This page recommends using

configured

to use env variables for storing secrets: https://docs.dagster.io/guides/dagster/using-environment-variables-and-secrets. But the documentation of

configured

says not to use it for secrets because it will show secrets: https://docs.dagster.io/_apidocs/config#dagster.configured. is this a conflict, or am I missing something?

The API docs could definitely be more clearly written - what it's saying is that doing this:

.configured({"password": os.getenv("MY_PASSWORD_VALUE")}

could result in the value of MY_PASSWORD_VALUE being shown in the UI. The secrets docs are referring to indicating in a structured way that a field should be sourced from an env var like:

github_api.configured(
            {"password": {"env": "MY_PASSWORD_VALUE"}}
        )

The "env" key tells Dagster in a structured way that the value should be sourced from an env var

sorry, i'm still confused -so is it a recommended practice to put secrets in env vars, and connect to them with

configured

, or is that to be avoided? The Azure plugin, for example, has its examples using that pattern, but is it something to avoid? Or does it depend on use-cases, like if I've got authorized users of our dagster tenant who shouldn't have access to certain secrets?

Putting secrets in env vars and connecting them with configured (using that “env”: “name of env var” pattern so that dagster knows that that’s what you’re doing) is a recommended practice.

cool, thank you for clarifying!