Hi everyone, is there a way to specify secrets for...
# prefect-integrations
t
Hi everyone, is there a way to specify secrets for an ECSTask block? Something similar to what can be done in the task definition? (see attached image from AWS docs)
a
Curious, why do you need it? Those secrets are exposed as env variables and are meant for secrets strictly needed for a container to run. Given that the infra block deploys a container for a flow run, you could leverage a Prefect Secret block instead. We can certainly expose that, but you can do the same via blocks.
t
We needed to load our access keys as env variables. One of the use cases is when boto3 reads access keys from env variables.
I actually found a way to do it using infra_overrides from Deployment, but it's still not good enough because we wanted the secrets to only be grabbed from Secrets Manager (for deployment I take them from git variables).
a
AWS discourages that. You can attach permissions for your Secrets Manager to your task role, no need to bake credentials into a container (AWS is right, it's really better for security).
IAM roles can help you attach any permissions needed to access AWS services, incl. Secrets Manager access, and for non-AWS permissions you can use a Secret block.
t
Okay, the policy solution for AWS keys is much better, so thanks for that. We don't really want to move the secrets from AWS to a Prefect block. AWS Secrets Manager is already a centralized place for us; this is why this functionality would be helpful.