Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PREFECT_API_AUTH_STRING should be a Secret Env var, not a clear text Env var in spawned Runs #442

Open
raayu83 opened this issue Feb 5, 2025 · 2 comments
Open

PREFECT_API_AUTH_STRING should be a Secret Env var, not a clear text Env var in spawned Runs #442

raayu83 opened this issue Feb 5, 2025 · 2 comments
Assignees
@mitchnielsen
Labels
customer-requested open-source security

Comments

@raayu83
Copy link

raayu83 commented Feb 5, 2025

Currently in the spawned run pods, PREFECT_API_AUTH_STRING is created as a clear text Environment Variable, visible to anyone with access to the Kubernetes CLI or UI.
For security reasons, this should be based on a Secret, just as with Worker pods and the Server pod.
@raayu83
Copy link
Author

raayu83 commented Feb 5, 2025

Btw, thanks for implementing Basic Auth in the Helm charts! This helps a lot!

@mitchnielsen
Copy link
Contributor

Hi @raayu83, thanks for reaching out.

In the Deployment manifest template, the auth string can be taken from a Secret if you provide worker.basicAuth.existingSecret. There are some more details available in https://github.com/PrefectHQ/prefect-helm/tree/main/charts/prefect-worker#basic-auth.

Is this what you were looking for?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mitchnielsen mitchnielsen

Labels
customer-requested open-source security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@raayu83 @mitchnielsen @jamiezieziula