Hey all, I have been using local secrets in my production flows for a while. I want to use some other key-value store for my secrets, as it is the secure and intended way. I haven’t found much in the docs, how would I be telling Prefect Core where and how it should access this new

Secrets

store, say AWS Secrets Manager

There has been an issue proposed for a more adaptable Secrets API https://github.com/PrefectHQ/prefect/issues/1346 which I don’t think would be difficult to implement. The Prefect secret manager definitely isn’t intended to be the only option. cc @Chris White we should consider this again

Subclassing

Secret

indeed seems like the most flexible solution. It could even work right now, without adding anything else than the subclass. I’d rather wait for official support though. Can you estimate a rough ETA, pretty please.

I believe the next release of Prefect is being cut today so it could probably be fit into the release after which would come in a couple weeks. In the mean time your best bet would be to call your AWS secret store in its own function with whichever implementation you would use in the overridden Secret class to retrieve the secrets.

why not just call boto directly?

Main concern is abstraction. Using the Secret API, I can switch easily between local secrets for development and remote secrets for production. Would also make a possible transition to Prefect Cloud easier.