Use Cases
The plugin system is designed for scenarios where you need to:- Obtain short-lived credentials: Automatically fetch temporary AWS credentials, service tokens, or API keys before workflow execution
- Configure environment variables: Set up environment-specific configuration based on the execution context
- Initialize external services: Connect to secret managers, credential stores, or authentication providers
- Prepare execution environments: Ensure required resources or configurations are available before workflows run
Quick Start
Enabling the Plugin System
The plugin system is opt-in and disabled by default. Enable it by setting the environment variable:- Python scripts that import Prefect (
import prefect) - CLI commands (
prefect deploy,prefect server start, etc.) - Workers and agents starting up
- Any process that uses Prefect
Example Plugin
Here’s a minimal example plugin that sets environment variables:pyproject.toml:
Configuration
Environment Variables
Configure the plugin system with these environment variables:The legacy
PREFECT_EXPERIMENTS_PLUGINS_* environment variables continue to work as aliases but emit a DeprecationWarning on first use. Rename them to PREFECT_PLUGINS_* at your earliest convenience; the old names will stop being recognized in a future release.Examples
Allow only specific plugins:Plugin API
Hook Specification
Plugins implement thesetup_environment hook to configure the environment or run code on startup. The simplest approach is to use a decorated function:
Required Decorator: The
@register_hook decorator is required to mark your function as a plugin hook implementation. Without it, your plugin will not be discovered by the plugin system.Entry Point: When using the function-based pattern, your entry point should reference the module (e.g., "my_plugin") rather than a specific class or instance."my_plugin:Plugin"
HookContext
The context object passed to plugins:SetupResult
The result returned by plugins:Example: AWS Credentials Plugin
Here’s a complete example of a plugin that assumes an AWS IAM role and provides temporary credentials:Diagnostics
Use the diagnostic command to troubleshoot plugin issues:Security Considerations
Secret Redaction
The plugin system automatically redacts sensitive environment variables in logs and diagnostics. Variables containing these keywords are redacted:SECRETTOKENPASSWORDKEY
Permissions
Plugins execute with the same permissions as the Prefect process. Be cautious about:- Environment variables can affect all child processes
- File system access matches the Prefect process user
- Network calls are unrestricted
- Plugins can import any installed package
Behavior & Guarantees
Import-Time Execution
Plugins run automatically when Prefect is imported, before any other Prefect code executes. This means:- Environment variables are available to all Prefect operations
- Credentials are configured before connecting to APIs
- Setup happens once per process, not per CLI command
Execution Order
- Plugins are discovered via entry points in the
prefect.pluginsgroup - Execution order is not guaranteed
- Multiple plugins may modify the same environment variables (last write wins)
Error Handling
- Plugin errors are isolated and logged
- One plugin’s failure doesn’t affect others
- In strict mode with
required=True, plugin failures abort startup - Timeouts apply globally to all plugins combined
Async Support
Plugins can be either synchronous or asynchronous:Idempotence
Plugins should be idempotent - multiple invocations should produce the same result. Prefect may call plugins multiple times during initialization or in different processes.Version Compatibility
Specifying Version Requirements
Plugins should declare their API version compatibility using thePREFECT_PLUGIN_API_REQUIRES attribute:
">=0.1,<1"- Compatible with 0.1.x releases, incompatible with 1.0+">=0.1"- Compatible with 0.1 and all future versions"==0.1"- Only compatible with exactly version 0.1
0.1. This will be incremented when breaking changes are made to the plugin interface.
Version Validation
When Prefect loads plugins, it automatically validates version compatibility:- Compatible versions: Plugin loads normally and executes
- Incompatible versions: Plugin is skipped with a warning log message
- Invalid specifiers: Warning is logged, but plugin loads anyway (best-effort)
- Missing attribute: Defaults to
">=0.1,<1"if not specified
Checking Compatibility
Use the diagnostics command to see plugin version requirements:Troubleshooting
Plugin Not Running
-
Verify plugins are enabled:
-
Check plugin is discoverable:
-
Verify entry point is registered:
Plugin Errors
-
Enable safe mode to test loading without execution:
-
Check plugin logs:
-
Test plugin in isolation:
Version Compatibility Issues
If a plugin isn’t loading due to version mismatch:-
Check the plugin’s API requirement:
Look for warnings about incompatible API versions
- Update the plugin to a version compatible with your Prefect installation, or update Prefect to match the plugin’s requirements
-
If you’re developing a plugin, adjust
PREFECT_PLUGIN_API_REQUIRESto match the current API version: -
Enable debug logging to see detailed version validation: