Install app via SDR orchestrator (Private Preview)

Important!

Some capabilities shown here may require additional enablement or licensing. Contact your Atlan representative for details.

This guide walks you through the one-time setup of the SDR Orchestrator on a Linux VM. You download the SDR package, fill in your credentials and infrastructure config, start the orchestrator with Docker Compose (or Podman Compose), and verify the connection in the Atlan UI. For more information about the SDR Orchestrator, see SDR Orchestrator.

System requirements

  • CPU
    • SDR Orchestrator: 0.5 vCPU
    • Per app: 0.5–1 vCPU (varies by app)
  • Memory
    • SDR Orchestrator: 256 MB
    • Per app: 512 MB–1 GB (varies by app)
  • Disk
    • SDR Orchestrator: ~500 MB (SDR image)
    • Per app: ~1–2 GB (image + artifacts)
  • VM sizing guidance
    • Size the VM based on the number of apps you plan to run by adding the SDR Orchestrator requirements and the per-app requirements. For example, a VM running the SDR Orchestrator + 3 apps requires at least 2 vCPUs, 4 GB RAM, and 20 GB disk.

Prerequisites

Setup takes 15–30 minutes. Gather credentials and storage details from your infrastructure team beforehand.

Before you begin, verify you have:

  • Linux host (x86_64 or arm64)—Amazon EC2, on-premises VM, or bare metal. Windows and macOS aren't supported because the SDR requires a native Docker or Podman socket.
  • Docker Engine 20.10+ with Docker Compose plugin, or Podman 4.0+ (rootless) with podman-compose. See Docker Engine install or Podman installation guide.
  • A Docker Hub Personal Access Token (PAT) from your Atlan representative. Required to pull private app images (atlanhq/*).
    • The PAT is regenerated periodically; contact your Atlan representative for the latest token.
  • An OAuth client ID and client secret from your Atlan representative.
    • The SDR Orchestrator uses these to authenticate with Atlan's Temporal service.
  • Object storage: AWS S3, Google Cloud Storage, Azure Blob Storage, or local file path. See Dapr object store docs.
  • Secret store: AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault, local file, or environment variables. See Dapr secret store docs.
  • Outbound network connectivity (HTTPS + gRPC) to Atlan's Temporal endpoint, Docker Hub (or your private registry), and S3 for configurator artifacts and source-systems.
  • Private image registry (optional)—If you replicate Atlan images to your own registry, it must maintain the same image tags and versioning as the Atlan Docker Hub repository. If the registry requires authentication, only basic auth (username/password) is supported.

Download SDR package

Download the SDR package from Atlan. This archive contains everything you need: docker-compose.yaml, .env, and config.yaml.

curl -fSL -o sdr-orchestrator-docker.tar.gz \
https://atlan-public.s3.eu-west-1.amazonaws.com/sdr-orchestrator-app/sdr-orchestrator-docker.tar.gz
tar -xzf sdr-orchestrator-docker.tar.gz
cd sdr-orchestrator-docker

The extracted directory contains the following files:

sdr-orchestrator-docker/   # (or sdr-orchestrator-podman/)
├── docker-compose.yaml # Container definition (image tag pre-filled)
├── .env # Atlan credentials and runtime settings
├── config.yaml # Infrastructure config (domain, components)
└── deployments/ # Auto-populated per-app directories

Prepare host environment

Authenticate with Docker Hub so the SDR can pull private app images.

docker login -u atlanhq
# When prompted for password, enter the PAT provided by Atlan

A "Login Succeeded" message confirms successful authentication.

Configure .env file

Open .env and fill in the required values:

  1. Find your Docker group ID:

    getent group docker | cut -d: -f3

    Common values: 988 (Amazon Linux/RHEL), 999 (Ubuntu/Debian).

  2. In .env, set DOCKER_GID to the value from the previous step and set SDR_DEPLOYMENTS_HOST_DIR to the output of echo "$(pwd)/deployments":

    .env
    # OAuth credentials provisioned by Atlan for this SDR deployment.
    ATLAN_AUTH_CLIENT_ID=oauth-client-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    ATLAN_AUTH_CLIENT_SECRET=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

    # Must match atlan.deployment_name in config.yaml.
    SDR_DEPLOYMENT_NAME=my-env

    # Docker group ID from step 1.
    DOCKER_GID=988

    # Absolute host path to the deployments directory (e.g. /home/ubuntu/sdr-orchestrator-docker/deployments).
    SDR_DEPLOYMENTS_HOST_DIR=/home/ubuntu/sdr-orchestrator-docker/deployments

    LOG_LEVEL=INFO

Prepare config.yaml file

Open config.yaml and fill in your infrastructure settings. The file has four sections: Atlan (your tenant domain and deployment name), object storage (where apps transfer data), secret store (where apps retrieve secrets at runtime), and container registry (how to pull private app images).

Atlan identity

  • deployment_name: A unique identifier for this SDR installation (for example, mycompany-ec2). Letters, numbers, hyphens, and underscores only. Must start and end with a letter or number. Must match SDR_DEPLOYMENT_NAME in .env.
  • domain: Your Atlan tenant domain (for example, mycompany.atlan.com). Don't include https://.

atlan:
  deployment_name: "mycompany-ec2"
  domain: "mycompany.atlan.com"

Object storage

Self-Deployed Runtime needs a store for reading or writing files. Configure the object storage under the components: section that matches your environment.

Did you know?

Dapr supports additional object stores which aren't mentioned below. For more information, see Dapr object store documentation for other configurations.

Add AWS S3 configuration. For more information, see AWS S3 Binding Spec.

components:
  objectstore:
    type: bindings.aws.s3
    version: v1
    metadata:
      - name: accessKey # optional, leave this empty for IAM authentication
        value: ""
      - name: secretKey # optional, leave this empty for IAM authentication
        value: ""
      - name: bucket # required, name of the bucket where application can write
        value: "<bucket-name>"
      - name: region # required, region of the bucket where application can write
        value: "<bucket-region>"
      - name: forcePathStyle
        value: "true"

Secret store

Self-Deployed Runtime fetches secrets from a secret store to connect to the source systems. Configure the secret store under the same components: section that aligns with your security infrastructure.

Did you know?

Dapr supports additional secret stores which aren't mentioned below. For more information, see Dapr secret store documentation for other configurations.

Add AWS Secrets Manager configuration. For more information, see AWS Secrets Manager.

components:
  secretstore:
    type: secretstores.aws.secretmanager
    version: v1
    metadata:
      - name: region # required, region in which secret is hosted
        value: "<secret-region>"
      # Needed if IAM authentication is not used
      - name: accessKey
        value: ""
      - name: secretKey
        value: ""

Container registry

App images on Docker Hub (atlanhq/*) are private. The SDR needs credentials to pull them when deploying apps.

PAT rotation

For security reasons, the Docker Hub PAT is regenerated on a periodic basis. If the token is embedded in automation scripts or CI/CD pipelines, those jobs may fail. Contact your Atlan representative for the latest token.

  • base: The Docker Hub image prefix. Use docker.io/atlanhq for Docker Hub (default).
  • username: Your Docker Hub username.
  • password: The Docker Hub PAT provided by your Atlan representative.

container_registry:
  base: "docker.io/atlanhq"
  username: "<your-dockerhub-username>"
  password: "<your-dockerhub-pat>"

Sample config.yaml files

Below are complete, copy-paste-ready config.yaml files for common infrastructure combinations. Replace placeholder values with your actual credentials.

atlan:
  deployment_name: "mycompany-ec2"
  domain: "mycompany.atlan.com"

components:
  objectstore:
    type: bindings.aws.s3
    version: v1
    metadata:
      - name: accessKey # optional, leave this empty for IAM authentication
        value: ""
      - name: secretKey # optional, leave this empty for IAM authentication
        value: ""
      - name: bucket
        value: "<your-bucket-name>"
      - name: region
        value: "us-east-1"
      - name: forcePathStyle
        value: "true"

  secretstore:
    type: secretstores.aws.secretmanager
    version: v1
    metadata:
      - name: region
        value: "<secret-region>"
      - name: accessKey
        value: ""
      - name: secretKey
        value: ""

container_registry:
  base: "docker.io/atlanhq"
  username: "<your-dockerhub-username>"
  password: "<your-dockerhub-pat>"
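
A pre-flight check that applies this page's rules to .env and config.yaml before the orchestrator is started. It is an added example, not part of the SDR package or Atlan's tooling. The function names are illustrative, config.yaml is read with a line match that assumes the sample layout above, and the owner-only permission check on the two secret-bearing files is an added hardening step that the page itself doesn't state.

```shell
# Added pre-flight check for the .env and config.yaml described on this page.
# Helper names are illustrative; they are not shipped in the SDR package.

# Print the value of KEY from a .env file (last assignment wins, nothing is eval'd).
env_get() { sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1; }

# Print a scalar such as `domain: "x"` from config.yaml, assuming the flat
# key: "value" layout of the sample file (this is not a general YAML parser).
yaml_get() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" 2>/dev/null |
    head -n 1 | sed 's/^"//; s/"[[:space:]]*$//'
}

# Print one FAIL line per problem; the return code is the number of failures.
sdr_preflight() {
  dir=$1; fails=0; envf="$dir/.env"; cfg="$dir/config.yaml"
  fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

  name=$(env_get "$envf" SDR_DEPLOYMENT_NAME)
  echo "$name" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9_-]*[A-Za-z0-9])?$' ||
    fail "SDR_DEPLOYMENT_NAME '$name' breaks the naming rule"
  [ "$name" = "$(yaml_get "$cfg" deployment_name)" ] ||
    fail "SDR_DEPLOYMENT_NAME differs from atlan.deployment_name"

  domain=$(yaml_get "$cfg" domain)
  case "$domain" in
    "" | *://* | */*) fail "atlan.domain must be a bare hostname: '$domain'" ;;
  esac
  case "$(env_get "$envf" SDR_DEPLOYMENTS_HOST_DIR)" in
    /*) ;;
    *) fail "SDR_DEPLOYMENTS_HOST_DIR must be an absolute path" ;;
  esac
  env_get "$envf" DOCKER_GID | grep -Eq '^[0-9]+$' ||
    fail "DOCKER_GID must be numeric"

  # Template values left in place mean a credential was never filled in.
  case "$(env_get "$envf" ATLAN_AUTH_CLIENT_SECRET)" in
    "" | xxxxxxxx-*) fail "ATLAN_AUTH_CLIENT_SECRET is empty or a placeholder" ;;
  esac
  case "$(yaml_get "$cfg" password)" in
    "" | "<"*) fail "container_registry.password is empty or a placeholder" ;;
  esac

  # Both files hold secrets: any group/other permission bit is a finding.
  for f in "$envf" "$cfg"; do
    [ "$(ls -ld "$f" 2>/dev/null | cut -c5-10)" = "------" ] ||
      fail "$f is readable beyond its owner; run chmod 600"
  done
  return "$fails"
}
```

Source the file and run sdr_preflight . from the package directory; a return code of 0 means every check passed.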

Start SDR orchestrator

docker compose up -d

Verify installation

After starting the SDR:

  1. Check container is running:

    docker ps | grep atlan-sdr

  2. Check logs: Look for "SDR worker listening on task_queue" which confirms Temporal connectivity:

    docker logs atlan-sdr-<deployment-name>

  3. Verify in Atlan UI: Go to Settings > Self-Deployed Runtimes. Your deployment appears as "Connected."

  4. Install apps: From the Atlan UI, select apps to deploy to this SDR. The SDR automatically provisions OAuth credentials, runs the configurator, starts the app container, and notifies Atlan on success.

Need help

If you see "permission denied," "Disconnected" in the Atlan UI, or image pull failures, see the SDR Orchestrator FAQ for troubleshooting steps.

Next steps

Once the SDR shows as Connected in Atlan UI:

  1. Navigate to the Marketplace and pick an app (for example, SAP ERP connector).
  2. Click Install and select your SDR as the deployment target.
  3. The SDR handles everything from there—provisioning credentials, running the configurator, starting the app container, and reporting success back to Atlan. No terminal commands needed.
