Hello, I'm currently reevaluating prefect. You can...
# ask-community
n
Hello, I'm currently reevaluating prefect. You can securely store secrets locally for local execution. Is that correct? If it is, is there a process for backup/restore of a large amount of secrets, or some kind of import/export interface? Otherwise migrating to a new computer or passing secrets to a new teammate would quickly become a hassle if you have hundreds of secrets to manage.
n
hi @Niklaus
> some kind of import/export interface

you can think of prefect blocks like this, e.g. the `Secret` block
```python
In [1]: from prefect.blocks.system import Secret

In [2]: Secret(value=dict(marvins_3rd_party_api_key='sk-asdfasdf'))
Out[2]: Secret(value=Secret('**********'))

In [3]: _.save("some-block-name")
Out[3]: UUID('9527e230-b043-461c-84df-3432f2f39309')

In [4]: Secret.load("some-block-name").get()["marvins_3rd_party_api_key"]
Out[4]: 'sk-asdfasdf'
```
calling `.save` on the block saves it to the database. the `value` can be any valid JSON (including strings) and so you can choose how to namespace your secrets
n
Hi @Nate, thanks for your answer. So you could probably write a script to export/import secrets if you have a list of their block names. Do I understand correctly that there is no native functionality to backup/restore all local secrets? E.g. using a CLI command? (I could understand this design choice as it could also be a security risk, but it makes migrating to a new computer a hassle)
n
> So you could probably write a script to export/import secrets if you have a list of their block names

yep!

> that there is no native functionality to backup/restore all local secrets

secrets are just a type of block, and all blocks are stored in the db. there is no special handling to migrate secret blocks between databases, so a script would likely be the easiest way to do it!

> but it makes migrating to a new computer a hassle

fwiw, the developer computer doesn't need to have anything to do with the blocks you have in your db. N developers can save and load blocks from 1 server, and the block values (if saved) are stored/encrypted on the server, not the developer's computer (unless you're running the prefect server on the developer's computer that is, which is not common for production type environments)
n
Ah ok so the AI generated answer in the docs was wrong... how do you handle secrets for local dev environments then if you don't want to use the production secrets stored in server or cloud?
n
i wouldn’t say there’s one recommended way to manage dev secrets with prefect, because it depends on your use case and what’s ergonomic for that use case. Secret blocks are often used to store things like 3rd party api tokens. with cloud, people will often have a workspace for dev or stg where they save some secrets there and then a separate prod workspace with their prod deployments and the secrets used for them. a workspace is essentially like one server so if you’d be using open source it’d be same deal with separate servers instead of workspaces. i’ll also mention that oftentimes people never save secrets and instead opt to have their client execution environment (eg ECS service running a prefect worker with an attached execution ARN) load secrets at runtime from a third party store like Vault or Secrets Manager