Alethia Labs
Job Execution

Worker & Utility Jobs

DEPLOY_WORKER, UPDATE_WORKER, DESTROY_WORKER, and CONNECTION_TEST jobs.

Worker & Utility Jobs

These job types manage Runner infrastructure and validate cloud connections.

DEPLOY_WORKER

Provisions a new cloud-hosted Runner in ECS Fargate.

Use platform credentials

Worker jobs use the platform's own AWS credentials (not the user's cloud identity).

Generate Terraform config

Creates ECS task definition, IAM roles (execution + task), CloudWatch log group, security groups from the Runner templates.

terraform apply

Provisions the infrastructure in the specified region.

Register with Alethia

Calls POST /api/runners/register to create a worker record. Returns the worker ID and token, which are injected as environment variables into the ECS task.

Report results

Job status → SUCCESS. The new Runner boots, registers its heartbeat, and appears as ONLINE in the Runners page.

UPDATE_WORKER

Updates an existing Runner to the latest release.

  1. Updates the ECS task definition with the latest Docker image tag
  2. Forces a new ECS Fargate deployment (--force-new-deployment)
  3. The old task drains gracefully, the new task starts with the updated image

DESTROY_WORKER

Tears down a Runner's infrastructure.

  1. Runs terraform destroy on the Runner's ECS resources
  2. Removes the worker registration from Alethia
  3. Any jobs assigned to this Runner are requeued to other available Runners

CONNECTION_TEST

Validates cloud provider credentials and discovers existing resources.

Assume cloud credentials

Uses the specified cloud identity.

Verify identity

  • AWS: sts:GetCallerIdentity — confirms the assumed role
  • GCP: Token exchange validation
  • Azure: Resource Manager authentication check

Discover resources

Queries the cloud account for existing resources:

VPCs, subnets, hosted zones, IAM users, security groups

VPC networks, subnets, DNS managed zones

VNets, subnets, DNS zones

Cache results

Discovered resources are stored in cloud_identities.credentials (JSONB) for use in the Design a Spec form (e.g., "Use existing VPC" dropdown).

FETCH_RESOURCES

Same as CONNECTION_TEST but without the initial identity verification. Used for refreshing the cached resource list (e.g., when the user clicks "Refresh" in the Provider Ribbon).

Destroy Jobs

How Runner executes DESTROY jobs — terraform destroy with state cleanup.

Cloud Credential Management

How Runner assumes temporary credentials per job for AWS, GCP, and Azure.

On this page

Worker & Utility JobsDEPLOY_WORKERUse platform credentialsGenerate Terraform configterraform applyRegister with AlethiaReport resultsUPDATE_WORKERDESTROY_WORKERCONNECTION_TESTAssume cloud credentialsVerify identityDiscover resourcesCache resultsFETCH_RESOURCES