User impersonation secrets for deployment runs in prefect open source

[jlwhelan28]

There has already been considerable discussion on why dynamic secret values passed as flow parameters is not a supported pattern in Prefect. See #11679 (among other discussions)

Understanding that, I'm struggling to navigate this in my use case for Prefect OS. I am working with the following pattern

• Deployments hosted in prefect define some analytical workflow and run on remote infrastructure
• Upstream platform integrates with prefect rest api or sdk to run deployments
• User action in upstream platform triggers deployment run
• Deployed flow requires credentials to authenticate with downstream third party systems
• I want to pass user impersonation credentials for the user in the upstream system to the downstream system, such that the downstream system can maintain auditable access records

Secret Blocks don't work for me, without fine grain auth in Prefect open source all secrets are exposed to all "users", and anyone with access to the prefect api could access secrets for another user without extensive route blocking.

Curious if anyone has tackled a similar setup or if the Prefect team has advice. Is there a way to access REST API headers from within the flow?