airflow.providers.amazon.aws.secrets.secrets_manager
¶
Objects relating to sourcing secrets from AWS Secrets Manager
Module Contents¶
Classes¶
Retrieves Connection or Variables from AWS Secrets Manager |
- class airflow.providers.amazon.aws.secrets.secrets_manager.SecretsManagerBackend(connections_prefix='airflow/connections', variables_prefix='airflow/variables', config_prefix='airflow/config', sep='/', extra_conn_words=None, **kwargs)[source]¶
Bases:
airflow.secrets.BaseSecretsBackend
,airflow.utils.log.logging_mixin.LoggingMixin
Retrieves Connection or Variables from AWS Secrets Manager
Configurable via
airflow.cfg
like so:[secrets] backend = airflow.providers.amazon.aws.secrets.secrets_manager.SecretsManagerBackend backend_kwargs = {"connections_prefix": "airflow/connections"}
For example, if secrets prefix is
airflow/connections/smtp_default
, this would be accessible if you provide{"connections_prefix": "airflow/connections"}
and request conn_idsmtp_default
. If variables prefix isairflow/variables/hello
, this would be accessible if you provide{"variables_prefix": "airflow/variables"}
and request variable keyhello
. And if config_prefix isairflow/config/sql_alchemy_conn
, this would be accessible if you provide{"config_prefix": "airflow/config"}
and request config keysql_alchemy_conn
.You can also pass additional keyword arguments listed in AWS Connection Extra config to this class, and they would be used for establishing a connection and passed on to Boto3 client.
[secrets] backend = airflow.providers.amazon.aws.secrets.secrets_manager.SecretsManagerBackend backend_kwargs = {"connections_prefix": "airflow/connections", "region_name": "eu-west-1"}
See also
There are two ways of storing secrets in Secret Manager for using them with this operator: storing them as a conn URI in one field, or taking advantage of native approach of Secrets Manager and storing them in multiple fields. There are certain words that will be searched in the name of fields for trying to retrieve a connection part. Those words are:
possible_words_for_conn_fields = { "login": ["login", "user", "username", "user_name"], "password": ["password", "pass", "key"], "host": ["host", "remote_host", "server"], "port": ["port"], "schema": ["database", "schema"], "conn_type": ["conn_type", "conn_id", "connection_type", "engine"], }
However, these lists can be extended using the configuration parameter
extra_conn_words
. Also, you can have a field named extra for extra parameters for the conn. Please note that this extra field must be a valid JSON.- Parameters
connections_prefix (str) – Specifies the prefix of the secret to read to get Connections. If set to None (null value in the configuration), requests for connections will not be sent to AWS Secrets Manager. If you don’t want a connections_prefix, set it as an empty string
variables_prefix (str) – Specifies the prefix of the secret to read to get Variables. If set to None (null value in the configuration), requests for variables will not be sent to AWS Secrets Manager. If you don’t want a variables_prefix, set it as an empty string
config_prefix (str) – Specifies the prefix of the secret to read to get Configurations. If set to None (null value in the configuration), requests for configurations will not be sent to AWS Secrets Manager. If you don’t want a config_prefix, set it as an empty string
sep (str) – separator used to concatenate secret_prefix and secret_id. Default: “/”
extra_conn_words (dict[str, list[str]] | None) – for using just when you set full_url_mode as false and store the secrets in different fields of secrets manager. You can add more words for each connection part beyond the default ones. The extra words to be searched should be passed as a dict of lists, each list corresponding to a connection part. The optional keys of the dict must be: user, password, host, schema, conn_type.
- get_conn_value(conn_id)[source]¶
Get serialized representation of Connection
- Parameters
conn_id (str) – connection id
- get_conn_uri(conn_id)[source]¶
Return URI representation of Connection conn_id.
As of Airflow version 2.3.0 this method is deprecated.