Skip to content
Fides Configuration
Deploying Fides to Production

Deployment Guide

💡
This guide is intended for production deployments. To quickly experiment with Fides, clone the source repository (opens in a new tab), and use the built-in docker compose configuration to run a demo environment.

A production-ready instance of Fides can be deployed leveraging the cloud infrastructure your organization is most familiar with.

Fully deployed, Fides consists of the following individual systems:

  1. Hosted Database: A PostgreSQL database server used for permanent storage of configuration data for the webserver.
  2. Hosted Cache: A Redis database server used as a temporary cache during execution and task scheduling.
  3. Fides Webserver: The main application, which houses the Admin UI and API endpoints.

Optionally, the Fides Privacy Center can be deployed as a pre-built way to receive privacy requests.

Deployment options

Any Docker host can be used to deploy Fides, and this guide outlines three main deployment options: Helm, Terraform, and Docker. For all options, please refer to our security best practices for recommendations on production infrastructure.

Using Helm

For a Kubernetes deployment, the recommendation option is to use the Fides Helm chart (opens in a new tab).

To install the Helm chart to an existing Kubernetes cluster, run the following commands:

helm repo add ethyca https://helm.ethyca.com
helm pull ethyca/fides

Then, set the required values in a values.yaml file and run

helm install fides ethyca/fides --values values.yaml

For more information on installing the Fides Helm chart, please refer to the Helm chart's README (opens in a new tab)

Using Terraform

For non-Kubernetes deployments, the Fides team maintains a Terraform module (opens in a new tab) to assist in the deployment of Fides.

To install Fides and its required infrastructure using Terraform to AWS Elastic Container Service (ECS), please refer to the Terraform module's README (opens in a new tab)

Using Docker

The remainder of this guide outlines generic steps for manually deploying the databases & Docker images that you can adapt to your preferred Docker host.

Set up the hosted database

Fides uses an application database for persistent storage. Any hosted PostgreSQL database that meets the current project requirements is acceptable, as long as it's accessible.

Options include:

  • A managed PostgreSQL database services (e.g., AWS RDS, GCP Cloud SQL, Azure Database)
  • A self-hosted PostgreSQL Docker container with a persistent volume mount (e.g., a Kubernetes cluster)
  • A self-hosted PostgreSQL server (e.g., an EC2 server)
💡
As long as your database will be accessible by your Fides webserver, there is no need to expose it to the public internet.

Configure your database

Follow the documentation for the option of your choice to configure a production-grade PostgreSQL database.

Once your database is up and running, create a unique user and database for Fides to use, and assign your Fides user a secure password.

Update your Fides configuration

Use your database information to set the following values in your Fides configuration. The options for the [postgres] section of the fides.toml file are outlined below, but may be substituted with environment variables.

NameDefaultDescription
userpostgresThe database user Fides will use to log in to the application database.
passwordfidesThe password for the Fides user.
serverfides-dbThe hostname of the Postgres database server.
port5432The port at which the Postgres database will be accessible.
dbfidesThe name of the Postgres database.

Set up the hosted cache

During privacy request execution, Fides collects result data in a temporary Redis cache that automatically expires to ensure personal data is never retained erroneously. Any hosted Redis database that meets the current project requirements is acceptable, from a Docker Redis (opens in a new tab) container to a managed service (e.g., AWS ElastiCache, GCP Memorystore, Azure Cache, Redis Cloud).

💡
As long as your cache will be accessible by your Fides webserver, there is no need to expose it to the public Internet.

Configure your cache

Follow the documentation for the option of your choice to configure a production-grade Redis cache.

Once your cache is available, ensure you enable a password (via Redis AUTH (opens in a new tab)) to provide additional security, and keep track of your connection credentials.

Update your Fides configuration

Use your database information to set the following values in your Fides configuration. The options for the [redis] section of the fides.toml file are outlined below, but may be substituted with environment variables.

Config VariableExampleDescription
hostN/AThe network address for the application Redis cache.
port6379The port at which the application cache will be accessible.
userN/AThe user with which to login to the Redis cache.
passwordN/AThe password with which to login to the Redis cache.
db_indexN/AThe application will use this index in the Redis cache to cache data.

Set up the webserver

The Fides webserver is a FastAPI (opens in a new tab) application with a Uvicorn (opens in a new tab) server to handle requests. The host requirements for the webserver are minimal:

  • A general purpose webserver (e.g. for AWS EC2, a t2.small or larger)
  • Docker version 20.10.8 or newer (if installing via Docker)
  • OR Python 3.9 or 3.10 (if installing via Python)
  • No persistent storage requirements (this is handled by the hosted database)

Using docker

Ensure that Docker is running on your host, and satisfies the minimum requirements.

