Anybody have experience with a different AWS Access Key ID than what’s in their Secrets showing up in the boto3 session?

boto3.Session().get_credentials().access_key

vs.

PrefectSecret("AWS_CREDENTIALS")["ACCESS_KEY"]

Pretty sure I followed these instructions: https://docs.prefect.io/core/concepts/secrets.html#default-secrets. Both values are keys, but the one in the boto3 session is not one that I recognize.

Hi! boto3 itself doesn’t know how to access the Prefect secrets so if you use it directly like that it falls back on its more low-level configuration hierarchy to find which credentials you want from get_credentials() so I imagine the ones you are seeing from that must be in one of those levels (which vary from environment variables up to special AWS role/iam magic if this is on compute hosted on AWS, the list is here: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html#configuring-credentials) The Prefect secret is only used by Prefect as a default whenever something at the Prefect level has to talk to AWS. Basically it comes down to this line; anytime Prefect tries to talk to AWS it goes through this utility, which will try and grab your

AWS_CREDENTIALS

secret for you if it didn’t get the creds some other way (https://github.com/PrefectHQ/prefect/blob/master/src/prefect/utilities/aws.py#L36) If you want to instantiate a boto client in custom task code that takes advantage of prefect secrets, you can either run the PrefectSecret task first in the flow graph and pass those credentials in to your custom task as arguments, or you can have any boto3 client you instantiate directly do something similar to that utility function I linked above (or use it directly!). The latter is how the prefect task library gets away with it for example: https://github.com/PrefectHQ/prefect/blob/master/src/prefect/tasks/aws/lambda_function.py#L125