Channels
pacc-may-31-2023
prefect-ai
pacc-clearcover-june-12-2023
marvin-in-the-wild
data-ecosystem
geo-israel
pacc-june-14-2023
geo-japan
pacc-london-2023
prefect-cloud
ppcc-may-16-2023
prefect-azure
prefect-docker
prefect-recipes
gratitude
geo-nyc
geo-bay-area
geo-boston
geo-london
geo-dc
geo-chicago
geo-berlin
geo-texas
geo-seattle
geo-colorado
prefect-community
data-tricks-and-tips
prefect-aws
prefect-gcp
introductions
find-a-prefect-job
prefect-dbt
random
events
ask-marvin
show-us-what-you-got
prefect-getting-started
prefect-integrations
prefect-contributors
best-practices-coordination-plane
announcements
prefect-server
prefect-ui
prefect-kubernetes
Title
d
Daniel Nilsen
04/19/2022, 10:24 AMis there a way to hide parameters? Let's say a flow requires a secret to work, and that secret is given as a param. Can I hide that from the logs and UI?
a
Anna Geller
04/19/2022, 10:35 AMDon't pass secrets as parameters 😄
There are several mechanisms for storing secrets:
• using Prefect secrets
• using external secrets manager
• leveraging environment variables
All of the above are better than using Secrets in parameters.
And to answer your question directly: there is no way of hiding that because there is no need for it - parameter values are just default configuration that can be optionally overridden at runtime. Here is a deep dive
d
Daniel Nilsen
04/19/2022, 10:37 AMthe secrets are dynamic and changes based on the flow run 🤔
a
Anna Geller
04/19/2022, 10:37 AMif you have some sensitive value but not a secret, perhaps the KV Store is an option worth considering?
are you dynamically changing say DB password? I can't think of a single use case when secrets would change dynamically with each flow run - can you explain your use case more?
especially then you should consider a secrets manager to update such frequently rotating secrets
d
Daniel Nilsen
04/19/2022, 10:44 AMare you dynamically changing say DB passwordlets say I did this. how would I hide the password from the logs?
a
Anna Geller
04/19/2022, 10:47 AMfor log specifically, you could add a log filter - here is an example I got from Kevin:
from prefect import task, Flow, Parameter
import time
import logging
import prefect
# Creating a filter
class SecureFilter(logging.Filter):
def filter(self, rec):
if 'secs' in rec.msg:
return 0
return 1
@task
def abc(x):
time.sleep(x)
return x
def get_logger():
logger = logging.getLogger("prefect.TaskRunner")
logger.addFilter(SecureFilter())
return logger
with Flow("timer flow") as flow:
logger = get_logger()
secs= Parameter("secs", 1)
abc.map([secs]*5)
flow.run()d
Daniel Nilsen
04/19/2022, 10:48 AMah, nice! Then it would be hidden from the UI as well?
a
Anna Geller
04/19/2022, 11:09 AMlog filters filter out logs so that those are not collected and not sent to Prefect Cloud backend
k
Kevin Kho
04/19/2022, 1:57 PMYou can dynamically change the Secret name you are passing right?
@task
def get_secret_name(env):
return env+"password"
with Flow(...) as flow:
env = Parameter("env", default="staging")
secret_name = get_secret_name(env)
pw = PrefectSecret()(secret_name)