Pull the docker image

Run the following command to pull the latest image from Ethyca's DockerHub (opens in a new tab):

docker pull ethyca/fides

Configure Fides

A number of environment variables are required for a minimum working configuration. You can provide a configuration by creating an .env file and passing it in via the --env-file {file} option (opens in a new tab), by providing individual variables with the --env {VAR} option, or directly to your docker host.

At a minimum, you'll need to configure the following:

Config VariableExampleDescription
FIDES__SECURITY__APP_ENCRYPTION_KEYathirtytwocharacterencryptionkeyAn AES256 encryption key used for DB & JWE encryption. Must be exactly 32 characters (256bits).
FIDES__SECURITY__OAUTH_ROOT_CLIENT_IDfidesadminThe client ID used for the "root" OAuth client.
FIDES__SECURITY__OAUTH_ROOT_CLIENT_SECRETfidesadminsecretThe client secret used for the "root" OAuth client.
FIDES__DATABASE__SERVERpostgres.internalThe hostname for your database server.
FIDES__DATABASE__PORT5432The port for your database server.
FIDES__DATABASE__USERfidesThe username Fides should use to access the database.
FIDES__DATABASE__PASSWORDfidessecretThe password Fides should use to access the database
FIDES__DATABASE__DBfidesThe postgres database name.
FIDES__REDIS__HOSTredis.internalThe hostname for your Redis server.
FIDES__REDIS__PORT6379The port for your Redis server.
FIDES__REDIS__PASSWORDfidessecretThe password Fides should use to access Redis.

Start your server

Once pulled, you can start your server with:

docker run ethyca/fides -p 8080:8080

To include your environment variables, you can run the following:

docker run \
  -p 8080:8080 \
  --env FIDES__SECURITY__APP_ENCRYPTION_KEY="athirtytwocharacterencryptionkey" \
  --env FIDES__SECURITY__OAUTH_ROOT_CLIENT_ID="fidesadmin" \
  --env FIDES__SECURITY__OAUTH_ROOT_CLIENT_SECRET="fidesadminsecret" \
  --env FIDES__DATABASE__SERVER="postgres.internal" \
  --env FIDES__DATABASE__PORT="5432" \
  --env FIDES__DATABASE__USER="fides" \
  --env FIDES__DATABASE__PASSWORD="fidessecret" \
  --env FIDES__DATABASE__DB="fides" \
  --env FIDES__REDIS__HOST="redis.internal" \
  --env FIDES__REDIS__PORT=6379 \
  --env FIDES__REDIS__PASSWORD="fidessecret" \
  ethyca/fides

If you prefer to create your .env file and pass an --env-file variable:

docker run \
  -p 8080:8080 \
  --env-file=<ENV FILE NAME>.env \
  ethyca/fides
config.env
FIDES__SECURITY__APP_ENCRYPTION_KEY="athirtytwocharacterencryptionkey" 
FIDES__SECURITY__OAUTH_ROOT_CLIENT_ID="fidesadmin" 
FIDES__SECURITY__OAUTH_ROOT_CLIENT_SECRET="fidesadminsecret" 
FIDES__DATABASE__SERVER="postgres.internal" 
FIDES__DATABASE__PORT="5432" 
FIDES__DATABASE__USER="fides" 
FIDES__DATABASE__PASSWORD="fidessecret" 
FIDES__DATABASE__DB="fides" 
FIDES__REDIS__HOST="redis.internal" 
FIDES__REDIS__PORT=6379 
FIDES__REDIS__PASSWORD="fidessecret"

Note that there's no need for a persistent volume mount. The webserver is fully ephemeral, and relies on the database for its permanent state.

Test the webserver

To test that your server is running, visit http://{server_url}/health in your browser (e.g. http://0.0.0.0:8080/health (opens in a new tab)) and you should see {"webserver": "healthy", "database": "healthy", "cache": "healthy"}.

You can also visit the hosted UI at http://{server_url}/.

Set up the Privacy Center (Optional)

Ensure that Docker is running on your host, and satisfies the minimum requirements.

Run the following command to pull the latest image from Ethyca's DockerHub (opens in a new tab):

docker pull ethyca/fides-privacy-center

More information about configuration options can be found in this guide.

Once pulled and configured, you can run the following within your project to start the server:

docker run --rm \
  -v $(pwd)/config:/app/config \
  -p 3000:3000 ethyca/fides-privacy-center:latest