Skip to content

Fix pass api key#11

Closed
Jun Aishima (JunAishima) wants to merge 27 commits intoNSLS2:mainfrom
JunAishima:fix-pass-api-key
Closed

Fix pass api key#11
Jun Aishima (JunAishima) wants to merge 27 commits intoNSLS2:mainfrom
JunAishima:fix-pass-api-key

Conversation

@JunAishima
Copy link
Copy Markdown
Contributor

@JunAishima Jun Aishima (JunAishima) commented Apr 3, 2026
edited
Loading

I noticed yesterday that the Tiled API key which is passed around the functions is visible on Prefect Cloud when the workflow is run in production.

This fix will ensure the Tiled API key is only read from the environment file right where it is used so that it is not passed around.

The Tiled API key used in the end_of_run_workflow() function is currently only used when testing, either CI or local interactive testing. In these cases, Prefect Cloud will not store the parameters used to call the functions, so the API key will never get exposed.

Note that this PR also includes the dotenv change.

@JunAishima
update pixi.toml with explicit addition of python-dotenv
2dbe8fc 
 * already included in lock file, so no update necessary
@JunAishima
update code to use dotenv
52c46fc 
 * read TILED_API_KEY in from env.secrets
@JunAishima
add env.secrets file into container
1f6cb20
@JunAishima
build container, use update-dotenv code for deployment
95ad046
@JunAishima
update deployment version
ff41adb
@JunAishima
fix filename
1e0fd69
@JunAishima
update location of Tiled secret
706b6eb 
 * corresponding changes in prefect3_worker role
@JunAishima
remove logging (testing dotenv mechanism)
ed405f3
@JunAishima
LINT: remove unused logging, and thus its import
eea5a2f
@JunAishima
restructure api key handling
9b6ba0e 
 * include possibility of calling with API key value to
   better enable local testing of workflows
@JunAishima
fix Tiled API key handling for utils/test_extra_client
2feb28b
@JunAishima
pre-commit fixes
f59fc6f
@JunAishima
update Tiled secret location
84cef9e
@JunAishima
change from branch to main
29dc6a9 
 * publish-ghcr and the deploy file had the local branch
   name to use for testing. change those to main for prod
@JunAishima
replace from_profile with from_uri
447db34 
 * enable running on hosts without access to our filesystems, such
   as Github action-based CI
@JunAishima
add dry_run option
d0be97e
@JunAishima
update deployment version number
84b9161
@JunAishima
add option to call end_of_run_workflow with api_key
e32cd6e
@JunAishima
fix pre-commit issue, add import for logger
f328b26
@JunAishima
fix pre-commit issue
4ffc659
@JunAishima
make more similar to smi
4ee1bb5 
 * remove dry_run from reading functions
 * make get_run() function and use it where
   Tiled clients are required
 * remove redundant utils module
@JunAishima
fix pre-commit issues
b55f00d
@JunAishima
extract read_stream(), clean up params for read_all_streams()
2919d37
@JunAishima
use my fork/ghcr, publish/deploy branch for testing
08b04b2
@JunAishima
only get dotenv API key when getting the run from Tiled
a781031
@JunAishima
test fix-pass-api-key fix
b579996
@JunAishima
move function to get API key to data_validation
e7fe1c3 
 * no need to import it from end_of_run_workflow()
@JunAishima Jun Aishima (JunAishima) marked this pull request as draft April 3, 2026 17:49
@JunAishima Jun Aishima (JunAishima) mentioned this pull request Apr 8, 2026
Open
@JunAishima
Copy link
Copy Markdown
Contributor Author

Jun Aishima (JunAishima) commented Apr 8, 2026

closing as the key change is now incorporated in #7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AbbyGi Abby Giles (AbbyGi) Awaiting requested review from AbbyGi

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JunAishima