Hey guys! I’m trying to pass AWS secrets into my flow without getting it printed in plain text anywhere (I’m running the server on a kubernetes cluster). This is how i call the script that defines and registers the flow (as mentioned in https://docs.prefect.io/core/concepts/secrets.html#default-secrets):

PREFECT__CONTEXT__SECRETS__AWS_CREDENTIALS='{"ACCESS_KEY": "<my_key_here>", "SECRET_ACCESS_KEY": "<my_secret_key_here>"}' python create_flow.py

And this is how i internally pass it down into the KubernetesRun method

job_env = {
    "PREFECT__CONTEXT__SECRETS__AWS_CREDENTIALS":
        os.getenv("PREFECT__CONTEXT__SECRETS__AWS_CREDENTIALS"),
    "PREFECT__BACKEND":
        "server"
}

flow.run_config = KubernetesRun(env=job_env,
                                image="ananthutest/prefect-test:latest")

But when i do kubectl describe of the created pod/job in k8s, it shows

PREFECT__CONTEXT__SECRETS__AWS_CREDENTIALS

under

Environment

in plain text. Anyway I can avoid this?

Hey @Ananthapadmanabhan P! Good question, for this you should probably use a kubernetes secret (https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) that you can mount to the jobs that your Agent submits

Thank you for the clarification @Chris White, I’ll try doing that. Also, wondering if Prefect can use the EC2 roles to pull the script from s3, if so could you point me to how i can configure it (currently, not passing secret and access key just fails the flow) ?