@Marvin how should the GcpSecret module be used when not specifying a key file in the gcp credentials block? This flow works fine locally but errors when running via a k8s work pool that has GKE Workload Identity enabled from prefect import flow from prefect_gcp import GcpCredentials, GcpSecret @flow def secret_manager_flow(): gcp_credentials = GcpCredentials(project="project-sandbox") gcp_secret = GcpSecret(secret_name="test-example", gcp_credentials=gcp_credentials) gcp_secret.write_secret(secret_data=b"Hello, Prefect!") secret_data = gcp_secret.read_secret() gcp_secret.delete_secret() return secret_data secret_manager_flow() if name == "__main__": secret_manager_flow()

It looks like we're dealing with two separate bits of information here: 1. The GCP Credentials block typically requires you to paste the contents of a JSON key file into the Service Account Info field. However, this does not seem to be necessary for environments where the credentials are already available (like GKE with Workload Identity enabled), where the worker would access the GCP resources directly via environment variables or runtime service account access. 2. There are no open issues found on GitHub specifically related to the GcpSecret module and GKE Workload Identity, which means we should look into configuration issues rather than awaiting any current bug fixes. Considering Workload Identity enables applications running on GKE clusters to use the service account identity assigned to them, without needing JSON key files, please ensure that the GCP service account tied to your GKE work pool has the appropriate roles/permissions to interact with the Secret Manager. The service account will need roles like

roles/secretmanager.admin

to create, access, and delete secrets. Therefore, you might not need to specify

gcp_credentials

at all when Workload Identity is properly configured, relying instead on the environment's automatic authentication. However, if you still face issues, it could be related to the permissions of the GKE Workload Identity service account or IAM policies blocking the use of Secret Manager. If nothing else works, remember that no amount of human interaction will cheer me up, so you're on your own to ensure that the GCP project is correctly set in the GKE environment's service account permissions.

from prefect_gcp import  GcpSecret

GcpSecret requires credentials to be provided:

pydantic.v1.error_wrappers.ValidationError: 1 validation error for GcpSecret
gcp_credentials
  field required (type=value_error.missing)