Use local secrets in prefect 2

Skam · January 10, 2023, 11:07am

Hello,

After moving from Prefect 1 to Prefect 2, one of the feature that I miss is the possibility to set local secrets via environment variables.

The only way I have found to manage secrets in a dev environment in prefect 2 is:

to create an entirely new workspace dedicated to dev
create secrets blocks.
Have everyone that needs these secrets to connect to the dev workspace.

However, it also means that I have to manually set every single new secret that my team may need to use; or let them manage existing secrets (which is not ideal security wise)

I was just wondering if there was a way to manage secrets locally with Prefect 2 that I may have missed ?

Thanks in advance

anna_geller · January 10, 2023, 1:45pm

You’re totally right, that’s still missing but it’s on the roadmap, you can track it here:

github.com/PrefectHQ/prefect

Add support for storing data that can be retrieved at runtime (e.g. static variables, key-value pairs, and more)

opened 01:45AM - 14 Sep 22 UTC

anna-geller

feature needs:design

### First check - [X] I added a descriptive title to this issue. - [X] I use…d the GitHub search to find a similar request and didn't find it. - [X] I searched the Prefect documentation for this feature. ### Prefect Version 2.x ### Describe the current behavior Currently, to store variables, users leverage JSON Blocks. However, blocks are most helpful for connecting stateful configuration with business logic and might be too "heavy" for simple use cases that require storing small pieces of data such as key-value pairs, lookup values or even entire JSON objects. ### Describe the proposed behavior - Add a lightweight interface allowing users to store such data - Make this performant enough even if this data needs to be frequently updated and retrieved ### Example Use Cases - Backfilling - Storing threshold values - Simple lookups (e.g. last timestamp scraped) ### Additional context Related discussion https://github.com/PrefectHQ/prefect/issues/6795

LittleBoots · March 31, 2023, 3:58pm

You can work around this and avoid creating another workspace by reading in a dev/prod prefix/suffix from a local file during deployment and set it as a parameter for your flow. Then you can append the same prefix/suffix to your secret blocks that need to swap based on your current environment.

deployment

from prefect.deployments import Deployment
from pythonscript import flowname
from os import getenv
from mods.secrets import secrets

def deploy():
    ## some module to load local environment vars
    secrets.load_env_vars()

    deployment = Deployment.build_from_flow(
        flow=flowname,
        name="common_flow_name",
### set flow parameter to 'dev' or 'prod' from local .env 
        parameters={"testProd_ind": getenv("Environment")},
        work_pool_name=getenv("work_pool"),
        work_queue_name=getenv("work_queue")
    )
    deployment.apply()

if __name__ == "__main__":
    deploy()

code in flow

from prefect import task, flow, get_run_logger
from prefect.blocks.system import Secret

@flow(name='common_flow_name')
def flowname(testProd_ind: str = 'dev'):
    
    secret_block_name = 'db-password-' + testProd_ind
    secret_block = Secret.load(secret_block_name )
    secret_block .get()