https://prefect.io logo
#prefect-community
Title
# prefect-community
s

scott

12/13/2022, 12:01 AM
For running
prefect agent …
on a VM as a service, does anyone have a setup for injecting secrets into the
supervisord.conf
file for the prefect url and api key? A solution with
chamber
would be ideal, but curious about any solution that works
c

Christopher Boyd

12/13/2022, 2:20 PM
Hi Scott, How are you building / deploying your VM? I was noodling on this for the Azure repo recipe to build and deploy this (I don’t use supervisord, but systemd), but inevitably it becomes kind of a chicken / egg situation (from an initial deployment perspective). You either need to have secrets in a keyvault already existing, and reference those, OR, create a two stage deployment that creates / provisions your secrets first, then references them. Have you considered Kubernetes to use Secrets as well?
s

scott

12/13/2022, 2:57 PM
Thanks. We’re not at the point of having infra as code recipe for a VM spin up. We aren’t yet at a scale where we need Kubernetes. It’s the “and reference those” part that I am not sure how to do. I thought perhaps there’d be a recipe/example of pulling in secrets from a secrets manager in a conf file for supervisord/systemd?
c

Christopher Boyd

12/13/2022, 3:13 PM
if you’re not using IaC, the right way to do it (for Azure at least, I believe AWS is quite similar but would need to verify) would be to setup a managed identity and access policy - the secrets would be available on the VM as an environment variable, which could be used in the systemd config
AWS uses secret manager which is quite similar, although I don’t know if they are 1:1 in process
s

scott

12/13/2022, 4:31 PM
Thanks!
3 Views