• Home
• airflow.providers.amazon
• airflow.providers.amazon.aws
• airflow.providers.amazon.aws.secrets
• airflow.providers.amazon.aws.secrets.secrets_manager

airflow.providers.amazon.aws.secrets.secrets_manager

Objects relating to sourcing secrets from AWS Secrets Manager

Module Contents

Classes

SecretsManagerBackend

Retrieves Connection or Variables from AWS Secrets Manager

class airflow.providers.amazon.aws.secrets.secrets_manager.SecretsManagerBackend(connections_prefix='airflow/connections', variables_prefix='airflow/variables', config_prefix='airflow/config', profile_name=None, sep='/', full_url_mode=True, are_secret_values_urlencoded=None, extra_conn_words=None, **kwargs)

Bases: airflow.secrets.BaseSecretsBackend, airflow.utils.log.logging_mixin.LoggingMixin

Retrieves Connection or Variables from AWS Secrets Manager

Configurable via airflow.cfg like so:

[secrets]
backend = airflow.providers.amazon.aws.secrets.secrets_manager.SecretsManagerBackend
backend_kwargs = {"connections_prefix": "airflow/connections"}

For example, if secrets prefix is airflow/connections/smtp_default, this would be accessible if you provide {"connections_prefix": "airflow/connections"} and request conn_id smtp_default. If variables prefix is airflow/variables/hello, this would be accessible if you provide {"variables_prefix": "airflow/variables"} and request variable key hello. And if config_prefix is airflow/config/sql_alchemy_conn, this would be accessible if you provide {"config_prefix": "airflow/config"} and request config key sql_alchemy_conn.

You can also pass additional keyword arguments like aws_secret_access_key, aws_access_key_id or region_name to this class and they would be passed on to Boto3 client.

There are two ways of storing secrets in Secret Manager for using them with this operator: storing them as a conn URI in one field, or taking advantage of native approach of Secrets Manager and storing them in multiple fields. There are certain words that will be searched in the name of fields for trying to retrieve a connection part. Those words are:

possible_words_for_conn_fields = {
    "login": ["user", "username", "login", "user_name"],
    "password": ["password", "pass", "key"],
    "host": ["host", "remote_host", "server"],
    "port": ["port"],
    "schema": ["database", "schema"],
    "conn_type": ["conn_type", "conn_id", "connection_type", "engine"],
}

However, these lists can be extended using the configuration parameter extra_conn_words. Also, you can have a field named extra for extra parameters for the conn. Please note that this extra field must be a valid JSON.

Parameters

• connections_prefix (str) – Specifies the prefix of the secret to read to get Connections. If set to None (null value in the configuration), requests for connections will not be sent to AWS Secrets Manager. If you don’t want a connections_prefix, set it as an empty string

• variables_prefix (str) – Specifies the prefix of the secret to read to get Variables. If set to None (null value in the configuration), requests for variables will not be sent to AWS Secrets Manager. If you don’t want a variables_prefix, set it as an empty string

• config_prefix (str) – Specifies the prefix of the secret to read to get Configurations. If set to None (null value in the configuration), requests for configurations will not be sent to AWS Secrets Manager. If you don’t want a config_prefix, set it as an empty string

• profile_name (Optional[str]) – The name of a profile to use. If not given, then the default profile is used.

• sep (str) – separator used to concatenate secret_prefix and secret_id. Default: “/”

• full_url_mode (bool) – if True, the secrets must be stored as one conn URI in just one field per secret. If False (set it as false in backend_kwargs), you can store the secret using different fields (password, user…).

• are_secret_values_urlencoded (Optional[bool]) – If True, and full_url_mode is False, then the values are assumed to be URL-encoded and will be decoded before being passed into a Connection object. This option is ignored when full_url_mode is True.

• extra_conn_words (Optional[Dict[str, List[str]]]) – for using just when you set full_url_mode as false and store the secrets in different fields of secrets manager. You can add more words for each connection part beyond the default ones. The extra words to be searched should be passed as a dict of lists, each list corresponding to a connection part. The optional keys of the dict must be: user, password, host, schema, conn_type.

client()

Create a Secrets Manager client

get_connection(conn_id)

Return connection object with a given conn_id.

Tries get_conn_value first and if not implemented, tries get_conn_uri

Parameters

conn_id (str) – connection id

get_uri_from_secret(secret)

get_conn_value(conn_id)

Get serialized representation of Connection

Parameters

conn_id (str) – connection id

get_conn_uri(conn_id)

Return URI representation of Connection conn_id.

As of Airflow version 2.3.0 this method is deprecated.

Parameters

conn_id (str) – the connection id

Returns

deserialized Connection

Return type

Optional[str]

get_variable(key)

Get Airflow Variable from Environment Variable :param key: Variable Key :return: Variable Value

get_config(key)

Get Airflow Configuration :param key: Configuration Option Key :return: Configuration Option Value

Previous Next

Was this entry helpful?