corrects masking and looks up secret value in dlt.secrets

dlt/cli/deploy_command_helpers.py

@@ -175,6 +175,7 @@ def _update_envs(self, trace: PipelineTrace) -> None:
         for resolved_value in trace.resolved_config_values:
             if resolved_value.is_secret_hint:
                 # generate special forms for all secrets
+                breakpoint()
                 self.secret_envs.append(
                     LookupTrace(
                         self.env_prov.name,
@@ -202,15 +203,17 @@ def _echo_secrets(self) -> None:
             fmt.secho("Name:", fg="green")
             fmt.echo(fmt.bold(self.env_prov.get_key_name(s_v.key, *s_v.sections)))
             try:
-                secret_value = dlt.secrets[self.env_prov.get_key_name(s_v.key, *s_v.sections)]
                 fmt.secho("Secret:", fg="green")
-                fmt.echo(secret_value)
+                fmt.echo(self._lookup_secret_value(s_v))
             except ConfigFieldMissingException:
                 fmt.secho(
                     "Not found. See https://dlthub.com/docs/general-usage/credentials", fg="red"
                 )
             fmt.echo()
 
+    def _lookup_secret_value(self, trace: LookupTrace) -> Any:
+        return dlt.secrets[self.env_prov.get_secret_key_name(trace.key, *trace.sections)]
+
     def _echo_envs(self) -> None:
         for v in self.envs:
             fmt.secho("Name:", fg="green")

dlt/common/configuration/providers/environ.py

@@ -14,6 +14,10 @@ class EnvironProvider(ConfigProvider):
     def get_key_name(key: str, *sections: str) -> str:
         return get_key_name(key, "__", *sections).upper()
 
+    @staticmethod
+    def get_secret_key_name(key: str, *sections: str) -> str:
+        return get_key_name(key, ".", *sections)
+
     @property
     def name(self) -> str:
         return "Environment Variables"

dlt/pipeline/trace.py

@@ -3,14 +3,14 @@
 import os
 import pickle
 import datetime  # noqa: 251
-from typing import Any, List, NamedTuple, Optional, Protocol, Sequence
+from typing import Any, List, NamedTuple, Optional, Protocol, Sequence, Union
 import humanize
 
 from dlt.common.pendulum import pendulum
 from dlt.common.configuration import is_secret_hint
 from dlt.common.configuration.exceptions import ContextDefaultCannotBeCreated
 from dlt.common.configuration.specs.config_section_context import ConfigSectionContext
-from dlt.common.configuration.utils import _RESOLVED_TRACES
+from dlt.common.configuration.utils import _RESOLVED_TRACES, ResolvedValueTrace
 from dlt.common.configuration.container import Container
 from dlt.common.exceptions import ExceptionTrace, ResourceNameNotAvailable
 from dlt.common.logger import suppress_and_warn
@@ -56,7 +56,7 @@ def asdict(self) -> StrAny:
 
     def asstr(self, verbosity: int = 0) -> str:
         return (
-            f"{self.key}->{MASKED_SECRET if self.is_secret_hint else self.value } in"
+            f"{self.key}->{_mask_secret(self.value) if self.is_secret_hint else self.value } in"
             f" {'.'.join(self.sections)} by {self.provider_name}"
         )
 
@@ -284,8 +284,8 @@ def end_trace_step(
     resolved_values = map(
         lambda v: SerializableResolvedValueTrace(
             v.key,
-            MASKED_SECRET if is_secret_hint(v.hint) else v.value,
-            MASKED_SECRET if is_secret_hint(v.hint) else v.default_value,
+            _mask_secret(v.value) if is_secret_hint(v.hint) else v.value,
+            _mask_secret(v.default_value) if is_secret_hint(v.hint) else v.default_value,
             is_secret_hint(v.hint),
             v.sections,
             v.provider_name,
@@ -302,6 +302,13 @@ def end_trace_step(
     return trace
 
 
+def _mask_secret(trace_item_value: Any) -> Any:
+    if isinstance(trace_item_value, dict):
+        return {k: MASKED_SECRET for k in trace_item_value}
+    else:
+        return MASKED_SECRET
+
+
 def end_trace(
     trace: PipelineTrace, pipeline: SupportsPipeline, trace_path: str, send_state: bool
 ) -> PipelineTrace: