For running `prefect agent …` on a VM as a servic...
# ask-community
s
For running `prefect agent …` on a VM as a service, does anyone have a setup for injecting secrets into the `supervisord.conf` file for the prefect url and api key? A solution with `chamber` would be ideal, but curious about any solution that works
c
Hi Scott, How are you building / deploying your VM? I was noodling on this for the Azure repo recipe to build and deploy this (I don’t use supervisord, but systemd), but inevitably it becomes kind of a chicken / egg situation (from an initial deployment perspective). You either need to have secrets in a keyvault already existing, and reference those, OR, create a two stage deployment that creates / provisions your secrets first, then references them. Have you considered Kubernetes to use Secrets as well?
s
Thanks. We’re not at the point of having infra as code recipe for a VM spin up. We aren’t yet at a scale where we need Kubernetes. It’s the “and reference those” part that I am not sure how to do. I thought perhaps there’d be a recipe/example of pulling in secrets from a secrets manager in a conf file for supervisord/systemd?
c
If you’re not using IaC, the right way to do it (for Azure at least, I believe AWS is quite similar but would need to verify) would be to set up a managed identity and access policy - the secrets would be available on the VM as an environment variable, which could be used in the systemd config
AWS uses secret manager which is quite similar, although I don’t know if they are 1:1 in process
s
Thanks!