Is there any way to separate secrets for different...
# prefect-community
j
Is there any way to separate secrets for different flows? The use case is we have some jobs that interact with our PostgreSQL DB, some are for pulling data so we would like to keep those with read-only credentials and others are ETL so they need read-write. We would like to avoid allowing users to inadvertently create flows that might end up deleting data. Is there a concept of namespace or some other mechanism for segmentation? So for example if Flow A runs and pulls secret `my_password` it'll be a different password compared to if Flow B pulls the same secret?
k
Good morning @Jacob Blanco! I'll have to do some digging for you, but as far as I'm aware there isn't a way to namespace a secret in this way, besides configuring the secret to read a changing global variable specified in each local execution environment (reading directly from the environment variables or local `prefect.context.secrets`).
Let me try to get some more insight.
j
Oh hey @Kyle Moon-Wright thank you so much. Interesting idea on the execution environment.
k
You can also pass the environment variable to the agent itself with an `-e` flag, which can be labeled to apply to specific flows... but this seems like a pretty slippery slope to me.
Out of curiosity: how would you ideally want to namespace the secret? By flow name, project, label, or maybe something else? 🤔
j
It would be interesting to have this available by project. It's kinda the setup we have now, we have different AWS ECS services that get deployed and we pull parameters from AWS Parameter Store as environment variables when deploying the docker container in ECS. The name of the variables stays the same across the different services but the path is different. I guess we could replicate something like that now by prepending the project name to the secret name `"my_project/postgres_user"`