Deadline Secrets Management in the RFDK
We highly recommend enabling Deadline Secrets Management.
Note
Deadline Secrets Management is supported in RFDK version 0.38.0 and above and Deadline version 10.1.19 and above.
Setting up Deadline Secrets Management in RFDK
Important
Along with setting up Deadline Secrets Management in RFDK, we highly recommend creating dedicated subnets for each component (e.g. RenderQueue, WorkerInstanceFleet, SpotEventPluginFleet, etc.) of your farm to ensure compatibility with Deadline Secrets Management identity registration settings.
New in version 0.38.0
When using Deadline 10.1.19 or later, the Repository construct enables Deadline Secrets Management by default. If no administrator credentials are supplied, RFDK will create a Secret in AWS Secrets Manager with automatically generated credentials for the administrator.
If you would like to create your own credentials for Deadline Secrets Management, you can store them as a Secret in AWS Secrets Manager and provide the Secret to the Repository construct. This secret must be a JSON document with the following fields:
    {
      "username": "your_secrets_management_username",
      "password": "your_secrets_management_password"
    }
Note
The password must be at least 8 characters long and contain at least one lowercase letter, one uppercase letter, one symbol and one number.
In your RFDK app, you can provide this Secret to the Repository construct like this:
Note
Enabling Deadline Secrets Management on the Repository will implicitly make the RenderQueue construct configure the Deadline RCS as a Server role and set up identity registration settings for the WorkerInstanceFleet, SpotEventPluginFleet, and UsageBasedLicensing constructs.
Using Deadline Secrets Management in RFDK
This section describes how to access and use the resources configured for Deadline Secrets Management by RFDK. For general Deadline Secrets Management usage instructions and information, please refer to the Deadline Secrets Management documentation.
Accessing Administrator Credentials
To perform administrative actions with Deadline Secrets Management, such as registering identities, assigning roles, and running Secrets Management administrator commands via DeadlineCommand, you will need to access the Deadline Secrets Management administrator credentials that were provided to the Repository construct. If you let RFDK generate these credentials, you can find them in AWS Secrets Manager:
- Navigate to AWS Secrets Manager in the region your RFDK farm is deployed in.
- Click on the Secret with a name that contains SMAdminUser and a description that says "Admin credentials for Deadline Secrets Management".
- Under "Secret value", click the "Retrieve secret value" button and you should see your Deadline Secrets Management administrator username and password.
Rotating Deadline Secrets Management Administrator Credentials
Rotating the administrator credentials is a two-step process:
- First, change the administrator password in the Deadline Repository. For this you'll need to get set up for Running Administrator Commands via DeadlineCommand and then follow the changing administrator password instructions.
- Next, make sure the password used by your RFDK app is updated, in case you redeploy anything in the future that needs to use it. To do this, modify the administrator credentials Secret so that it contains the new password. To find the Secret, follow the Accessing Administrator Credentials steps; instructions on how to update its contents can be found in the AWS instructions for modifying a Secret.
Warning
RFDK does not have the ability to rotate the credentials for you. You must change the administrator credentials in Deadline BEFORE changing the values in the AWS Secrets Manager Secret that contains the administrator credentials.
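As an added example (not RFDK code and not from the Deadline documentation), the following shell script ties together the secret format and password rule described under "Setting up Deadline Secrets Management in RFDK" with the two-step rotation above. It validates a new password, builds the JSON document the Repository construct expects, and performs the two steps in the required order, refusing to touch the Secret if the change in Deadline fails. DEADLINECOMMAND, SECRET_ID, the SM_ADMIN_* variables and DEADLINE_CHANGE_PASSWORD_ARGS are placeholders you must set yourself: the deadlinecommand subcommand and options that change the administrator password come from the Deadline changing-administrator-password instructions, and the only option taken from this page is --password env:<VAR>.

```shell
#!/bin/sh
# Added example, not RFDK code: (1) validate a Deadline Secrets Management
# administrator credential pair against the password rule in the docs and
# emit the JSON document the Repository construct expects; (2) rotate the
# administrator password in the required order: Deadline Repository first,
# AWS Secrets Manager Secret second.
#
# Placeholders (assumptions, not from the docs): SECRET_ID is the id or ARN of
# the RFDK-created Secret; DEADLINE_CHANGE_PASSWORD_ARGS is the deadlinecommand
# subcommand and options (including however it takes the new password) from
# the Deadline "changing administrator password" instructions.

DEADLINECOMMAND=${DEADLINECOMMAND:-/opt/Thinkbox/Deadline10/bin/deadlinecommand}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints each command instead of running it

# Password rule from the docs: at least 8 characters, one lowercase letter,
# one uppercase letter, one number, one symbol. Returns 0 if satisfied,
# 1 (with a reason on stderr) if not.
validate_sm_password() {
  pw=$1
  [ "${#pw}" -ge 8 ] || { echo "password must be at least 8 characters" >&2; return 1; }
  printf '%s' "$pw" | grep -q '[a-z]' || { echo "password needs a lowercase letter" >&2; return 1; }
  printf '%s' "$pw" | grep -q '[A-Z]' || { echo "password needs an uppercase letter" >&2; return 1; }
  printf '%s' "$pw" | grep -q '[0-9]' || { echo "password needs a number" >&2; return 1; }
  printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || { echo "password needs a symbol" >&2; return 1; }
}

# Escape the two characters that would break a JSON string literal.
json_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# make_sm_credentials_json USERNAME PASSWORD -> the Secret's JSON document
make_sm_credentials_json() {
  validate_sm_password "$2" || return 1
  printf '{"username":"%s","password":"%s"}\n' "$(json_escape "$1")" "$(json_escape "$2")"
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# Rotation step 1: change the password inside the Deadline Repository.
# The current password is read from an exported variable via the
# "--password env:VAR" option so it does not appear in the process list
# or in shell history.
change_password_in_deadline() {
  # DEADLINE_CHANGE_PASSWORD_ARGS is deliberately unquoted so it word-splits
  run "$DEADLINECOMMAND" $DEADLINE_CHANGE_PASSWORD_ARGS --password env:SM_ADMIN_PASSWORD
}

# Rotation step 2: write the new credentials to the Secret that the RFDK app
# reads on redeploy. put-secret-value stores them as the new AWSCURRENT version.
update_secret_in_aws() {
  run aws secretsmanager put-secret-value --secret-id "$SECRET_ID" \
    --secret-string "$(make_sm_credentials_json "$SM_ADMIN_USER" "$SM_ADMIN_NEW_PASSWORD")"
}

# rotate: requires SM_ADMIN_USER, SM_ADMIN_PASSWORD (current),
# SM_ADMIN_NEW_PASSWORD and SECRET_ID to be exported. The new password is
# validated before anything is touched, and the Secret is only updated after
# Deadline has accepted the change, so a failure never leaves the Secret
# ahead of the Repository.
rotate() {
  validate_sm_password "$SM_ADMIN_NEW_PASSWORD" || return 1
  change_password_in_deadline || { echo "Deadline rejected the change; Secret left untouched" >&2; return 1; }
  update_secret_in_aws
}
```

Run it once with DRY_RUN=1 to see the two commands that would be executed (the dry-run output includes the new password, so use a throwaway value for that pass). The script is meant to be run on the Deadline RCS host, where deadlinecommand has a direct connection to the Repository, using AWS credentials that are allowed to call PutSecretValue on that one Secret and nothing else.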
Forgotten Deadline Secrets Management Administrator Credentials
By default, the RFDK Repository construct creates an AWS Secrets Manager Secret containing the Deadline Secrets Management administrator credentials with a removal policy of RETAIN, so destroying the CloudFormation stack that contains the Secret will not delete it. If you've overridden the default removal policy and destroyed the CloudFormation stack, or accidentally deleted the administrator credentials Secret outside of CDK/CloudFormation, you can attempt to recover it by following the restore a secret instructions before attempting to reset the password.
If your password isn't recoverable, you must follow the administrator password reset instructions:
- Use another administrator account to help with the password reset.
- Uninstall and re-install the Deadline Repository. In RFDK this can be done either by destroying your app and starting over with a fresh deployment, or, if you decide you do not want to delete your file system and database, by following the "Forgetting a password with no other admin" instructions for re-installing the Deadline Repository.
If you choose to attempt to re-install the Deadline Repository, here are some more detailed instructions for how to do so in an RFDK deployment that uses the tiered architecture we recommend in our example app:
- Even though the Deadline Repository gets installed by the Service Tier, the file system and database that it gets installed onto are in the Storage Tier, so we need to make sure we actually run the uninstaller. If your RenderQueue has the SessionManagerHelper applied to it like in our example, you can connect to it through the AWS Console using Session Manager, and then run these commands:
    $ cd /mnt/repo
    $ sudo ./uninstall
    Do you want to uninstall Deadline Repository and all of its modules? [Y/n]: y
    ----------------------------------------------------------------------------
    Uninstall Status
    Uninstalling Deadline Repository
     0% ______________ 50% ______________ 100%
     #########################################
    Info: Uninstallation completed
    Press [Enter] to continue:
- Once the Repository is uninstalled you can destroy the ServiceTier stack by running npx cdk destroy -f "ServiceTier" from the directory that contains your RFDK app.
- After the ServiceTier has been destroyed, it can be redeployed to reinstall the repository and create a new AWS Secrets Manager Secret that contains the administrator credentials.
Running Administrator Commands via DeadlineCommand
Note
If you only need to manage identities in Deadline Secrets Management, you can do so entirely in the Deadline Monitor as long as you have your administrator credentials. This is explained in further detail in the Deadline documentation on assigning identity status and roles.
Running administrator commands for Deadline Secrets Management requires a direct connection to the Deadline Repository. The Deadline RCS, which runs in the RenderQueue, has a direct connection to the Deadline Repository and can be used to run Deadline Secrets Management commands. You can connect to the Deadline RCS by Creating a Remote Terminal Session into the Render Queue.
Once you have connected to the Deadline RCS, you can perform administrative actions with Deadline Secrets Management via DeadlineCommand. The executable for DeadlineCommand is typically located at /opt/Thinkbox/Deadline10/bin/deadlinecommand. For a list of all Deadline Secrets Management administrator commands, please see the Deadline documentation.
Tip
You can store your administrator password in an environment variable and provide the --password env:<YOUR_ENV_VAR> option to Deadline Secrets Management commands instead of letting the command prompt you for it and entering it manually.