ran into an interesting issue while trying to set up docker env in hybrid mode I'm trying to inject [gcp service account key as base 64] as env var, since it's a secret I use

sed

to modify

dagster_cloud.yaml

during github actions. A dummy gh actions step to print out the dagster_cloud.yaml shows desired results then when

dagster-io/dagster-cloud-action/actions/hybrid_branch_deploy

executes, apparently the [original dagster_cloud.yaml] is being supplied instead, as in the [edited file via sed] isn't what is supplied during this step

Hey max, this doesn’t directly answer your question but might help - would you have any interest in getting access to this new secrets UI for setting environment variables in your dagster cloud jobs? It lets you set different values for branch deployments: https://dagster.slack.com/archives/C03SMUY0SFQ/p1668129323199809

that would be cool! it would simplify a lot of our workflows actually. :allo-love:

Great! I just added you, if you go to Deployment => Environment variables there's a place where you can add them. Note that your agent and your code will need to be on 1.0.17 or later for the environment variables to be automatically added to your code.

Since you are using GCP, an alternative way to set the service account is using workload identity - https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity . Using this method, you basically map a Kubernetes Service account (ksa) to a Google Service account (gsa). Once you configure them correctly, you only need to set the kubernetes service account for your pods (can be done at the dagster location level, or even at the namespace level), and GKE will setup everything for you. It’s considered safer than injecting the service account as a k8s secret or env variables. It’s also a pain to setup the first time and configure correctly 🙂