[BUG] putting secrets into env vars doesn't work with AWS Secrets Manager #6304

Closed
2 tasks done
bra-fsn opened this issue Mar 4, 2025 · 1 comment · Fixed by #6316
Labels
bug Something isn't working good first issue Good for newcomers help wanted Extra attention is needed

@bra-fsn
Contributor

bra-fsn commented Mar 4, 2025

Describe the bug

I'm trying to use the new env_var argument for Secret, but the secret is not placed into any of the environment variables, no matter if I specify this argument or not.

Python pkg versions:

flyteidl==1.15.1
flytekit==1.15.0

Flyte version: 1.15.0

Expected behavior

I would expect that if I get a secret from AWS Secrets Manager, it is placed into an env var if mount_requirement=Secret.MountType.ENV_VAR is given and into the specific env var if env_var="TEST_ENV" or similar is given.

Additional context to reproduce

This doesn't work:

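```python
from flytekit import Secret, task

# SECRET_GROUP and SECRET_KEY are defined elsewhere in the reporter's project.
@task(
    secret_requests=[
        Secret(env_var="TEST_ENV", group=SECRET_GROUP, key=SECRET_KEY, mount_requirement=Secret.MountType.ENV_VAR)
    ]
)
def get_secret_env() -> str:
    import os
    return f"env {os.getenv('TEST_ENV')}"
```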

TEST_ENV is missing. If I remove env_var="TEST_ENV", the secret is not placed into any of the env vars of that task either.

This in contrast works:

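```python
from flytekit import Secret, current_context, task

# SECRET_GROUP and SECRET_KEY are defined elsewhere in the reporter's project.
@task(
    secret_requests=[
        Secret(group=SECRET_GROUP, key=SECRET_KEY, mount_requirement=Secret.MountType.FILE)
    ]
)
def get_secret_file() -> str:
    ctx = current_context()
    token = ctx.secrets.get(SECRET_GROUP, SECRET_KEY)
    return f"file {token}"
```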

I'm using

```yaml
core:
  webhook:
    secretManagerType: "AWS"
```

in the helm values.yaml.

Screenshots

No response

Are you sure this issue hasn't been raised already?

  • Yes

Have you read the Code of Conduct?

  • Yes
@bra-fsn bra-fsn added bug Something isn't working untriaged This issues has not yet been looked at by the Maintainers labels Mar 4, 2025
@eapolinario eapolinario added good first issue Good for newcomers help wanted Extra attention is needed and removed untriaged This issues has not yet been looked at by the Maintainers labels Mar 6, 2025
@thomasjpfan
Member

I opened #6316 to fix this.

Since AWS only supports the Secret.MountType.FILE mount type, the env_var will be the path to the mounted secret file. Concretely, if env_var=TEST_ENV, then `TEST_ENV=/etc/flyte/secrets/SECRET_GROUP/SECRET_KEY`, where the file contains the secret.
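The behaviour described in the comment above, as an added example that is not part of the original thread or of the Flyte code base: with the AWS secret manager the variable holds a file path, so task code has to open that file to obtain the secret. `read_secret_via_env`, its `secrets_root` parameter and the root check are hypothetical and assumed here, and the temporary directory is a constructed stand-in for the mount.

```python
import os
import tempfile
from pathlib import Path

# Mount root as it appears in the path quoted in the comment above.
DEFAULT_SECRETS_ROOT = "/etc/flyte/secrets"


def read_secret_via_env(env_name: str, secrets_root: str = DEFAULT_SECRETS_ROOT) -> str:
    """Hypothetical helper: env_name holds a file path, the file holds the secret."""
    raw = os.environ.get(env_name)
    if not raw:
        raise KeyError(f"{env_name} is not set, so no secret file was mounted for it")
    root = Path(secrets_root).resolve()
    path = Path(raw).resolve()  # resolves symlinks and ".." before the check
    # Added hardening (an assumption, not Flyte behaviour): only read files under
    # the mount root, so a tampered variable cannot cause an arbitrary file read.
    if root not in path.parents:
        raise ValueError(f"{env_name} points outside {root}")
    if not path.is_file():
        raise FileNotFoundError(f"{env_name} does not point to a regular file")
    return path.read_text()  # returned as stored; do not log this value


def demo() -> dict:
    """Constructed layout: <tmp>/SECRET_GROUP/SECRET_KEY stands in for the mount."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_file = Path(tmp, "SECRET_GROUP", "SECRET_KEY")
        secret_file.parent.mkdir()
        secret_file.write_text("constructed-secret-value")
        os.environ["TEST_ENV"] = str(secret_file)
        result = {
            # os.getenv yields the file path, not the secret itself.
            "env_is_path": os.getenv("TEST_ENV") == str(secret_file),
            "secret": read_secret_via_env("TEST_ENV", secrets_root=tmp),
        }
        os.environ["TEST_ENV"] = str(Path(tmp).parent / "elsewhere")
        try:
            read_secret_via_env("TEST_ENV", secrets_root=tmp)
            result["outside_rejected"] = False
        except ValueError:
            result["outside_rejected"] = True
        finally:
            os.environ.pop("TEST_ENV", None)
        return result


if __name__ == "__main__":
    print(demo())
```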
