials would be baked into image directly and pushed to some registry
🙌 1
9 Views