https://flyte.org logo
#ask-the-community
Title
# ask-the-community
l

Laura Lin

04/17/2023, 8:34 PM
Does anyone have experience with using AWS Secrets Manager with flyte instead of the default k8 secrets? a little confused on how to set up the secret names.
r

Rahul Mehta

04/17/2023, 8:48 PM
If you're using AWS Secrets Manager, a common pattern is using the external secrets operator to expose those as K8s
Secret
resources inside the cluster. https://external-secrets.io/v0.8.1/
Also IMO this is a desirable pattern since your K8s workloads aren't aware of the cloud provider as an implementation detail
l

Laura Lin

04/17/2023, 8:50 PM
r

Rahul Mehta

04/17/2023, 8:50 PM
Oh - I wasn't aware that Flyte had a native secrets manager integration; that could also work, but we use External Secrets in a number of other places in our system & that's how we're mounting secrets in our workflows today
l

Laura Lin

04/17/2023, 8:51 PM
Well, I'm not sure how to use the eative flyte AWS one haha so not sure how well supported it is. yea, I'm able to mount some of my secrets directly as env vars in my pod templates through terraform accessing the AWS Secrets without needing to use External Secrets but wanted to try getting the native secret manager working
y

Yee

04/17/2023, 8:57 PM
what did you mean @Laura Lin?
the
:
?
l

Laura Lin

04/17/2023, 8:57 PM
that's one of the questions
y

Yee

04/17/2023, 8:59 PM
did you have a stack trace we could look at?
what do you have it set to currently?
l

Laura Lin

04/17/2023, 9:00 PM
lets say I have
Copy code
secret_group = test_group
secret_key = test_username
secret_string = test_password
what is the expected input supposed to be to Secret Manger?
When using the AWS secret management plugin, secrets need to be specified by naming them in the format <SECRET_GROUP>:<SECRET_KEY>, where the secret string is a plain-text value, *not* key/value json.
y

Yee

04/17/2023, 9:51 PM
can you just remove the :?
and make it
my_secret_name
?
l

Laura Lin

04/17/2023, 10:08 PM
then where do I put the secret_group, secret_key args?
so basically it doesn’t matter really, but when you concatenate the two together, you need to have the arn.
the downside of this is that your aws account number ends up in the group name.
this is the current structure at least - if you have ideas on ux improvements, please let us know
or just push a pr 🙂 - i know there were requests for domain specific secrets (which happens automatically with k8s secrets but not with the other secret providers)
l

Laura Lin

04/18/2023, 4:21 PM
but the ARN can't have
:
in it right? bc AWS won't let me put a
:
in the name of the secret? if the output of
formatAWSSecretArn
has to match with the actual secret's ARN
I'm not really blocked by this because I can just export my aws secrets as k8s secrets using terraform which then can get picked up natively by flyte
y

Yee

04/18/2023, 4:32 PM
oh no, you don’t need to put in the : on the aws side
that happens automatically. if you create the secret and then look at the arn
it’ll come with a bunch of `:`s
l

Laura Lin

04/18/2023, 4:36 PM
so should the secret plaintext be
{secret_key:secret_value}
and the name of the secret be the secret_group?
y

Yee

04/18/2023, 4:36 PM
oh no, the secret value can be anything.
l

Laura Lin

04/18/2023, 4:37 PM
Copy code
When using the AWS secret management plugin, secrets need to be specified by naming them in the format <SECRET_GROUP>:<SECRET_KEY>
so where do I put secret_group and secret_key then? so that flyte can find it properly
oooh, you're saying that it happens automatically. flyte will mount all the secrets that exist and generate a group name that is something like
account_id:secret_name in aws
and I will have to reference it by that
y

Yee

04/18/2023, 4:39 PM
so if i make a secret named
mysecretname
and I just put in it “hello world”
the arn will be something like
Copy code
arn:aws:secretsmanager:us-east-2:1233456:secret:mysecretname-RJCgGN
l

Laura Lin

04/18/2023, 4:41 PM
yep I'm following, and then how will I reference that in
Copy code
@task(
    secret_requests=[
        Secret(key=XXX, group=XXX),
    ]
)
y

Yee

04/18/2023, 4:42 PM
so then in the user code side, you can do something like
Copy code
Secret(group="arn:aws:secretsmanager:us-east-2:1233456:secret", key="mysecretname-RJCgGN")
l

Laura Lin

04/18/2023, 4:43 PM
hmm... that probably won't work for me then. was hoping that it'll be more generic than that. but appreciate the clarification. That would be a good example to throw on the secrets doc haha.
y

Yee

04/18/2023, 4:44 PM
yeah… we’re working on ways to improve the experience.
if you have suggestions for ux improvements?
l

Laura Lin

04/18/2023, 4:46 PM
I think in my case, I need to deploy the same workflows in diff deployments so they'll reference diff secrets values but ideally be under the same name.
y

Yee

04/18/2023, 5:27 PM
oh you can do that… you can put in a json document i’m pretty sure. let me make an end to end working example
l

Laura Lin

04/18/2023, 5:30 PM
but the group name and key will be different in diff deployments? e.g region and account id will be diff and the hash
y

Yee

04/18/2023, 5:31 PM
what do you mean by deployment?
i think that only changes when you rotate the secret.
l

Laura Lin

04/18/2023, 5:32 PM
e.g. if I have separate deployments in diff AWS accounts
y

Yee

04/18/2023, 5:33 PM
oh then you’ll have different secrets entirely so yes
78 Views