-
Notifications
You must be signed in to change notification settings - Fork 910
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make credentials a resolver #3811
Comments
I like the idea in principle, but what would be a way for us to prevent hardcoding of credentials into the catalog directly? |
Not sure of what you mean : for me the default credentials provided by kedro would do the exact same things as it does now (map a string in the catalog to an entry in credentials.yml) so I don't think there is a problem here. A user who likes playing with kedro's limits could eventually write his own resolver and eventually takes raw inputs directly in the catalog, but I don't think it's kedro's responsibility to try to circumvent all weird things users can do (and funnily, they already can write a custom resolver and use it in the catalog - my proposal would simply enable to make their dangerous logic the default, but they are clearly doing it on purpose). Do you have an example of a situation this proposal would enable which is not already possible and that we want to avoid by all means? |
Hard agree. Our YAML-first approach to credentials is weird, given that there are many other methods that are arguably more prevalent, like environment variables, secrets vaults, JSON token files... Plus we have evidence that users struggle to understand the current approach #1646 (comment) |
I think this is really elegant, I think there is probably a way where this is non-breaking and just an extension too |
@Galileo-Galilei The way
and this:
Currently, the latter will not be taken by Kedro and it won't work, because we do the resolving after loading the config. This way we are preventing users from accidentally checking in secrets. If we go the resolver path (which I like personally), we need to make sure that my second example will error out and your example will only work. |
This is a totally valid concern, I did not think about this edge case. It seems it should be possible to check if the credentials subkey is interpolated with [ |
Originally posted by @MatthiasRoels in #1936 (comment) |
O also think a resolver based way of doing creds would be amazing, I had to hack something together to make things work for my SQLFrame experiement. |
Hi Everyone, As always, a lot of great thoughts & comments. 👍 If I may quickly had some poorly articulated concerns / suggestions that connects this issue to #2829: AWS Secrets bills on READ Our problem is compounded by the fact that, in the Looking very forward to reading your thoughts on this. |
The suggestion make sense. We agree this is something that is useful, at the moment we are doing some re-design for DataCatalog, we will start looking at this once we finish the refactoring. |
More evidence that our users are just using environment variables for credentials https://kedro.hall.community/support-lY6wDVhxGXNY/passing-credentials-to-a-node-in-kedro-DrfL3JQdGpPb (Related to #3979 cc @lordsoffallen) |
Credential management in Polars is changing 👀 see
lf = pl.scan_parquet(
"s3://...",
credential_provider=pl.CredentialProviderAWS(profile_name="..."),
) |
Moving this to Discussions to continue the conversation there. |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Description
Make "credentials" a
OmegaConf
resolver, so injecting credentials in the catalog would look like :Context
This may look like a pure technical refactoring, but actually I am expecting this to be an actual improvement for users, e.g. :
settings.py
Overall, this would likely be a general improvement with some overlaps with what is described here #1646 and has never been properly adressed, despite a bunch of discussions around this topic.
Possible Implementation
Move the logic from the catalog and the
_get_credentials
and_resolve_credentials
:kedro/kedro/io/data_catalog.py
Lines 35 to 58 in 7237dc7
kedro/kedro/io/data_catalog.py
Lines 61 to 83 in 7237dc7
to a resolver.
Possible Alternatives
Do nothing and keep the situation as is.
The text was updated successfully, but these errors were encountered: