How to use PrefectSecret with (Azure) Task Library and what are the differences between secrets in a module vs. Flow scope?

ahuang11 · February 23, 2022, 11:55pm

with Flow("example") as flow:
    my_secret = PrefectSecret("MYSECRET")
    res = my_task(credentials=my_secret)

I expected this to work:

from prefect import Flow
from prefect.tasks.secrets import PrefectSecret
from prefect.tasks.azure.blobstorage import BlobStorageDownload

secret = PrefectSecret("azure")

task = BlobStorageDownload(
        azure_credentials_secret=secret,
        container="prefect"
)
task.run(blob_name="prefect.txt")

Resulting in this error:
ValueError: Local Secret "<Task: azure>" was not found.

But actually, I needed to get rid of PrefectSecret

from prefect import Flow
from prefect.tasks.secrets import PrefectSecret
from prefect.tasks.azure.blobstorage import BlobStorageDownload

secret = "azure"

task = BlobStorageDownload(
        azure_credentials_secret=secret,
        container="prefect"
)
task.run(blob_name="prefect.txt")

Should PrefectSecret work with azure_credentials_secret?

anna_geller · February 24, 2022, 10:32am

Good question. First, you can use this setting to ensure you are using Secrets from Cloud backend rather than local secrets:

export PREFECT__CLOUD__USE_LOCAL_SECRETS=false

Then, calling PrefectSecret doesn’t work on the module level, only within the Flow block since this task retrieves secrets at runtime, and module scope gets interpreted at build time (e.g. when you register or visualize your flow). So you would usually need to do that instead:

from prefect import Flow
from prefect.tasks.secrets import PrefectSecret
from prefect.tasks.azure.blobstorage import BlobStorageDownload


azure_task = BlobStorageDownload(container="prefect")

with Flow("example") as flow:
    my_secret = PrefectSecret("azure")
    res = azure_task(azure_credentials_secret=my_secret)

But when you look at the docs of the BlobStorageDownload task Azure Tasks | Prefect Docs you’ll see that it expects the name of the Secret, rather than the secret itself. That’s why you don’t need to retrieve this Secret yourself, as this task does it for you.

from prefect import Flow
from prefect.tasks.azure.blobstorage import BlobStorageDownload


azure_task = BlobStorageDownload(container="prefect", 
                                azure_credentials_secret="secret")

with Flow("example") as flow:
    res = azure_task()

Lastly, if you want to use a Secret when running a standalone task without the Flow context, you can use Secret from the client with .get():

from prefect.client.secrets import Secret

secret = Secret("azure").get()

some_task = SomeTaskThatNeedsSecretValueRatherThanSecretName(
    secret_value=secret,
)
some_task.run()

ahuang11 · February 24, 2022, 5:01pm

Thanks for the detailed answer!

Topic		Replies	Views
What are best practices for using Prefect secrets within Prefect tasks? Archive prefect-1-0 , secrets , script-storage , pickle-storage , security	0	1512	March 9, 2022
When registering my flow, I get an error: ValueError: Local Secret "AZURE_STORAGE_CONNECTION_STRING" was not found Archive prefect-1-0 , cloud-1-0 , storage , deployment , defaults , secrets , environment-variable , flow-registration , azure	0	851	January 26, 2022
Obscure Secret in Prefect UI with Pydantic Archive prefect-2-0 , pydantic , secrets	1	1359	June 22, 2023
Prefect Collection for interacting with Azure in your flows: prefect-azure Archive prefect-2-0 , azure , azure-blob-storage , prefect-collections	0	646	July 4, 2022
Parameterizing Secrets in Flows and Tasks Archive prefect-1-0 , parameters , secrets	0	608	April 21, 2022

How to use PrefectSecret with (Azure) Task Library and what are the differences between secrets in a module vs. Flow scope?

Related Topics