Hi everyone is there a way to specify secrets for an ECSTask

Question

Hi everyone is there a way to specify secrets for an ECSTask block Something similar to what can be done in the task definition see attached image from AWS docs

Anna Geller · Answer

curious why do you need it those secrets are exposed as env variables and are meant for secrets strictly needed for a container to run given that infra block deploys a container for a flow run you could leverage Prefect Secret block instead we can certainly expose that but you can do the same via blocks

Tibs · Answer

we needed to load our access keys as env variables one of the use cases is when boto3 reads access keys from env variables

Tibs · Answer

i actually found a way to do it using infra overrides from Deployment but it s still not good enough because we wanted the secrets to only be grabbed from secrets manager for deployment i take them from git variables

Anna Geller · Answer

AWS discourages that You can attach permissions to your secrets manager to your task role no need to bake credentials into a container AWS is right it s really better for security

Anna Geller · Answer

IAM roles can help you attach any permissions needed to access AWS services incl secrets manager access and for non AWS permissions you can use a Secret block

Tibs · Answer

Okay the policy solution for AWS keys is much better so thanks for that We don t really want to move the secrets from AWS to a prefect block AWS secret manager is already a centralized place for us this is why this functionality would be helpful

Anna Geller · Answer

you can use prefect aws for that <https github com PrefectHQ prefect aws blob main prefect aws secrets manager py>