Hi! What’s the correct way to set the

PREFECT__CONTEXT__SECRETS__GITHUB_ACCESS_TOKEN

variable in the k8s manifest created by

prefect agent kubernetes install

? Do I have to use the

--env

switch or can I provide the value by editing the generated deployment container’s

env:

list directly?

I believe both will work. You can find more info here also to compare

I’m following the Orchestrating ELT on Kubernetes with Prefect, dbt & Snowflake article. The k8s object that

kubernetes install

generates is a Deployment. There is no mention of a Job template. Is there a step I’m missing from the article where the GitHub token is provided?

this post was built for Prefect Cloud, so you need to adjust it to make it work with Prefect Server there is no Secrets backend on Server, that's why you need to set local secrets. When people use Kubernetes, they usually deploy Server with a helm chart and what Kevin shared, shows how you can set local secrets in various Server deployments incl. Helm chart

I’m using cloud

Awesome! So you don't need to use PREFECT__CONTEXT__SECRETS__GITHUB_ACCESS_TOKEN. You can add Secrets via Prefect Cloud UI

Oh yeah my Anna is right, just pull it from Cloud directly

alright, what about secrets that I want to stay on the agent, in our k8s environment?

why would you want to do that? you can always set Kubernetes secrets and retrieve those in your flow via environment variables

You can’t mix and match the

PrefectSecret

task to pull from both local and Cloud. It’s configured to pull from one source

but then you don't take advantage of the Cloud Secrets backend in Prefect Cloud that works across environments and which will likely save you some headache because e.g. you can retrieve the same Secret in a local run on your laptop and in a production run on a Kubernetes cluster

I take it that Cloud Secrets are part of the Starter plan, and are not on the Free plan? I ask because my dashboard lefthand menu does not have all the entries I see in the Secrets docs 🙂

Secrets are available on all Cloud plans

ah, my fault. I do have the option, it just isn’t where I expected it to be in the UI. I’ve been ignoring the Team menu because everything in the UI makes me think I’m on a single-user plan, or that “Teams is an enterprise feature”.

Gotcha. Nice we figured that out 🙌

I think trying out the Prefect Server UI first confused things too. There are no Teams on Server so you learn to ignore the whole Team concept. When you move from Server to Cloud there is no “Cloud” menu that says there is a bunch of new functionality you should explore.

that's an interesting point, and one that will get easier as Cloud 2.0 builds on the OSS Orion UI in a (hopefully) less confusing way.

@Mars Would you mind to share how did you do to use secrets and pass this value to kubernetes agent?

did you try using the Prefect option with storing it as Prefect Secret in the UI?

I'm trying to do it with Github now

I see - no need to set any Kubernetes secrets or env variables when using Prefect Secrets, setting the secret with a name GITHUB_ACCESS_TOKEN and value of your token should be enough

adding this env variable should fix it:

export PREFECT__CLOUD__USE_LOCAL_SECRETS=false

That should be in Kubernetes agent?

nope, you can remove this variable entirely if you are on Cloud - Cloud is the default

Works now! I think the error was in line PREFECT__BACKEND. If I want to read files from GCS, I would need to set up a json credentials file, which is the recommended way to do that? using Secrets? Put the json content inside the Secret variable would work?

Yes that sounds right if you are using the Prefect tasks it will use the Secret to load. It will all back to json credentials on the execution environment though if the Secret is not there so you can use either

Thanks @Kevin Kho @Anna Geller!!