airflow.providers.akeyless.secrets.akeyless

Secrets Backend for sourcing Connections, Variables, and Config from Akeyless.

Classes

AkeylessBackend

Retrieve Connections, Variables, and Configuration from Akeyless.

Module Contents

class airflow.providers.akeyless.secrets.akeyless.AkeylessBackend(connections_path='/airflow/connections', variables_path='/airflow/variables', config_path='/airflow/config', sep='/', use_team_secrets_path=True, global_secrets_path=None, api_url='https://api.akeyless.io', access_id=None, access_key=None, access_type='api_key', token_ttl=_DEFAULT_TOKEN_TTL, **kwargs)[source]

Bases: airflow.secrets.BaseSecretsBackend, airflow.utils.log.logging_mixin.LoggingMixin

Retrieve Connections, Variables, and Configuration from Akeyless.

Configurable via airflow.cfg:

[secrets]
backend = airflow.providers.akeyless.secrets.akeyless.AkeylessBackend
backend_kwargs = {
    "connections_path": "/airflow/connections",
    "variables_path": "/airflow/variables",
    "api_url": "https://api.akeyless.io",
    "access_id": "p-xxxx",
    "access_key": "xxxx"
}

Secrets are looked up by joining <base_path>/<key>.

In multi-team deployments (core.multi_team = True), secrets are first looked up under {base_path}/{team_name}/{key}. If not found, the backend falls back to a global path: {base_path}/{global_secrets_path}/{key} (when global_secrets_path is set) or {base_path}/{key} (default). Team-scoped lookup can be disabled with use_team_secrets_path = False.

Only api_key and uid authentication types are supported in the secrets backend. For cloud-based authentication (aws_iam, gcp, azure_ad) or other advanced methods, use AkeylessHook directly.

Parameters:

  • connections_path (str | None) – Akeyless path prefix for Connections (None to disable).

  • variables_path (str | None) – Akeyless path prefix for Variables (None to disable).

  • config_path (str | None) – Akeyless path prefix for Config (None to disable).

  • sep (str) – Separator between base path and key.

  • use_team_secrets_path (bool) – When True (default), look up secrets under {base_path}/{team_name}/{key} in multi-team mode before falling back.

  • global_secrets_path (str | None) – Optional path segment inserted between base path and key for the global fallback in multi-team mode (e.g. "global").

  • api_url (str) – Akeyless API endpoint.

  • access_id (str | None) – Access ID.

  • access_key (str | None) – Access Key (for api_key auth).

  • access_type (str) – Auth type (api_key or uid).

  • token_ttl (int) – Seconds to cache the API token before refreshing (default 600).

connections_path = ''[source]
variables_path = ''[source]
config_path = ''[source]
sep = '/'[source]
use_team_secrets_path = True[source]
global_secrets_path[source]
get_connection(conn_id, team_name=None)[source]

Build a Connection from an Akeyless secret (URI or JSON dict).

get_variable(key, team_name=None)[source]

Retrieve an Airflow Variable from Akeyless.

get_config(key)[source]

Retrieve an Airflow Configuration option from Akeyless.

Was this entry helpful?