For running

prefect agent …

on a VM as a service, does anyone have a setup for injecting secrets into the

supervisord.conf

file for the prefect url and api key? A solution with

chamber

would be ideal, but curious about any solution that works

Hi Scott, How are you building / deploying your VM? I was noodling on this for the Azure repo recipe to build and deploy this (I don’t use supervisord, but systemd), but inevitably it becomes kind of a chicken / egg situation (from an initial deployment perspective). You either need to have secrets in a keyvault already existing, and reference those, OR, create a two stage deployment that creates / provisions your secrets first, then references them. Have you considered Kubernetes to use Secrets as well?

Thanks. We’re not at the point of having infra as code recipe for a VM spin up. We aren’t yet at a scale where we need Kubernetes. It’s the “and reference those” part that I am not sure how to do. I thought perhaps there’d be a recipe/example of pulling in secrets from a secrets manager in a conf file for supervisord/systemd?

if you’re not using IaC, the right way to do it (for Azure at least, I believe AWS is quite similar but would need to verify) would be to setup a managed identity and access policy - the secrets would be available on the VM as an environment variable, which could be used in the systemd config

Thanks!