To meet security requirements, we aim to not store...
# prefect-cloud
c
To meet security requirements, we aim to not store any secrets on Prefect Cloud. The “pull” step in our deployments requires cloning from a GitLab repo using an access token. Is there a way to reference this access token without persisting it in Prefect Cloud?

1. Using a GitLab block doesn’t work because it still requires us to store the access token in Prefect Cloud.
2. Referencing an environment variable in the “prefect.yaml” still ends up persisting the access token (in plain text as well, which makes this worse than option 1).

Is there another option I’m not aware of that would meet our security needs? We are using a k8s workpool to run flows on EKS. It would be great if we could store the access token as an environment variable on our container and only have the deployment reference the variable name. Thanks in advance for your help!
j
I'm working on something similar where we don't want our secrets storage duplicated for different use cases. We're using Google Secret Manager so I think my approach is to use GcpSecret blocks in Prefect that essentially just point to the Secret in Secret Manager. I'm not sure if it can be referenced within the yaml but maybe this is helpful.
c
Thanks, John! We’ve done a very similar thing with AWS Secrets Manager and it’s been working out well for us. The deployment piece is still proving to be tricky.