# prefect-community

bruno.corucho

07/10/2020, 1:51 PM
Don't mind, adding another question... 😣
Topic: Cloud Secrets
Context: My flow is dependent on some Secrets I added to the cloud. I have a custom Dockerfile that tries to set things up, with the following code:
```dockerfile
COPY configuration /opt/strdata-prefect/configuration
ENV PREFECT__USER_CONFIG_PATH /opt/strdata-prefect/configuration/config.toml
```
Config.toml:
```toml
backend = "cloud"

[cloud]
use_local_secrets = false

    [cloud.agent]
    name = "strdata-agent"

    # Setting it to `DEBUG` for verbose logging
    level = "DEBUG"

[logging]
# The logging level: NOTSET, DEBUG, INFO, WARNING, ERROR, or CRITICAL
level = "DEBUG"

# Send logs to Prefect Cloud
log_to_cloud = true

# Extra loggers for Prefect log configuration
extra_loggers = "[]"
```
Error Logs:
```
ValueError: Local Secret "REDSHIFT_PASSWORD" was not found.
```
Thanks again, Prefect Team!

nicholas

07/10/2020, 1:53 PM
Hi @bruno.corucho - can you confirm you see that secret in the Cloud UI?

bruno.corucho

07/10/2020, 1:54 PM
1sec, will get you that @nicholas
👍 1
Yup,
Also, as you can see, it's still trying to fetch the local secrets 😞 maybe I'm doing something wrong with my Dockerfile or perhaps the environment variable name?

nicholas

07/10/2020, 1:57 PM
Oh! Do you have a `config.toml` at `~/.prefect`?
Take a look at this section of the config page for where that's supposed to go

bruno.corucho

07/10/2020, 2:00 PM
No, I don't. I'm trying to change the default path to /opt/strdata-prefect/configuration/config.toml by using PREFECT__USER_CONFIG_PATH env. name

nicholas

07/10/2020, 2:06 PM
Got it @bruno.corucho - so it's possible you have an environment variable for local secrets overriding what's in your config, or that the user config path is incorrect (or not present for whatever reason). If you don't have that environment variable set (`printenv` should confirm this), try moving your config to the normal location and see if that works

Luis Muniz

07/10/2020, 3:28 PM
Hi @nicholas I have a followup on this issue
👀 1
We have determined that we need to add a directive in our Dockerfile. We had the error:
```
ValueError Local Secret "REDSHIFT_PASSWORD" was not found.
```
And we solved it by adding this directive:
```dockerfile
ENV PREFECT__CONTEXT__SECRETS__REDSHIFT_PASSWORD "unused"
```
so basically, while registering the flow
prefect calls a healthcheck function
and this function tries to resolve the secrets
and because there is no local secret set up (we are only trying to register the flow, not run it locally)
the register fails during the healthcheck step
The full error trace:
```
Beginning health checks...
System Version check: OK
Traceback (most recent call last):
  File "/opt/prefect/healthcheck.py", line 117, in <module>
    flows = cloudpickle_deserialization_check(flow_file_path)
  File "/opt/prefect/healthcheck.py", line 39, in cloudpickle_deserialization_check
    flows.append(cloudpickle.load(f))
  File "/opt/strdata-prefect/strdata/twitch_tasks/collect_streamers.py", line 19, in <module>
    API_CLIENT_ID = Secret("API_CLIENT_ID").get()  # os.environ["API_CLIENT_ID"]
  File "/usr/local/lib/python3.8/site-packages/prefect/client/secrets.py", line 163, in get
    raise ValueError(
ValueError: Local Secret "API_CLIENT_ID" was not found.
```
(now it's complaining about another secret, not REDSHIFT_PASSWORD anymore)
So I guess my question is why?
(in case it's not clear I am one of @bruno.corucho's coworkers)

nicholas

07/10/2020, 3:58 PM
@Luis Muniz or @bruno.corucho can you share your flow code or a min reproducible example of what you're seeing? I think you may be doing something weird with the secrets cause those shouldn't be resolving on serialization

Luis Muniz

07/10/2020, 4:15 PM
hi, working on it
is a zip file OK for you?

nicholas

07/10/2020, 4:22 PM
Sure, that'll work

Luis Muniz

07/10/2020, 5:19 PM
I will try to explain this as well as I can, as I am a python newb. We were initializing our secrets by assigning them to global variables like this,
```python
from prefect import task
from prefect.client.secrets import Secret

REDSHIFT_PASSWORD = Secret("REDSHIFT_PASSWORD").get()

# now defining a task
@task
def dosomething():
    connect_to_redshift(REDSHIFT_PASSWORD)
```
Apparently by loading this module, Python was executing the above assignment

nicholas

07/10/2020, 5:25 PM
@Luis Muniz since `Secrets` are tasks, you're essentially trying to execute the task outside of a Prefect context. My suggestion is to move your secrets into the Flow context like this:
```python
@task
def i_need_redshift(redshift_password):
  password = redshift_password.get()
  # do something with password

with Flow("your_flow") as flow:
  redshift_password = Secret("REDSHIFT_PASSWORD")

  i_need_redshift(redshift_password)
```
or if you'd prefer not to build the task into your dependency tree that way, you can call it inside the tasks that need it instead:
```python
@task
def i_need_redshift():
  # resolve the secret inside the task, at run time
  redshift_password = Secret("REDSHIFT_PASSWORD").get()
  # do something with redshift_password
```
We discourage global variables as a rule because tasks are meant to be fully-encapsulated pieces of logic that are able to run independent of the python file they're written in

Luis Muniz

07/10/2020, 5:27 PM
yes, that's what we found out while trying to create a reproducible example
that by moving them inline the code started working

bruno.corucho

07/10/2020, 5:27 PM
Unfortunately, on the file where we're assigning our flow, we're importing all methods and variables from the file where we have our tasks defined... rip encapsulation

Luis Muniz

07/10/2020, 5:27 PM
now that you mention that they are tasks it makes total sense
that's kind of elegant actually
😄 1

nicholas

07/10/2020, 5:29 PM
Yeah it sounds like it'll require a bit of reworking of the code, sorry about that @bruno.corucho - this is a more secure pattern though and prevents secrets from leaking into an unintended context
If you have any more questions about those, feel free to open up a new thread 🙂

bruno.corucho

07/10/2020, 5:29 PM
true, we did not bother about refactoring this code as we were more focused on the full flow execution than the code itself xD
😄 1
thanks in advance, sorry for the possible extra time you took on this

nicholas

07/10/2020, 5:30 PM
No worries at all, happy to help :)

Luis Muniz

07/10/2020, 5:30 PM
thanks guys you rock, stellar support