https://prefect.io logo
#prefect-community
Title
# prefect-community
m

Mars

05/02/2022, 3:16 PM
Hi! What’s the correct way to set the
PREFECT__CONTEXT__SECRETS__GITHUB_ACCESS_TOKEN
variable in the k8s manifest created by
prefect agent kubernetes install
? Do I have to use the
--env
switch or can I provide the value by editing the generated deployment container’s
env:
list directly?
k

Kevin Kho

05/02/2022, 3:21 PM
I believe both will work. You can find more info here also to compare
m

Mars

05/02/2022, 3:32 PM
I’m following the Orchestrating ELT on Kubernetes with Prefect, dbt & Snowflake article. The k8s object that
kubernetes install
generates is a Deployment. There is no mention of a Job template. Is there a step I’m missing from the article where the GitHub token is provided?
a

Anna Geller

05/02/2022, 3:34 PM
this post was built for Prefect Cloud, so you need to adjust it to make it work with Prefect Server there is no Secrets backend on Server, that's why you need to set local secrets. When people use Kubernetes, they usually deploy Server with a helm chart and what Kevin shared, shows how you can set local secrets in various Server deployments incl. Helm chart
m

Mars

05/02/2022, 3:35 PM
I’m using cloud
a

Anna Geller

05/02/2022, 3:35 PM
Awesome! So you don't need to use PREFECT__CONTEXT__SECRETS__GITHUB_ACCESS_TOKEN. You can add Secrets via Prefect Cloud UI
k

Kevin Kho

05/02/2022, 3:36 PM
Oh yeah my Anna is right, just pull it from Cloud directly
m

Mars

05/02/2022, 3:36 PM
alright, what about secrets that I want to stay on the agent, in our k8s environment?
a

Anna Geller

05/02/2022, 3:37 PM
why would you want to do that? you can always set Kubernetes secrets and retrieve those in your flow via environment variables
k

Kevin Kho

05/02/2022, 3:37 PM
You can’t mix and match the
PrefectSecret
task to pull from both local and Cloud. It’s configured to pull from one source
a

Anna Geller

05/02/2022, 3:38 PM
but then you don't take advantage of the Cloud Secrets backend in Prefect Cloud that works across environments and which will likely save you some headache because e.g. you can retrieve the same Secret in a local run on your laptop and in a production run on a Kubernetes cluster
m

Mars

05/02/2022, 4:11 PM
I take it that Cloud Secrets are part of the Starter plan, and are not on the Free plan? I ask because my dashboard lefthand menu does not have all the entries I see in the Secrets docs 🙂
a

Anna Geller

05/02/2022, 4:33 PM
Secrets are available on all Cloud plans
perhaps you are doing it in Cloud 2.0? 🙂 Can you share the URL and some screenshots?
m

Mars

05/02/2022, 4:42 PM
ah, my fault. I do have the option, it just isn’t where I expected it to be in the UI. I’ve been ignoring the Team menu because everything in the UI makes me think I’m on a single-user plan, or that “Teams is an enterprise feature”.
👍 1
a

Anna Geller

05/02/2022, 4:49 PM
Gotcha. Nice we figured that out 🙌
m

Mars

05/02/2022, 4:59 PM
I think trying out the Prefect Server UI first confused things too. There are no Teams on Server so you learn to ignore the whole Team concept. When you move from Server to Cloud there is no “Cloud” menu that says there is a bunch of new functionality you should explore.
upvote 2
a

Anna Geller

05/02/2022, 5:02 PM
that's an interesting point, and one that will get easier as Cloud 2.0 builds on the OSS Orion UI in a (hopefully) less confusing way.
m

Mateo Merlo

05/08/2022, 1:02 PM
@Mars Would you mind to share how did you do to use secrets and pass this value to kubernetes agent?
I'm struggling to solve this because I need to set GOOGLE_APPLICATION_CREDENTIALS to allow agent get flows from Google Cloud Storage
I've tried using kubernetes secrets and load them as env variables or mounting a volume with this secrets but nothing seems to work
a

Anna Geller

05/08/2022, 2:04 PM
did you try using the Prefect option with storing it as Prefect Secret in the UI?
m

Mateo Merlo

05/08/2022, 2:17 PM
I'm trying to do it with Github now
I created a token in github and saved in Prefect Cloud as GITHUB_ACCESS_TOKEN. My storage is:
Copy code
STORAGE = GitHub(
    repo="mateo2181/my-repo",
    path=f"flows/{FLOW_NAME}.py",
    access_token_secret="GITHUB_ACCESS_TOKEN"
)
And my kubernetes config:
Copy code
RUN_CONFIG = KubernetesRun(labels=[AGENT_LABEL])
Should I pass GITHUB_ACCESS_TOKEN to KubernetesRun as env? Or should I do it in the yaml file that I use to run Kubernetes?
a

Anna Geller

05/08/2022, 2:28 PM
I see - no need to set any Kubernetes secrets or env variables when using Prefect Secrets, setting the secret with a name GITHUB_ACCESS_TOKEN and value of your token should be enough
what error do you get?
m

Mateo Merlo

05/08/2022, 2:34 PM
a

Anna Geller

05/08/2022, 2:35 PM
adding this env variable should fix it:
Copy code
export PREFECT__CLOUD__USE_LOCAL_SECRETS=false
m

Mateo Merlo

05/08/2022, 2:39 PM
That should be in Kubernetes agent?
I got same error
this env var PREFECT__BACKEND should be always sever? I'm using Prefect Cloud
a

Anna Geller

05/08/2022, 2:48 PM
nope, you can remove this variable entirely if you are on Cloud - Cloud is the default
m

Mateo Merlo

05/08/2022, 2:58 PM
Works now! I think the error was in line PREFECT__BACKEND. If I want to read files from GCS, I would need to set up a json credentials file, which is the recommended way to do that? using Secrets? Put the json content inside the Secret variable would work?
k

Kevin Kho

05/08/2022, 4:28 PM
Yes that sounds right if you are using the Prefect tasks it will use the Secret to load. It will all back to json credentials on the execution environment though if the Secret is not there so you can use either
m

Mateo Merlo

05/09/2022, 7:02 AM
Thanks @Kevin Kho @Anna Geller!!
👍 1
6 Views