If you set up a storage with cloud connected, where are the secrets stored (e.g. AWS secret access key)? on the local machine or on cloud?

Prefect is based on a hybrid execution model so that all your code, data, and secrets remain in your infrastructure and can be managed entirely by you. Prefect Cloud doesn't need to have access to any of that. Does it answer your question?

If you are using Prefect cloud you could do it either way. You could set them in the Prefect Cloud UI and they would be stored on Prefect’s end in their cloud. Or you could set them locally via a config file or environment variables. If you are setting them locally. They need to be available during flow execution. This would vary based on the run config. If you are using a LocalRun, it would need to be on the machine with the agent installed. If you are using DockerRun, it would need to be available in the docker container that runs, etc. https://docs.prefect.io/orchestration/concepts/secrets.html

sorry forgot to mention my question is about orion

Gotcha, I’ll have to defer to the other smart people as I haven’t used Orion enough to help here 🙂

It would need to be as env vars for now as Prefect 2.0 doesn’t have secrets yet so you just need your execution environment authentication to pull from S3 for example