Averell
09/01/2022, 8:10 AM
```
{
  "Name": "MY_API_KEY",
  "ValueFrom": "${MY_SECRET_ARN}"
}
```
These secret ARNs are different between our dev/staging/prod env. That `${MY_SECRET_ARN}` is populated by Terraform during our CD process. The daemon will then pass that info down to the worker ECS task.
My run_launcher config is simple, like this:
```
run_launcher:
  module: dagster_aws.ecs
  class: EcsRunLauncher
  config:
    include_sidecars: true
    secrets_tag: "data-dagster-env-var"
```
All was working fine until I started having secrets in my account that are tagged with the tag key `data-dagster-env-var`: the worker ECS task is now configured with the local secrets only (the ones with that specified tag), and no more secrets are copied from the daemon task definition.
We'll be having many local secrets, so configuring them all in the daemon task definition is not practical.
The other option is to have both `secrets_tag` and `secrets` in the run_launcher configuration, but this means I'll need to have different `dagster.yaml` file / docker images for different environments (dev/staging/prod).
secrets_tag
?dagster.yaml
, which will be populated during daemon/dagit startup time?dagster.yam
.
Also, I had a quick look at the source code of that ECS run_launcher, and could see that the list of secrets is built from scratch.
However, I don't understand how the env vars and secrets are initially copied from the daemon - couldn't find that in the code.
One thing I want to change is to separate the aws_logs_group used for the daemon from the one used for the jobs/tasks.