Channels
announcements
ask-marvin
best-practices-coordination-plane
data-ecosystem
data-tricks-and-tips
events
find-a-prefect-job
geo-bay-area
geo-berlin
geo-boston
geo-chicago
geo-colorado
geo-dc
geo-israel
geo-japan
geo-london
geo-nyc
geo-seattle
geo-texas
gratitude
introductions
marvin-in-the-wild
pacc-clearcover-june-12-2023
pacc-may-31-2023
ppcc-may-16-2023
prefect-ai
prefect-aws
prefect-azure
prefect-cloud
prefect-community
prefect-contributors
prefect-dbt
prefect-docker
prefect-gcp
prefect-getting-started
prefect-integrations
prefect-kubernetes
prefect-recipes
prefect-server
prefect-ui
random
show-us-what-you-got
Title
b
bruno.corucho
07/10/2020, 1:51 PMDon't mind, adding another question... š£
Topic: Cloud Secrets
Context: My flow is dependent on some Secrets I added to the cloud. I have a custom dockerfile that tries to set things up, with the following code:
COPY configuration /opt/strdata-prefect/configuration
ENV PREFECT__USER_CONFIG_PATH /opt/strdata-prefect/configuration/config.tomlbackend = "cloud"
[cloud]
use_local_secrets = false
[cloud.agent]
name = "strdata-agent"
# Setting it to `DEBUG` for verbose logging
level = "DEBUG"
[logging]
# The logging level: NOTSET, DEBUG, INFO, WARNING, ERROR, or CRITICAL
level = "DEBUG"
# Send logs to Prefect Cloud
log_to_cloud = true
# Extra loggers for Prefect log configuration
extra_loggers = "[]"ValueError: Local Secret "REDSHIFT_PASSWORD" was not found.n
nicholas
07/10/2020, 1:53 PMHi @bruno.corucho - can you confirm you see that secret in the Cloud UI?
b
bruno.corucho
07/10/2020, 1:54 PM1sec, will get you that @nicholas
š 1
Yup,
Also, as you can see, it's still trying to fetch the local secrets š maybe im doing something wrong with my dockerfile or perhaps the environment variable name?
n
nicholas
07/10/2020, 1:57 PMOh! Do you have a
config.toml~/.prefectTake a look at this section of the config page for where that's supposed to go
b
bruno.corucho
07/10/2020, 2:00 PMno, I dont. I'm trying to change the default path to /opt/strdata-prefect/configuration/config.toml by using PREFECT__USER_CONFIG_PATH env. name
n
nicholas
07/10/2020, 2:06 PMGot it @bruno.corucho - so it's possible you have an environment variable for local secrets overriding what's in your config, or that the user config path is incorrect (or not present for whatever reason). If you don't have that environment variable set (
printenvl
Luis Muniz
07/10/2020, 3:28 PMHi @nicholas I have a followup on this issue
š 1
We have determined that we need to add a directive in our Dockerfile
We had the error:
ValueError Local Secret "REDSHIFT_PASSWORD" was not found.ENV PREFECT__CONTEXT__SECRETS__REDSHIFT_PASSWORD "unused"so basically, while registering the flow
prefect calls a healthcheck function
and this function tries to resolve the secrets
and because there is no local secret set up (we are only trying to register the flow, not run it locally)
the register fails during the healthcheck step
The full error trace:
Beginning health checks...
System Version check: OK
Traceback (most recent call last):
File "/opt/prefect/healthcheck.py", line 117, in <module>
flows = cloudpickle_deserialization_check(flow_file_path)
File "/opt/prefect/healthcheck.py", line 39, in cloudpickle_deserialization_check
flows.append(cloudpickle.load(f))
File "/opt/strdata-prefect/strdata/twitch_tasks/collect_streamers.py", line 19, in <module>
API_CLIENT_ID = Secret("API_CLIENT_ID").get() # os.environ["API_CLIENT_ID"]
File "/usr/local/lib/python3.8/site-packages/prefect/client/secrets.py", line 163, in get
raise ValueError(
ValueError: Local Secret "API_CLIENT_ID" was not found.(now it's complaining about another secret, not REDSHIFT _PASSWORD anymore)
So i guess my question is why?
(in case it's not clear I am one of @bruno.coruchoās coworkers)
n
nicholas
07/10/2020, 3:58 PM@Luis Muniz or @bruno.corucho can you share your flow code or a min reproducible example of what you're seeing? I think you may be doing something weird with the secrets cause those shouldn't be resolving on serialization
l
Luis Muniz
07/10/2020, 4:15 PMhi, working on it
is a zip file OK for you?
n
nicholas
07/10/2020, 4:22 PMSure, that'll work
l
Luis Muniz
07/10/2020, 5:19 PMI will try to explain this as well as I can, as I am a python newb.
We were initializing our secrets by assigning them to global variables like this,
REDSHIFT_PASSWORD = Secret("REDSHIFT_PASSWORD").get()
#now defining a tesk
@task
def dosomething():
connect_to_redshift(REDSHIFT_PASSWORD)Apparently by loading this module, pyhton was executing the above assignment
n
nicholas
07/10/2020, 5:25 PM@Luis Muniz since
Secrets@task
def i_need_redshift(redshift_password):
password = redshift_password.get()
# do something with password
with Flow("your_flow") as flow:
redshift_password = Secret("REDSHIFT_PASSWORD")
i_need_redshift(redshift_password)@task
def i_need_redshift(redshift_password):
redshift_password = Secret("REDSHIFT_PASSWORD").get()
# do something with redshift_passwordWe discourage global variables as a rule because tasks are meant to be fully-encapsulated pieces of logic that are able to run independent of the python file they're written in
l
Luis Muniz
07/10/2020, 5:27 PMyes, that's what we found out while trying to create a reproducible example
that by moving them inline the code started working
b
bruno.corucho
07/10/2020, 5:27 PMUnfortunately, on the file where we're assigning our flow, we're importing all method and variables from the file where we have our tasks defined... rip emcapsulation
l
Luis Muniz
07/10/2020, 5:27 PMnow that you mention that they are tasks it makes total sense
that's kind of elegant actually
š 1
n
nicholas
07/10/2020, 5:29 PMYeah it sounds like it'll require a bit of reworking of the code, sorry about that @bruno.corucho - this is a more secure pattern though and prevents secrets from leaking into an unintended context
If you have any more questions about those, feel free to open up a new thread š
b
bruno.corucho
07/10/2020, 5:29 PMtrue, we did not bother about refactoring this code was we were more focused on the full flow executation than the code itself xD
š 1
thanks in advance, sorry for the possible extra time you took on this
n
nicholas
07/10/2020, 5:30 PMNo worries at all, happy to help: )
l
Luis Muniz
07/10/2020, 5:30 PMthanks guys you rock, stellar support