# dagster-plus
s
hi y'all! we're looking at setting up Dagster Cloud Hybrid via the "new VPC" CloudFormation stack, and just wanted to clarify some of the required permissions. 🧵
In particular, we're a bit concerned about the below stanza:
```yaml
Statement:
  - Effect: Allow
    Action:
      - ecs:ListTagsForResource
      - secretsmanager:DescribeSecret
      - secretsmanager:GetSecretValue
      - secretsmanager:ListSecrets
    Resource: "*"
```
this seems like it's giving the dagster agent access to all secrets in our AWS account?
j
The wildcard match is because we’re not opinionated about how you choose to name any secrets you want to expose to your agent: https://docs.dagster.io/dagster-cloud/deployment/agents/amazon-ecs/configuration-reference#environment-variables-and-secrets But in general, the quickstart template is just to get you up and running. Most of our hybrid users end up modifying it to fit their needs (changing networking, IAM permissions, capacity providers, etc.)
s
ok - it sounds like you're saying "by default, the agent can read all secrets, in case we need it to"?
(does the agent need to read secrets in order to communicate with the control plane?)
and maybe a relevant piece of feedback here is that it'd be really helpful for the stack template to be annotated (so users like us know what the different permissions are needed for on the Dagster side)
j
Secrets are not required for communicating with the control plane. But they’re often necessary for your jobs to connect to any external resources. The CloudFormation template biases toward quick onboarding. https://docs.dagster.io/dagster-cloud/deployment/agents/amazon-ecs/manually-provisioning-ecs-agent goes into a bit more detail about actual requirements although it too admittedly doesn’t go into detail on the minimally viable set of IAM permissions. The feedback about better documenting the template is good - I’ll make sure it gets passed along.
s
Thanks! We decided to manually allow-list individual secrets we want the code running in dagster to have access to (e.g., read-only access to our production DB is sufficient for now)
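The allow-listing approach the thread ends on, written out as a CloudFormation stanza. This is an added example, not code from the thread or from Dagster's template; the secret names (dagster/prod-db-readonly, dagster/warehouse-token) are assumed placeholders.

```yaml
# Added example: the wildcard stanza from the template, split so that secret
# values can only be read from explicitly allow-listed secrets.
# Secret names below are assumed placeholders; substitute the ones you create.
Statement:
  # secretsmanager:ListSecrets does not support resource-level permissions,
  # so it has to stay on "*". It returns only metadata (names, ARNs, tags),
  # never secret values. ecs:ListTagsForResource is kept as in the template.
  - Effect: Allow
    Action:
      - ecs:ListTagsForResource
      - secretsmanager:ListSecrets
    Resource: "*"
  # Value reads are restricted to the listed secrets. The trailing "-*"
  # matches the random six-character suffix Secrets Manager appends to
  # every secret ARN; a prefix such as "secret:dagster/*" would be broader.
  - Effect: Allow
    Action:
      - secretsmanager:DescribeSecret
      - secretsmanager:GetSecretValue
    Resource:
      - !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:dagster/prod-db-readonly-*"
      - !Sub "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:dagster/warehouse-token-*"
```

A secret outside the list then fails at GetSecretValue with an AccessDenied error when a job references it, which is the signal that it needs to be added deliberately rather than granted by the wildcard.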