Good evening from Germany, is there a difference h...
# ask-communityf
Florian Kühnlenz
06/23/2021, 6:09 PMGood evening from Germany, is there a difference how I activate cloud secret storage on different clients? Is there an example of how I turn in on in the config? The documentation is not very helpful about how to actually do it, for me at least.
k
Kevin Kho
06/23/2021, 6:10 PM
Hi @Florian Kühnlenz, do you mean like
PREFECT__CLOUD__USE_LOCAL_SECRETS=falsef
Florian Kühnlenz
06/24/2021, 5:24 AMYes. I guess so. But it is not clear to me where I set it for example for the docker client. Is it needed as env var inside the containers? Or just when starting the client?
The documentation also mentions the config.toml but without an example.
Florian Kühnlenz
06/24/2021, 7:15 AMOkay, I think I tried every combination I could think of. I could not make the cloud secret load via PrefectSecret inside a DockerAgent.
k
Kevin Kho
06/24/2021, 1:15 PM
that sounds like it would work. It should already pull the Secret from Cloud when you’re running it on the Docker agent. Did you try the RunConfig? Do you get an error saying something like “Local Secret not found?”
f
Florian Kühnlenz
06/24/2021, 1:28 PMYes I get Local Secret not found. Which run config?
k
Kevin Kho
06/24/2021, 1:37 PM
flow.run_config = DockerRun(env={"PREFECT__CLOUD__USE_LOCAL_SECRETS": "false"})upvote 1
f
Florian Kühnlenz
06/24/2021, 2:08 PMI can try this out. But just for clarification what is the canocial way to set it for the docker agent?
Florian Kühnlenz
06/24/2021, 2:19 PMThis seems to result in the same error. Am I missing something else to configure?
k
Kevin Kho
06/24/2021, 2:32 PM
I don’t think there is anything else to configure. It should work. What is your Prefect version?
f
Florian Kühnlenz
06/24/2021, 2:35 PM0.14.22
But looking at the implementation of the prefect secret it also seems to check if the backend is set to cloud. Does the flow inside the docker container started form the agent know anything about the backend?
k
Kevin Kho
06/24/2021, 2:37 PM
Wait are you on Server or Cloud? It does check but I think the check for Server in that code was to give a definitive error message that Secrets are not supported for Server
f
Florian Kühnlenz
06/24/2021, 2:39 PMI am on cloud. I am just wondering if that is correctly visible for the flow.
k
Kevin Kho
06/24/2021, 2:40 PM
Can you try this and see if it works with the
"PREFECT__CLOUD__USE_LOCAL_SECRETS": "false" Copy code
from prefect.client import Secret
from prefect.client.client import Client
client = Client()
test = client.set_secret(name="MYSECRET", value="MY SECRET VALUE")
print(Secret("MYSECRET").get())Kevin Kho
06/24/2021, 3:01 PM
Ok I got clarification on this from the core team. The use_local_secrets is
truefalseKevin Kho
06/24/2021, 3:02 PM
Testing with the script above and setting
use_local_secretsf
Florian Kühnlenz
06/24/2021, 3:04 PMokay, I did never set up a local env to test interaction with cloud, but this would not explain at all why it did not work out of the box in cloud when deployed.
k
Kevin Kho
06/24/2021, 3:07 PM
Just wanna be sure, are you using the Secret in a Task or Flow?
f
Florian Kühnlenz
06/24/2021, 3:08 PMWe use
password = PrefectSecret("PWD")k
Kevin Kho
06/24/2021, 3:09 PM
Let me check about PrefectSecret. It might be deprecated in favor of Secret
f
Florian Kühnlenz
06/24/2021, 3:10 PMWe essentially copied the example here: https://docs.prefect.io/orchestration/concepts/secrets.html#using-secrets-in-tasks
k
Kevin Kho
06/24/2021, 3:11 PM
Gotcha this should work one sec I’ll try to replicate
f
Florian Kühnlenz
06/24/2021, 3:13 PMI am also trying to get some log output for 30 min but the slow build chain and my brain at the end of a day are really holding me back...
Florian Kühnlenz
06/24/2021, 3:19 PMOkay so I put in a
<http://logger.info|logger.info>(prefect.config.backend)k
Kevin Kho
06/24/2021, 3:22 PM
How are you starting the Docker agent?
f
Florian Kühnlenz
06/24/2021, 3:46 PMvia the commandline 🙂. Anything specific to look for?
k
Kevin Kho
06/24/2021, 4:35 PM
There is a backend.toml file that should say “cloud”. Maybe you can run
prefect backend cloudf
Florian Kühnlenz
06/24/2021, 5:25 PMSo passing the token to the agent and setting the api is not enough? If that is the case it is a little intransparent. I will check tomorrow if this is set.
k
Kevin Kho
06/24/2021, 5:27 PM
Oh I see your point. I think because you can set the API, but that just saves the config. There are some users to toggle back and forth with
prefect backend serverprefect backend cloudf
Florian Kühnlenz
06/25/2021, 6:01 AMI just realized I have the following problem: on the same VM I need to have two docker agents running, where one is connecting to server and one to cloud.
k
Kevin Kho
06/25/2021, 1:39 PM
Were you able to get it working? I think you can do it with the ENTRYPOINT?
f
Florian Kühnlenz
06/25/2021, 8:15 PMWell it seems to be working now. Maybe would it would be good to have a better logging message to make this configuration error easier discoverable?
k
Kevin Kho
06/25/2021, 8:16 PM
You mean logging message of what the backend is right?
f
Florian Kühnlenz
06/28/2021, 9:25 AMSorry for the late reply. I mean two things:
1. When to docker agents starts it could log what mode it is in.
2. The error message if not secret is found could mention the mode
k
Kevin Kho
06/28/2021, 3:53 PM
I definitely agree with number 2, and one should not be hard. 1 may likely be in logged in debug mode. I’ll open an issue for this. Thanks ! 🙂