Skip to main content

Migrate to Self-Deployed Runtime

Deprecation notice

Secure Agent is scheduled for deprecation on June 30, 2026. After this date, Secure Agent deployments no longer receive updates or support. Migrate to Self-Deployed Runtime before the deadline to maintain uninterrupted metadata extraction. If you have existing setups, contact your Account team to plan your migration.

Self-Deployed Runtime (SDR) is the successor to Secure Agent. It provides the same core capability—secure metadata extraction from your infrastructure—with significant improvements in security, performance, and operational flexibility.

Why migrate to SDR

🚀

Atlan Application SDK compatibility

  • Run new connectors built on the Atlan Application SDK
  • Access the latest connector functionality and updates as they ship
  • Future connector development is exclusively on the Application SDK
📦

Fully containerized application logic

  • All application logic is baked into the container image—no more split between Argo templates and app code
  • Each connector is a self-contained, independently versioned image
  • Easier rollback, testing, and version pinning per connector
🌐

Broader platform support

  • Popular container runtimes - Docker, Podman
  • Managed Kubernetes Cloud Clusters - EKS, AKS, GKE
  • RedHat OpenShift
📋

Low/No maintenance

  • Automated app lifecycle management (Orchestrator mode)
  • Centralized monitoring from Atlan UI

For a detailed architecture, security, and deployment comparison, see Secure Agent vs SDR.

What carries over and what changes

Most of your existing setup transfers directly. The migration work is concentrated in deployment infrastructure and authentication—not in reconfiguring your data sources or workflows.

Carries over unchanged:

  • Firewall rules to your source systems (outbound rules to databases, warehouses, and other sources don't change)
  • Object storage bucket or container (same bucket, just different config key names in SDR)
  • Secret store references (vault paths and key names stay the same)
  • Source system credentials (credentials remain in your secret store, SDR retrieves them the same way)

What changes:

  • Authentication: shared API key replaced by per-app OAuth credentials with 15-minute short-lived JWTs that refresh automatically
  • One new firewall rule: outbound gRPC/TLS to <tenant>-temporal.atlan.com:443 (in addition to the existing HTTPS rule)
  • Config key names: setting names change in the new .env and config.yaml. See Configuration mapping

Get started

1

Plan

Choose your deployment mode, gather credentials, and inventory your running connectors.

2

Migrate

Deploy SDR, install connector apps, switch workflows, and validate each extraction.

3

Post-migration

Confirm all workflows have passed validation, then decommission Secure Agent.