Hi! What’s the correct way to set the `PREFECT__C...
# prefect-communitym
Mars
05/02/2022, 3:16 PMHi! What’s the correct way to set the
PREFECT__CONTEXT__SECRETS__GITHUB_ACCESS_TOKENprefect agent kubernetes install--envenv:k
Kevin Kho
05/02/2022, 3:21 PM
I believe both will work. You can find more info here also to compare
m
Mars
05/02/2022, 3:32 PMI’m following the Orchestrating ELT on Kubernetes with Prefect, dbt & Snowflake article. The k8s object that
kubernetes installa
Anna Geller
05/02/2022, 3:34 PM
this post was built for Prefect Cloud, so you need to adjust it to make it work with Prefect Server
there is no Secrets backend on Server, that's why you need to set local secrets. When people use Kubernetes, they usually deploy Server with a helm chart and what Kevin shared, shows how you can set local secrets in various Server deployments incl. Helm chart
m
Mars
05/02/2022, 3:35 PMI’m using cloud
a
Anna Geller
05/02/2022, 3:35 PM
Awesome! So you don't need to use PREFECT__CONTEXT__SECRETS__GITHUB_ACCESS_TOKEN. You can add Secrets via Prefect Cloud UI
k
Kevin Kho
05/02/2022, 3:36 PM
Oh yeah my Anna is right, just pull it from Cloud directly
m
Mars
05/02/2022, 3:36 PMalright, what about secrets that I want to stay on the agent, in our k8s environment?
a
Anna Geller
05/02/2022, 3:37 PM
why would you want to do that?
you can always set Kubernetes secrets and retrieve those in your flow via environment variables
k
Kevin Kho
05/02/2022, 3:37 PM
You can’t mix and match the
PrefectSecreta
Anna Geller
05/02/2022, 3:38 PM
but then you don't take advantage of the Cloud Secrets backend in Prefect Cloud that works across environments and which will likely save you some headache because e.g. you can retrieve the same Secret in a local run on your laptop and in a production run on a Kubernetes cluster
m
Mars
05/02/2022, 4:11 PMI take it that Cloud Secrets are part of the Starter plan, and are not on the Free plan? I ask because my dashboard lefthand menu does not have all the entries I see in the Secrets docs 🙂
a
Anna Geller
05/02/2022, 4:33 PM
Secrets are available on all Cloud plans
Anna Geller
05/02/2022, 4:34 PM
perhaps you are doing it in Cloud 2.0? 🙂 Can you share the URL and some screenshots?
Anna Geller
05/02/2022, 4:34 PM
m
Mars
05/02/2022, 4:42 PMah, my fault. I do have the option, it just isn’t where I expected it to be in the UI. I’ve been ignoring the Team menu because everything in the UI makes me think I’m on a single-user plan, or that “Teams is an enterprise feature”.
👍 1
Mars
05/02/2022, 4:43 PMa
Anna Geller
05/02/2022, 4:49 PM
Gotcha. Nice we figured that out 🙌
m
Mars
05/02/2022, 4:59 PMI think trying out the Prefect Server UI first confused things too. There are no Teams on Server so you learn to ignore the whole Team concept. When you move from Server to Cloud there is no “Cloud” menu that says there is a bunch of new functionality you should explore.
upvote 2
a
Anna Geller
05/02/2022, 5:02 PM
that's an interesting point, and one that will get easier as Cloud 2.0 builds on the OSS Orion UI in a (hopefully) less confusing way.
m
Mateo Merlo
05/08/2022, 1:02 PM@Mars Would you mind to share how did you do to use secrets and pass this value to kubernetes agent?
Mateo Merlo
05/08/2022, 1:04 PMI'm struggling to solve this because I need to set GOOGLE_APPLICATION_CREDENTIALS to allow agent get flows from Google Cloud Storage
Mateo Merlo
05/08/2022, 1:05 PMI've tried using kubernetes secrets and load them as env variables or mounting a volume with this secrets but nothing seems to work
a
Anna Geller
05/08/2022, 2:04 PM
did you try using the Prefect option with storing it as Prefect Secret in the UI?
m
Mateo Merlo
05/08/2022, 2:17 PMI'm trying to do it with Github now
Mateo Merlo
05/08/2022, 2:21 PMI created a token in github and saved in Prefect Cloud as GITHUB_ACCESS_TOKEN.
My storage is:
Copy code
STORAGE = GitHub(
repo="mateo2181/my-repo",
path=f"flows/{FLOW_NAME}.py",
access_token_secret="GITHUB_ACCESS_TOKEN"
) Copy code
RUN_CONFIG = KubernetesRun(labels=[AGENT_LABEL])a
Anna Geller
05/08/2022, 2:28 PM
I see - no need to set any Kubernetes secrets or env variables when using Prefect Secrets, setting the secret with a name GITHUB_ACCESS_TOKEN and value of your token should be enough
Anna Geller
05/08/2022, 2:28 PM
what error do you get?
m
Mateo Merlo
05/08/2022, 2:34 PMa
Anna Geller
05/08/2022, 2:35 PM
adding this env variable should fix it:
Copy code
export PREFECT__CLOUD__USE_LOCAL_SECRETS=falsem
Mateo Merlo
05/08/2022, 2:39 PMThat should be in Kubernetes agent?
Mateo Merlo
05/08/2022, 2:47 PMI got same error
Mateo Merlo
05/08/2022, 2:48 PMthis env var PREFECT__BACKEND should be always sever? I'm using Prefect Cloud
a
Anna Geller
05/08/2022, 2:48 PM
nope, you can remove this variable entirely if you are on Cloud - Cloud is the default
m
Mateo Merlo
05/08/2022, 2:58 PMWorks now! I think the error was in line PREFECT__BACKEND.
If I want to read files from GCS, I would need to set up a json credentials file, which is the recommended way to do that? using Secrets? Put the json content inside the Secret variable would work?
k
Kevin Kho
05/08/2022, 4:28 PM
Yes that sounds right if you are using the Prefect tasks it will use the Secret to load. It will all back to json credentials on the execution environment though if the Secret is not there so you can use either
m
Mateo Merlo
05/09/2022, 7:02 AMThanks @Kevin Kho @Anna Geller!!
👍 1
6 Views