Is there any way to separate secrets for different...
# prefect-community
Is there any way to separate secrets for different flows? The use case is we have some jobs that interact with our PostgreSQL DB, some are for pulling data so we would like to keep those with read-only credentials and others are ETL so they need read-write. We would like to avoid allowing users to inadvertently create flows that might end up deleting data. Is there a concept of namespace or some other mechanism for segmentation? So for example if Flow A runs and pulls secret
it'll be different a different password compared to if Flow B pulls the same secret?
Good morning @Jacob Blanco! I'll have to do some digging for you, but as far as I'm aware there isn't a way to namespace a secret in this way, besides configuring the secret to read a changing global variable specified in each local execution environment (reading directly from the environment variables or local
Let me try to get some more insight.
Oh hey @Kyle Moon-Wright thank you so much. Interesting idea on the execution environment.
You can also pass the environment variable to the agent itself with an
flag, which can be labeled to apply to specific flows... but this seems like a pretty slippery slope to me.
Out of curiosity: how would you ideally want to namespace the secret? By flow name, project, label, or maybe something else? 🤔
It would be interesting to have this available by project. It's kinda the setup we have now, we have different AWS ECS services that get deployed and we pull parameters from AWS Parameter Store as environment variables when deploying the docker container in ECS. The name of the variables stays the same across the different services but the path is different. I guess we could replicate something like that now by prepending the project name to the secret name