hi all, I have a question about best practices around using secrets. I'm migrating a script to Prefect that has depended on a sensitive value being stored as an environment variable. Initially I was thinking of just using a Secret to set this sensitive value as one of the run config's environment variables, e.g. , but I'm wondering if this raises some kind of security issue when registering the flow to my Cloud instance. In this setup, would this Secret value be retrieved at the time of registration and then sent to Prefect Cloud as a part of the flow's metadata? Or would Prefect know that this env variable should be brought into the run config container only at flow runtime, and it's perfectly safe to do something like this?
Sean Talia
04/16/2021, 7:09 PM
would a better solution here be to just use a SecretTask to set the env var?
Kevin Kho
04/16/2021, 8:47 PM
Hi @Sean Talia! What RunConfig would you be using in this case?
Sean Talia
04/16/2021, 8:48 PM
just the DockerRun config
Kevin Kho
04/16/2021, 8:53 PM
I think this might fail because Secrets are evaluated at runtime while the RunConfig is evaluated at build time. But even if it does work, yes I think this would be a security issue and it will be sent to Prefect Cloud as part of metadata.
Kevin Kho
04/16/2021, 8:54 PM
I think your hunches are absolutely right and it is likely not safe to do this because it's outside of design.