Tibs

11/17/2022, 1:31 PM
Hi everyone, is there a way to specify secrets for an ECSTask block? Something similar to what can be done in the task definition? (see attached image from AWS docs)

Anna Geller

11/17/2022, 1:33 PM
Curious, why do you need it? Those secrets are exposed as env variables and are meant for secrets strictly needed for a container to run -- given that infra block deploys a container for a flow run, you could leverage Prefect Secret block instead.
We can certainly expose that, but you can do the same via blocks.

Tibs

11/17/2022, 1:39 PM
We needed to load our access keys as env variables; one of the use cases is when boto3 reads access keys from env variables.
I actually found a way to do it using infra_overrides from Deployment, but it's still not good enough because we wanted the secrets to only be grabbed from secrets manager (for deployment I take them from git variables).

Anna Geller

11/17/2022, 1:58 PM
AWS discourages that. You can attach permissions to your secrets manager to your task role, no need to bake credentials into a container (AWS is right, it's really better for security)
IAM roles can help you attach any permissions needed to access AWS services incl. secrets manager access, and for non-AWS permissions you can use a Secret block.

Tibs

11/17/2022, 4:11 PM
Okay, the policy solution for AWS keys is much better, so thanks for that. We don't really want to move the secrets from AWS to a Prefect block. AWS Secrets Manager is already a centralized place for us, this is why this functionality would be helpful.

Anna Geller

11/17/2022, 4:43 PM