Prefect cloud can see flow parameters (possible secret) #16888

Open
GNSSYSTEMS-anla opened this issue Jan 29, 2025 · 2 comments
Labels
bug Something isn't working

Comments

@GNSSYSTEMS-anla

Bug summary

As suggested by Mihir Thatte, we were instructed to create an issue we see.

This short example shows that a flow parameter can be seen in the Prefect web interface. What can we do if parameters should be secret so they won't leave the on-prem system when using Prefect Cloud? Is it possible to change the configuration to never leak parameters?

import sys
from prefect import flow

@flow
def my_flow(max_limit: float):
    return None

my_flow(max_limit=sys.float_info.max)

Version info

Version:             3.1.12
API version:         0.8.4
Python version:      3.10.16
Git commit:          e299e5a7
Built:               Thu, Jan 9, 2025 10:09 AM
OS/Arch:             linux/x86_64
Profile:             local
Server type:         server
Pydantic version:    2.10.5
Integrations:
  prefect-dask:      0.3.2

Additional context

No response

@desertaxle
Member

desertaxle commented Jan 29, 2025

Hey @GNSSYSTEMS-anla! Prefect doesn't encrypt or obfuscate any parameters, so I wouldn't recommend passing secret values into your flows. It depends on your use case, but I'd recommend you load secrets from your secret storage provider within your flow. You can pass in names or pointers to secrets to your flow if you need those secret values to be dynamic.

If you can share more about what types of secrets you'd like to pass into flow and where they originate from, we might be able to find other potential solutions!

@zzstoatzz
Collaborator

+1 to the above, and in case this context is helpful: #11679
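
A sketch of the approach recommended in the thread (pass a name or pointer as the parameter and load the secret inside the flow), added here as an example; it is not code from the issue or from the Prefect project. The `env:NAME` reference format, the `ONPREM_API_KEY` variable and the helper names are assumptions, and the environment variable stands in for whatever secret store the on-prem worker uses.

```python
import os
import re

try:
    from prefect import flow
except ImportError:  # assumption: pass-through stand-in so the sketch runs without Prefect
    def flow(fn):
        return fn

# Hypothetical reference format "env:NAME": only the name travels as a parameter.
_REF = re.compile(r"env:([A-Z][A-Z0-9_]{0,63})")


def resolve_secret(ref: str) -> str:
    """Turn a reference into the secret value, on the machine running the flow."""
    match = _REF.fullmatch(ref)
    if match is None:
        # Do not echo the rejected value: it may be a raw secret passed by mistake.
        raise ValueError("parameter is not a secret reference of the form env:NAME")
    value = os.environ.get(match.group(1))
    if not value:
        raise LookupError(f"secret {match.group(1)} is not set on this worker")
    return value


def authorization_header(api_key_ref: str) -> dict:
    """Plain helper so the logic can be exercised without starting a flow run."""
    return {"Authorization": f"Bearer {resolve_secret(api_key_ref)}"}


@flow
def my_flow(api_key_ref: str, max_limit: float):
    # The flow's parameters are the reference string and max_limit, never the key itself.
    headers = authorization_header(api_key_ref)
    # ... call the on-prem service with `headers` here ...
    # Return only non-secret data.
    return {"max_limit": max_limit, "header_count": len(headers)}


if __name__ == "__main__":
    # Constructed sample value, set only so the example can run locally.
    os.environ.setdefault("ONPREM_API_KEY", "constructed-sample-value")
    my_flow(api_key_ref="env:ONPREM_API_KEY", max_limit=10.0)
```
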
