Security

What permissions do Prefect workers require? (Linux and Docker)

• Both types of workers run as as lightweight Python polling services. All workers require access to the hosted API (for self-hosted, or, Prefect Cloud) over port 443.
• The process worker needs permissions to create / fork new subprocesses on the execution environment it is running on.
• The Docker worker needs to have permissions to create new containers. The Docker python client is used to create up these new containers.
• For both workers, access to the filesystems and directories where flow code is stored.
• Documentation and Code for Docker worker can be found here
• Documentation and Code for Process worker (Linux) can be found here

Can a worker authenticate using an API key to 2 different service accounts?

• Service accounts and API keys are 1:1; one API key maps to a single service account only.
• A worker can use any API key (service account or user) provided it has the Worker role or above.
• Only one API key is passed to the worker configuration and is used to communicate with the Prefect Cloud API to orchestrate work.

In the cloud docs, user accounts page talks about personal accounts. Can you clarify the definition of personal accounts?

• Personal accounts are no longer available.
• Personal account were previously Prefect accounts without organization features.

Do users have the ability to create PAT? What restrictions are available for such a feature, if any?

• Users have the ability to create API Keys that are associated to their User. The API key holds the same permissions and restrictions as the user that generated it. More information about the roles a user can have as well as what each permission means in the below docs.
  • User and Service Account Roles
  • Workspace Role Permissions

Can workspaces be shared to users outside our organisation? Is Guest access permitted?

• There is no concept of “Guest access” in Prefect.
• All access to Prefect Cloud requires an authenticated user.
• Users can be assigned permissions similar to a guest, such as "Viewer" or "Runner" access roles.
• More information on these roles can be found here.

Can the workspace be transferred to another account or Prefect Cloud instance altogether?

• Workspaces can be transferred between Organizations in the UI on the Workspace Settings section on the left side navigation (General > ellipsis in top right corner > Transfer) within the same instance.
• These workspaces cannot be transferred between separate Prefect Cloud Instances (i.e. between Self Managed Prefect and Prefect Cloud Enterprise)

Is PrivateLink or ExpressRoute supported?

• PrivateLink and ExpressRoute should function if implemented, however, Prefect has not tested Self Managed environments using these technologies at this time.

Are other ingress controllers supported?

• While other ingress controllers might be technically capable to support the application and API, Prefect has focused development focus on Istio and Nginx.

Where, and how are Prefect Blocks stored?

• Prefect blocks are stored encrypted in the Postgres database using AES-256.