Hi everyone, is there a way to specify secrets for...
# prefect-integrationst
Tibs
11/17/2022, 1:31 PMHi everyone, is there a way to specify secrets for an ECSTask block? Something similar to what can be done in the task definition? (see attached image from AWS docs)
✅ 1
a
Anna Geller
11/17/2022, 1:33 PM
curious, why do you need it? those secrets are exposed as env variables and are meant for secrets strictly needed for a container to run -- given that infra block deploys a container for a flow run, you could leverage Prefect Secret block instead
we can certainly expose that but you can do the same via blocks
t
Tibs
11/17/2022, 1:39 PMwe needed to load our access keys as env variables, one of the use cases is when boto3 reads access keys from env variables
Tibs
11/17/2022, 1:41 PMi actually found a way to do it using _infra_overrides from_ Deployment, but it's still not good enough because we wanted the secrets to only be grabbed from secrets manager (for deployment i take them from git variables)
a
Anna Geller
11/17/2022, 1:58 PM
AWS discourages that. You can attach permissions to your secrets manager to your task role, no need to bake credentials into a container (AWS is right, it's really better for security)
Anna Geller
11/17/2022, 1:59 PM
IAM roles can help you attach any permissions needed to access AWS services incl. secrets manager access and for non-AWS permissions you can use a Secret block
t
Tibs
11/17/2022, 4:11 PMOkay, the policy solution for AWS keys is much better so thanks for that. We don't really want to move the secrets from AWS to a prefect block, AWS secret manager is already a centralized place for us, this is why this functionality would be helpful.
a
Anna Geller
11/17/2022, 4:43 PM
you can use prefect-aws for that https://github.com/PrefectHQ/prefect-aws/blob/main/prefect_aws/secrets_manager.py
❤️ 2
6 Views