emre
11/05/2020, 9:47 AM
secrets that I need to use in most of my tasks in a flow. I hate the visual of an upstream dependency to the same secret task from almost all my tasks. Is there a way for custom secrets to behave like, say, AWS_CREDENTIALS, as per: https://docs.prefect.io/core/concepts/secrets.html#default-secrets
Or a prefect backend compatible way of having my secrets reside in prefect.context, or a similar context-like construct?

Joël Luijmes
11/05/2020, 10:20 AM
    import prefect

    # read the secret from prefect.context (populated from the env var below)
    postgres_secret = prefect.context.secrets.get('POSTGRES')
For which I provide the env as
    export PREFECT__CONTEXT__SECRETS__POSTGRES='{
      "database": "",
      "username": "",
      "host": "",
      "port": 5432,
      "password": ""
    }'
emre
11/05/2020, 10:27 AM

Joël Luijmes
11/05/2020, 10:30 AM
    from prefect.client.secrets import Secret

    s = Secret("POSTGRES")
    print(s.get())
That also works for me, so prefect does store it as a secret, regardless of the provided name. Or maybe I’m just missing what you want to achieve exactly (again prefect is new to me 😅)

emre
11/05/2020, 1:35 PM
docker inspect to find out any secrets.
I actually want my secrets to be read at flow run time, or just before flow run time. I definitely do not want my secrets in the docker image, for the aforementioned case.
What I have in mind is storing my secrets in AWS Secrets Manager. Production machines on AWS will have permission to retrieve secrets from the secret manager. However, people with access to the docker image still can’t retrieve secrets, since they don’t have access to the secret manager.

Joël Luijmes
11/05/2020, 1:39 PM

emre
11/05/2020, 2:25 PM

nicholas
Julian
11/05/2020, 4:32 PM

nicholas

Julian
11/05/2020, 4:37 PM

emre
11/05/2020, 5:02 PM

Radek Tomsej
11/08/2020, 6:36 AM
    import prefect
    from prefect import Flow

    with Flow("secret") as f:
        # func_to_get_secret_from_aws is a user-supplied function, not a Prefect API
        prefect.context.secrets["MY_KEY"] = func_to_get_secret_from_aws()
I am going to use HashiCorp Vault for storing secrets. So I am probably going to store the auth key to Vault in the Agent. And then in every Flow I will ask for the secrets with some custom function and store the result to context.

emre
11/08/2020, 9:21 AM
server runs.
Passing secrets to agents would work well, I will keep it in mind. Although I would feel better if the secrets were coupled with the flow that needs them, rather than the agent.
I will first try to retrieve and set secrets with a docker entrypoint; if that doesn’t work, passing secrets from an agent will definitely do well.