Prefect Docs

# Secrets

Secret Tasks are preferred

While this Secrets API is fully supported, using a Prefect Secret Task is typically preferred for better reuse of Secret values and visibility into the secrets used within Tasks / Flows.

A Secret is a serializable object used to represent a secret key & value.

The value of the Secret is not set upon initialization and instead is set either in prefect.context or on the server, with behavior dependent on the value of the use_local_secrets flag in your Prefect configuration file.

To set a Secret in Prefect Cloud, you can use prefect.Client.set_secret, or set it directly via GraphQL:

mutation {
  set_secret(input: { name: "KEY", value: "VALUE" }) {
    success
  }
}

To set a local Secret, either place the value in your user configuration file (located at ~/.prefect/config.toml):

[context.secrets]
MY_KEY = "MY_VALUE"

or directly in context:

import prefect

prefect.context.setdefault("secrets", {}) # to make sure context has a secrets attribute
prefect.context.secrets["MY_KEY"] = "MY_VALUE"

or specify the secret via environment variable:

export PREFECT__CONTEXT__SECRETS__MY_KEY="MY_VALUE"

Default secrets

Special default secret names can be used to authenticate to third-party systems in a installation-wide way. Read more about this in our Secrets concept documentation.

TIP

When setting secrets via .toml config files, you can use the TOML Keys docs for data structure specifications. Running prefect commands with invalid .toml config files will lead to tracebacks that contain references to: ..../toml/decoder.py.

# Secret

class

prefect.client.secrets.Secret

(name)[source]

A Secret is a serializable object used to represent a secret key & value.

Args:

  • name (str): The name of the secret
The value of the Secret is not set upon initialization and instead is set either in prefect.context or on the server, with behavior dependent on the value of the use_local_secrets flag in your Prefect configuration file.

If using local secrets, Secret.get() will attempt to call json.loads on the value pulled from context. For this reason it is recommended to store local secrets as JSON documents to avoid ambiguous behavior (e.g., "42" being parsed as 42).

methods:                                                                                                                                                       

prefect.client.secrets.Secret.exists

()[source]

Determine if the secret exists.

Returns:

  • bool: a boolean specifying whether the Secret is accessible or not

prefect.client.secrets.Secret.get

()[source]

Retrieve the secret value. If not found, returns None.

If using local secrets, Secret.get() will attempt to call json.loads on the value pulled from context. For this reason it is recommended to store local secrets as JSON documents to avoid ambiguous behavior.

Returns:

  • Any: the value of the secret; if not found, raises an error
Raises:
  • ValueError: if .get() is called within a Flow building context, or if use_local_secrets=True and your Secret doesn't exist
  • KeyError: if use_local_secrets=False and the Client fails to retrieve your secret
  • ClientError: if the client experiences an unexpected error communicating with the backend


This documentation was auto-generated from commit bd9182e
on July 31, 2024 at 18:02 UTC

agent