Channels
#prefect-community
Title
# prefect-community
b
bruno.corucho
07/10/2020, 1:51 PMDon't mind, adding another question... š£
Topic: Cloud Secrets
Context: My flow is dependent on some Secrets I added to the cloud. I have a custom dockerfile that tries to set things up, with the following code:
Copy code
COPY configuration /opt/strdata-prefect/configuration
ENV PREFECT__USER_CONFIG_PATH /opt/strdata-prefect/configuration/config.toml Copy code
backend = "cloud"
[cloud]
use_local_secrets = false
[cloud.agent]
name = "strdata-agent"
# Setting it to `DEBUG` for verbose logging
level = "DEBUG"
[logging]
# The logging level: NOTSET, DEBUG, INFO, WARNING, ERROR, or CRITICAL
level = "DEBUG"
# Send logs to Prefect Cloud
log_to_cloud = true
# Extra loggers for Prefect log configuration
extra_loggers = "[]" Copy code
ValueError: Local Secret "REDSHIFT_PASSWORD" was not found.n
nicholas
07/10/2020, 1:53 PM
Hi @bruno.corucho - can you confirm you see that secret in the Cloud UI?
b
bruno.corucho
07/10/2020, 1:54 PM1sec, will get you that @nicholas
š 1
Yup,
Also, as you can see, it's still trying to fetch the local secrets š maybe im doing something wrong with my dockerfile or perhaps the environment variable name?
n
nicholas
07/10/2020, 1:57 PM
Oh! Do you have a
config.toml~/.prefectTake a look at this section of the config page for where that's supposed to go
b
bruno.corucho
07/10/2020, 2:00 PMno, I dont. I'm trying to change the default path to /opt/strdata-prefect/configuration/config.toml by using PREFECT__USER_CONFIG_PATH env. name
n
nicholas
07/10/2020, 2:06 PM
Got it @bruno.corucho - so it's possible you have an environment variable for local secrets overriding what's in your config, or that the user config path is incorrect (or not present for whatever reason). If you don't have that environment variable set (
printenvl
Luis Muniz
07/10/2020, 3:28 PMHi @nicholas I have a followup on this issue
š 1
We have determined that we need to add a directive in our Dockerfile
We had the error:
Copy code
ValueError Local Secret "REDSHIFT_PASSWORD" was not found. Copy code
ENV PREFECT__CONTEXT__SECRETS__REDSHIFT_PASSWORD "unused"so basically, while registering the flow
prefect calls a healthcheck function
and this function tries to resolve the secrets
and because there is no local secret set up (we are only trying to register the flow, not run it locally)
the register fails during the healthcheck step
The full error trace:
Copy code
Beginning health checks...
System Version check: OK
Traceback (most recent call last):
File "/opt/prefect/healthcheck.py", line 117, in <module>
flows = cloudpickle_deserialization_check(flow_file_path)
File "/opt/prefect/healthcheck.py", line 39, in cloudpickle_deserialization_check
flows.append(cloudpickle.load(f))
File "/opt/strdata-prefect/strdata/twitch_tasks/collect_streamers.py", line 19, in <module>
API_CLIENT_ID = Secret("API_CLIENT_ID").get() # os.environ["API_CLIENT_ID"]
File "/usr/local/lib/python3.8/site-packages/prefect/client/secrets.py", line 163, in get
raise ValueError(
ValueError: Local Secret "API_CLIENT_ID" was not found.(now it's complaining about another secret, not REDSHIFT _PASSWORD anymore)
So i guess my question is why?
(in case it's not clear I am one of @bruno.coruchoās coworkers)
n
nicholas
07/10/2020, 3:58 PM
@Luis Muniz or @bruno.corucho can you share your flow code or a min reproducible example of what you're seeing? I think you may be doing something weird with the secrets cause those shouldn't be resolving on serialization
l
Luis Muniz
07/10/2020, 4:15 PMhi, working on it
is a zip file OK for you?
n
nicholas
07/10/2020, 4:22 PM
Sure, that'll work
l
Luis Muniz
07/10/2020, 5:19 PMI will try to explain this as well as I can, as I am a python newb.
We were initializing our secrets by assigning them to global variables like this,
Copy code
REDSHIFT_PASSWORD = Secret("REDSHIFT_PASSWORD").get()
#now defining a tesk
@task
def dosomething():
connect_to_redshift(REDSHIFT_PASSWORD)Apparently by loading this module, pyhton was executing the above assignment
n
nicholas
07/10/2020, 5:25 PM
@Luis Muniz since
Secrets Copy code
@task
def i_need_redshift(redshift_password):
password = redshift_password.get()
# do something with password
with Flow("your_flow") as flow:
redshift_password = Secret("REDSHIFT_PASSWORD")
i_need_redshift(redshift_password) Copy code
@task
def i_need_redshift(redshift_password):
redshift_password = Secret("REDSHIFT_PASSWORD").get()
# do something with redshift_passwordWe discourage global variables as a rule because tasks are meant to be fully-encapsulated pieces of logic that are able to run independent of the python file they're written in
l
Luis Muniz
07/10/2020, 5:27 PMyes, that's what we found out while trying to create a reproducible example
that by moving them inline the code started working
b
bruno.corucho
07/10/2020, 5:27 PMUnfortunately, on the file where we're assigning our flow, we're importing all method and variables from the file where we have our tasks defined... rip emcapsulation
l
Luis Muniz
07/10/2020, 5:27 PMnow that you mention that they are tasks it makes total sense
that's kind of elegant actually
š 1
n
nicholas
07/10/2020, 5:29 PM
Yeah it sounds like it'll require a bit of reworking of the code, sorry about that @bruno.corucho - this is a more secure pattern though and prevents secrets from leaking into an unintended context
If you have any more questions about those, feel free to open up a new thread š
b
bruno.corucho
07/10/2020, 5:29 PMtrue, we did not bother about refactoring this code was we were more focused on the full flow executation than the code itself xD
š 1
thanks in advance, sorry for the possible extra time you took on this
n
nicholas
07/10/2020, 5:30 PM
No worries at all, happy to help: )
l
Luis Muniz
07/10/2020, 5:30 PMthanks guys you rock, stellar support
2 Views