Channels
pacc-may-31-2023
prefect-ai
pacc-clearcover-june-12-2023
marvin-in-the-wild
data-ecosystem
geo-israel
pacc-june-14-2023
geo-japan
pacc-london-2023
prefect-cloud
ppcc-may-16-2023
prefect-azure
prefect-docker
prefect-recipes
gratitude
geo-nyc
geo-bay-area
geo-boston
geo-london
geo-dc
geo-chicago
geo-berlin
geo-texas
geo-seattle
geo-colorado
prefect-community
data-tricks-and-tips
prefect-aws
prefect-gcp
introductions
find-a-prefect-job
prefect-dbt
random
events
ask-marvin
show-us-what-you-got
prefect-getting-started
prefect-integrations
prefect-contributors
best-practices-coordination-plane
announcements
prefect-server
prefect-ui
prefect-kubernetes
Title
c
chicago-joe
06/09/2022, 5:13 PMRUN export PREFECT__CONTEXT__SECRETS__AWS_CREDENTIALS=$(echo `(aws secretsmanager get-secret-value --secret-id ${prefect_aws_secret_name} --region ${region}) | jq -r '.SecretString'`)✅ 1
k
Kevin Kho
06/09/2022, 5:46 PMI haven’t tried this. Do you get an ENV variable or no env variable at all? Are you using ECS run?
What is the use case here? Cuz you can just give a role to the container and then you bypass this?
c
chicago-joe
06/09/2022, 5:49 PMDepending on whether I have ENV set before or after the RUN command, I will get an ENV variable but it is either blank or equal to the string "PREFECT__CONTEXT__SECRETS__AWS_CREDENTIALS"_
this dockerfile is built using ecs and I can verify that it is able to pull the secrets from secretsmanager. The trouble is having the secret stay as an env variable in the final image.
The use case is that I'm a developer and I want to debug a script locally, my script uses one or more of the Prefect AWS Tasks, but I'm unable to authenticate because of the missing env variable
we don't want to use ~/.aws/credentials, anything hardcoded into a file
k
Kevin Kho
06/09/2022, 5:59 PMI personally can’t see anything wrong with the attempt based on this
m
Marcin Grzybowski
06/09/2022, 6:14 PMmaybe a better way is to provide envs in run docker -e or in docker compose? not to hardcode it into dockerfile, which usually is pushed into repo ?
c
chicago-joe
06/09/2022, 6:19 PMwould i be able to provide the aws secretsmanager command using -e?
k
Kevin Kho
06/09/2022, 6:42 PMI don’t think so from the Prefect CLI
a
Anna Geller
06/09/2022, 7:17 PMMarcin gave a great suggestion and I would go even as far as saying that you shouldn't use AWS key pair for anything else other than local development - for local development you can mount your home .aws folder to your root container folder
And for production you should use IAM roles instead
c
chicago-joe
06/09/2022, 7:49 PM@Dave Thomas @Anna Geller agreed, but we'd like to access the key pair using aws secretsmanager inside the image, rather than distributing different key pairs to each dev user individually
a
Anna Geller
06/09/2022, 8:02 PMin that case:
• for development, you should bind mount the credential file
• for production, you should assign the IAM role allowing secrets manager access
Joe, I just wrote a Discourse topic for you showing how to do it https://discourse.prefect.io/t/how-to-bind-mount-a-volume-to-a-flow-run-container-for-e[…]unting-a-volume-with-aws-credentials-to-a-docker-agent/595
the easiest is by attaching it to your Docker agent:
prefect agent docker start --label AGENT_LABEL --volume ~/.aws:/root/.awsdefinitely, as @Marcin Grzybowski correctly mentioned, baking the credentials directly into the image would be a security risk, but mounting as shown here would be a slightly better approach as you wouldn't risk those credentials would be baked into image directly and pushed to some registry
🙌 1