@Marvin I have an env var I'm setting from a prefect secret in my prefect.yaml. is there any way to obfuscate it in the UI so the raw value doesn't appear in the deployment configuration?

It seems there's no direct mention of obfuscating secrets in the Prefect documentation. However, there's a common practice for managing sensitive information securely which Prefect likely supports. Here's a summary of steps to handle secrets securely in a deployment configuration file: 1. Store secrets externally: Use an external secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault) and ensure your Prefect Agents/Workers have the necessary access. 2. Environment Variables: Set environment variables at runtime instead of including them in

prefect.yaml

. This way, you can inject secrets without exposing them in your configuration. Below are some useful links from the Prefect documentation related to managing job variables: - Overriding job variables - Prefect deployment guide - GCP Worker Guide Using these resources, you should be able to find a method to keep secrets safe while being used in Prefect deployments.

I have an env var I'm setting from a prefect secret in my prefect.yaml

how are you referencing that in the prefect yaml? if you reference the secret directly, it shouldnt show up in the UI and the actual value will be rendered when needed

@Nate something along these lines. maybe because it's in a definition?

definitions:
  work_pools:
    work_pool_stg: &work_pool_stg
      name: my-ecs-pool
      work_queue_name:
      job_variables: &work_pool_stg_job_variables
        env: &work_pool_stg_env_variables
          REDSHIFT_PW: "{{ prefect.blocks.secret.dbt-non-prd }}"

hmm and in the job variables in the UI you're seeing the actual value?

yup, can confirm. happy to hop on a huddle and do a screen share if you want to see

would you mind opening an issue on this?

sure thing, regular bug or ui bug?

I think this will have to do with when we render the value, so a regular bug please

thank you!