Fetch alpha-engine-lib PAT from SSM on the spot (not via .env on dispatcher) #45
Merged
….env
Prior pattern (copied from spot_backtest.sh) required the dispatcher's
.env to contain ALPHA_ENGINE_LIB_TOKEN, which the launcher then scp'd
to the spot. Stale convention — the correct source of truth is SSM
Parameter Store (/alpha-engine/lib-token), which is what ae-trading's
boot-pull.sh uses.
Moving the SSM fetch onto the spot itself:
- Dispatcher no longer needs the secret in its .env file
- Secret never rides across scp, ssh argv, or the dispatcher FS
- Spot's IAM profile (alpha-engine-executor-profile) already grants
ssm:GetParameter on /alpha-engine/*
- Single source of truth: rotate SSM once, all launchers pick it up
Also unsets LIB_TOKEN after the git insteadOf rewrite so it doesn't
linger in the spot's environment during the actual workload.
Not modifying spot_backtest.sh / spot_train.sh in this PR — same
refactor applies but those are separate repos with their own merge
cycles. Worth doing for consistency in a follow-up.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
Followup fix on top of #44. The smoke test surfaced that `spot_data_weekly.sh` and `spot_drift_detection.sh` were requiring `ALPHA_ENGINE_LIB_TOKEN` in the dispatcher's `.env` — stale pattern copied from `spot_backtest.sh`. The correct source is SSM Parameter Store (`/alpha-engine/lib-token`), same as ae-trading's `boot-pull.sh`.
Change
Moves the PAT fetch from the dispatcher's `.env` (read by the launcher) → onto the spot itself (via `aws ssm get-parameter` in the DEPS step). Dispatcher never handles the secret.
Why now
Blocks smoke test of the spot migration (#44). Without this the dispatcher fails preflight on missing `.env` token.
Not in this PR
`spot_backtest.sh` and `spot_train.sh` have the same stale pattern but live in their own repos (alpha-engine-backtester, alpha-engine-predictor). Worth the same refactor for consistency — opening as followups.
Test plan
🤖 Generated with Claude Code
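A sketch of the DEPS-step pattern this PR describes, as an added example that is not the PR's own script: fetch the PAT on the spot with `aws ssm get-parameter`, install the git `insteadOf` rewrite, unset `LIB_TOKEN`, then run the install. The function names, the `x-access-token` username in the URL and the `github.com` host are assumptions; removing the rewrite afterwards goes beyond what the PR states and is included because `git config --global` writes the PAT to `~/.gitconfig`.

```bash
#!/usr/bin/env bash
# Added example (not the PR's script): DEPS-step handling of the lib PAT on the spot.
# Assumes the instance profile supplies AWS credentials and region.

PARAM_NAME="/alpha-engine/lib-token"   # SSM path named in the PR
GIT_HOST="https://github.com/"         # assumed host of the private lib repo

# Read the PAT from SSM into the shell variable LIB_TOKEN (never exported).
fetch_lib_token() {
    LIB_TOKEN="$(aws ssm get-parameter --name "$PARAM_NAME" --with-decryption \
        --query 'Parameter.Value' --output text)" || LIB_TOKEN=""
    # The CLI prints "None" when the query matches nothing; treat that as failure.
    if [ -z "$LIB_TOKEN" ] || [ "$LIB_TOKEN" = "None" ]; then
        unset LIB_TOKEN
        echo "could not read $PARAM_NAME from SSM" >&2
        return 1
    fi
}

# Run "$@" (the dependency install) with the git URL rewrite in place.
install_private_deps() {
    local rc=0 was_x=0 url_key
    case "$-" in *x*) was_x=1; set +x ;; esac   # keep the token out of xtrace logs
    if fetch_lib_token; then
        # "x-access-token" as username is an assumption; the PAT is the credential.
        url_key="url.https://x-access-token:${LIB_TOKEN}@github.com/"
        git config --global "${url_key}.insteadOf" "$GIT_HOST" || rc=1
        unset LIB_TOKEN                         # as in the PR: gone before the workload
        [ "$rc" -eq 0 ] && { "$@" || rc=$?; }
        # Beyond the PR: the rewrite stored the PAT in ~/.gitconfig, so drop it too.
        git config --global --remove-section "$url_key" 2>/dev/null || true
        unset url_key
    else
        rc=1
    fi
    [ "$was_x" -eq 1 ] && set -x
    return "$rc"
}

# Usage on the spot (the install command is a placeholder):
#   install_private_deps pip install -r requirements.txt
```
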