In the hybrid cloud is there a way to lock down th...
# dagster-plus
m
In the hybrid cloud is there a way to lock down the agent so it can only run private images? Or is there a way to stop most users from creating new code locations?
d
Right now any Editor can create code locations, but viewers can't: https://docs.dagster.io/dagster-cloud/account/managing-users#understanding-user-permissions
We've been discussing adding a Launcher role (exact name TBD) that would be able to launch runs but not other tasks (such as making code locations).
m
I thought about that too, but Viewers are an enterprise feature. It seems like a lot of access control is only available to that tier, including multiple “Full Deployments”. For most users I assume the lower tiers are fine for their controls, but for us the enterprise tier’s access control is necessary for compliance reasons. However, we’re too small to pay for it either 😆
It would be useful to limit the hybrid agent in some way so it can only run approved images, like from a specific repository.
j
If you’re using the Kubernetes agent, there are some ways to restrict this from within your k8s cluster. Not sure if something similar exists for ECS.
👍 1
m
The ECS version would be using ECR PrivateLink and disabling outbound, but then the agent can’t access Dagster.
👍 1
Rock and a hard place 😆
j
Added an internal issue for restricting Docker repositories from the Dagster side.
❤️ 1
m
Thanks for the help!