Hi Prefect community, I am facing issue while registering flows in prefect and getting below error, Can anyone please help me with this.:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::xxx:assumed-role/code_deployments-role/iddoc- is not authorized to perform: secretsmanager:GetSecretValue on resource: 4i-adl-config because no identity-based policy allows the secretsmanager:GetSecretValue action

Hey Sam! Could you provide a code example or larger traceback for where this error comes from? I'm wondering if it's being caused by a push to S3, Docker, etc.

Hi Chris, please find the larger traceback of this error:

Logged in to Prefect Cloud tenant 'Default' (default)
Collecting flows...
Error loading '4i_ffs_vtapm_prvdr_rsp_process/4i_ffs_vtapm_prvdr_rsp_process.py':
  Traceback (most recent call last):
    File "/home/ec2-user/.local/lib/python3.7/site-packages/prefect/cli/build_register.py", line 134, in load_flows_from_script
    namespace = runpy.run_path(abs_path, run_name="<flow>")
    File "/usr/lib64/python3.7/runpy.py", line 263, in run_path
    pkg_name=pkg_name, script_name=fname)
    File "/usr/lib64/python3.7/runpy.py", line 96, in _run_module_code
    mod_name, mod_spec, pkg_name, script_name)
    File "/usr/lib64/python3.7/runpy.py", line 85, in _run_code
    exec(code, run_globals)
    File "/tmp/4i-prefect-flows/src/flows/4i_ffs_vtapm_prvdr_rsp_process/4i_ffs_vtapm_prvdr_rsp_process.py", line 62, in <module>
    adl_secrets = adl_config.envConfig('4i-adl-config')
    File "/tmp/4i-prefect-flows/src/flows/4i_ffs_vtapm_prvdr_rsp_process/4i_ffs_vtapm_prvdr_rsp_process.py", line 37, in envConfig
    get_4i_adl_secret_value = client.get_secret_value(SecretId=secret_name)
    File "/home/ec2-user/.local/lib/python3.7/site-packages/botocore/client.py", line 508, in _api_call
    return self._make_api_call(operation_name, kwargs)
    File "/home/ec2-user/.local/lib/python3.7/site-packages/botocore/client.py", line 915, in _make_api_call
    raise error_class(parsed_response, operation_name)
  botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::xxx:assumed-role/code_deployments-role/iddoc-test is not authorized to perform: secretsmanager:GetSecretValue on resource: 4i-adl-config because no identity-based policy allows the secretsmanager:GetSecretValue action

I can’t tell what you are trying to do from the traceback. Do you have a code sample?

I am getting this error while registering prefect, below is the sample example:

Yes but these aren’t Prefect logs so I need to see if you are using S3Storage or if you’re doing something else with boto3 outside of Prefect

1) Python script in flows directory, need to register using python prefect tool ( we have steps in this repo - https://github.cms.gov/iddoc/prefect-examples ) 2) Anything in sync directory, need to sync to s3 bucket ( 4i-prefect-flows-env ) 4i-prefect-flows-test/scripts/

I can’t sign in the thing. The error says it comes from this line:

get_4i_adl_secret_value = client.get_secret_value(SecretId=secret_name)

which is not a Prefect line. Do you have this line in your code?

no we dont have this line in our code.

The traceback shows your file though I think:

flows/src/flows/4i_ffs_vtapm_prvdr_rsp_process/4i_ffs_vtapm_prvdr_rsp_process.py", line 37, in envConfig
    get_4i_adl_secret_value = client.get_secret_value(SecretId=secret_name)

or are you importing in this line from somewhere?

yes we are exporting secret keys

This is the line throwing an error. Looks like you don’t have permissions to?