Does anyone have experience with using AWS Secrets Manager with flyte instead of the default k8 secrets? a little confused on how to set up the secret names.

If you're using AWS Secrets Manager, a common pattern is using the external secrets operator to expose those as K8s

Secret

resources inside the cluster. https://external-secrets.io/v0.8.1/

Ah, so we would need an external integration. https://docs.flyte.org/projects/cookbook/en/latest/auto/core/containerization/use_secrets.html#aws-secrets-manager the docs here didn't mention

Oh - I wasn't aware that Flyte had a native secrets manager integration; that could also work, but we use External Secrets in a number of other places in our system & that's how we're mounting secrets in our workflows today

Well, I'm not sure how to use the eative flyte AWS one haha so not sure how well supported it is. yea, I'm able to mount some of my secrets directly as env vars in my pod templates through terraform accessing the AWS Secrets without needing to use External Secrets but wanted to try getting the native secret manager working

what did you mean @Laura Lin?

that's one of the questions

did you have a stack trace we could look at?

lets say I have

secret_group = test_group
secret_key = test_username
secret_string = test_password

what is the expected input supposed to be to Secret Manger?

When using the AWS secret management plugin, secrets need to be specified by naming them in the format <SECRET_GROUP>:<SECRET_KEY>, where the secret string is a plain-text value, *not* key/value json.

can you just remove the :?

then where do I put the secret_group, secret_key args?

this is what it does… https://github.com/flyteorg/flytepropeller/blob/e4ca252977fe791946e70e79d645658025f3d2af/pkg/webhook/aws_secret_manager.go#L48

but the ARN can't have

:

in it right? bc AWS won't let me put a

:

in the name of the secret? if the output of

formatAWSSecretArn

has to match with the actual secret's ARN

oh no, you don’t need to put in the : on the aws side

so should the secret plaintext be

{secret_key:secret_value}

and the name of the secret be the secret_group?

oh no, the secret value can be anything.

When using the AWS secret management plugin, secrets need to be specified by naming them in the format <SECRET_GROUP>:<SECRET_KEY>

so where do I put secret_group and secret_key then? so that flyte can find it properly

so if i make a secret named

mysecretname

and I just put in it “hello world”

yep I'm following, and then how will I reference that in

@task(
    secret_requests=[
        Secret(key=XXX, group=XXX),
    ]
)

so then in the user code side, you can do something like

Secret(group="arn:aws:secretsmanager:us-east-2:1233456:secret", key="mysecretname-RJCgGN")

hmm... that probably won't work for me then. was hoping that it'll be more generic than that. but appreciate the clarification. That would be a good example to throw on the secrets doc haha.

yeah… we’re working on ways to improve the experience.

I think in my case, I need to deploy the same workflows in diff deployments so they'll reference diff secrets values but ideally be under the same name.

oh you can do that… you can put in a json document i’m pretty sure. let me make an end to end working example

but the group name and key will be different in diff deployments? e.g region and account id will be diff and the hash

what do you mean by deployment?

e.g. if I have separate deployments in diff AWS accounts

oh then you’ll have different secrets entirely so yes