Hi all, I have a question regarding secrets for AWS ECS run_launcher. I have some secrets stored in external AWS account (not same as the account hosting ECS), and I set them in the ECS task definition for Dagster daemon, like

{
  "Name": "MY_API_KEY",
  "ValueFrom": "${MY_SECRET_ARN}"
}

These secret ARNs are different between our dev/staging/prod env. That

${MY_SECRET_ARN}

is populated by Terraform during our CD process. The daemon will then pass that info down to the worker ECS task. My run_launcher config is simple like this

run_launcher:
  module: dagster_aws.ecs
  class: EcsRunLauncher
  config:
    include_sidecars: true
    secrets_tag: "data-dagster-env-var"

All was working fine until I started having secrets in my account, which tagged with the tag key `data-dagster-env-var`: the worker ECS task now configured with the local secrets only (the one with that specified tag), no more secrets copied from the daemon task definition. We'll be having many local secrets, so configuring them all in the daemon task definition is not practical. The other option is to have both

secrets_tag

and

secrets

in the run_launcher configuration, but this means I'll need to have different

dagster.yaml

file / docker images for different environments (dev/staging/prod). Is there any option to have combined secrets list: from the daemon and from that

secrets_tag

? Or, is there any option to have a parameterised

dagster.yaml

, which will be populated during daemon/dagit startup time? Thanks. ======== edited ========== I found the guide for using env vars in

dagster.yam

. Also, I had a quick look at the source code of that ECS run_launcher, and could see that the list of secrets is built from scratch. However, I don't understand how the env vars and secrets are initially copied from the daemon - couldn't find that in the code. One thing I want to change is to separate the aws_logs_group used for the daemon from the one used for the jobs/tasks.