Thread
#prefect-community
    x

    xyzz

    2 months ago
    Regarding Orion: The concept docs contain the following example for RemoteFileSystem:
    fs = RemoteFileSystem(basepath="<s3://my-bucket/folder/>")
    fs.write_path("foo", b"hello")
    fs.save("dev-s3")
    What das fs.write_path do? Store actual content on the fs? Also, is the secret key stored in the prefect database if you pass them to the settings parameter of RemoteFileSystem and then call fs.save? If so, how is ensured only I can read it and not e.g. a admin at prefect?
    Anna Geller

    Anna Geller

    2 months ago
    to see how files are stored, run:
    aws s3 ls <s3://your-bucket/yourpath/>
    they are stored as text files with the deployment ID as name
    to store Secrets for that, you can create a block, or authenticate your AWS CLI in your terminal from which you create the deployment
    x

    xyzz

    2 months ago
    do I understand blocks correctly in that they are encrypted, but if running on prefect cloud the encryption key could theoretically be extracted by you because it is stored on your servers?
    Anna Geller

    Anna Geller

    2 months ago
    Prefect is SOC-2 compliant, certifying that we handle your data with the greatest care and use it only for the purpose that's strictly necessary - does it help? if you have even stricter security requirements, I recommend talking to sales@prefect.io to discuss dedicated hosts
    Billy McMonagle

    Billy McMonagle

    2 months ago
    If this is a concern, you can run your prefect agent and jobs in an environment where they have access to the necessary permissions by using an IAM role rather than by using access keys. For example, I am running on EKS and assign a service account to my jobs, which is linked to an IAM role with the specific permissions. This way, no long-lived credentials need be created or used.