Hi! Where do you store secrets such as database-co...
# prefect-cloud
s
Hi! Where do you store secrets such as database-connection strings that are usually stored in an .env-file? I don't want to add them in cleartext when setting up a pool or a Process.
r
prefect has secret blocks, else it depends on the infra you are running on, k8s/aws secret manager etc.
m
You can take a look at this: https://docs.prefect.io/2.11.3/concepts/blocks/ it might help
s
Thanks! But I get this error?
m
not sure what to do, have not used secrets in the code, only as a part of the prefect.yaml file
s
OK thanks anyway. How do you do it in the yaml-file? I'm assuming you don't store passwords there?
m
it depends on the secret, I suggest reading the deployment section of the docs
s
It's not really making it any clearer 😞 I see an example of pulling a secret when git cloning (which I've used), but for setting variables for the flow itself - I don't see anything.
r
did you create a secret block called t when you ran the code above?
s
Yeah, I got that working despite the error in PyCharm.
So I can do it like that, but I'm wondering if I can also specify the env-variables in the prefect.yaml deployment file and link to the secret there, so that it's available at the flow's runtime.
I may have found it.
r
cool, we use k8s secrets that are injected using env vars
s
Mind showing me what it looks like?
r
in terms of the job template it does this, which basically pulls in all the secrets from the prefect-flow-secrets group in k8s
```yaml
customizations:
  - op: add
    path: /spec/template/spec/containers/0/envFrom/-
    value:
      secretRef:
        name: prefect-flow-secrets
```
so it turns all of the secrets in that group into environment variables for the container
c
I’ve done this as well with managed identity for both ACI and AKS (retrieving from azure keyvault), but presumably doable with secrets manager for GCP and AWS as well