Flyte enables production-grade orchestration for machine learning workflows and data processing created to accelerate local workflows to production.

Flyte

<https://github.com/flyteorg/flyte/issues/3053|#3053 [Core feature] control ENV var name for injected secrets>
Issue created by <https://github.com/flixr|flixr>
*Motivation: Why do you think this is important?*

Split out from <https://github.com/flyteorg/flytekit/pull/1307|flyteorg/flytekit#1307>:

I need to inject k8s secrets as env vars into my raw ContainerTasks (and actually for PythonTasks as well).  
As an example I want to inject `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.  
Essentially I want to do what k8s already nicely provides:  
<https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-a-container-environment-variable-with-data-from-a-single-secret|https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-a-container-environment-variable-with-data-from-a-single-secret>

Using flyte secrets there is no way to control the ENV var name, something like e.g.  
`Secret(group="minio-write-creds", key="AWS_ACCESS_KEY_ID", mount_requirement=Secret.MountType.ENV_VAR)`  
will inject the secret as `_FSEC_MINIO_WRITE_CREDS_AWS_ACCESS_KEY_ID` and this is <https://github.com/flyteorg/flytepropeller/blob/3405a043ebbd4d3e5d7b051e696d287a90eed291/pkg/webhook/utils.go#L27|currently hardcoded in flytepropeller>.  
This seems sensible iff you need to get the secret in Python code via flytekit context/secret manager, but not for raw containers.  
Even for a Python task it would often be easier to just control the env var name (as e.g. in the case of the S3 credentials that boto3 would automatically pick up then).

*Goal: What should the final outcome look like, ideally?*

Maybe something like

```
Secret(group="minio-write-creds", key="access_key", mount_requirement=Secret.MountType.ENV_VAR, name="AWS_ACCESS_KEY_ID")
```

To decouple group/key name from env var name, just like k8s itself.  
If name is not given it could still work by naming as prefix + group + key.

*Describe alternatives you've considered*

Working around this by wrapping my container task in a shell script that pull out the secret from the env var (or file) and populate the correct env var for the actual process.  
But this is super cumbersome and actually requires the wrapper script to know about the group name (so k8s secret name), which makes it super awkward to change credentials by just using a different secret.

Same goes for secrets injected as file...

*Propose: Link/Inline OR Additional context*

_No response_

*Are you sure this issue hasn't been raised already?*

☑︎ Yes

*Have you read the Code of Conduct?*

☑︎ Yes
<https://github.com/flyteorg/flyte|flyteorg/flyte>

<https://github.com/flyteorg/flyte/issues/3053|#3053 [Core feature] control ENV var name for injected secrets>
Issue closed as completed by <https://github.com/flixr|flixr>
<https://github.com/flyteorg/flyte|flyteorg/flyte>