airflow.providers.google.cloud.secrets.secret_manager
¶
Objects relating to sourcing connections from Google Cloud Secrets Manager
Module Contents¶
-
class
airflow.providers.google.cloud.secrets.secret_manager.
CloudSecretManagerBackend
(connections_prefix: str = 'airflow-connections', variables_prefix: str = 'airflow-variables', config_prefix: str = 'airflow-config', gcp_keyfile_dict: Optional[dict] = None, gcp_key_path: Optional[str] = None, gcp_scopes: Optional[str] = None, project_id: Optional[str] = None, sep: str = '-', **kwargs)[source]¶ Bases:
airflow.secrets.BaseSecretsBackend
,airflow.utils.log.logging_mixin.LoggingMixin
Retrieves Connection object from Google Cloud Secrets Manager
Configurable via
airflow.cfg
as follows:[secrets] backend = airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend backend_kwargs = {"connections_prefix": "airflow-connections", "sep": "-"}
For example, if the Secrets Manager secret id is
airflow-connections-smtp_default
, this would be accessible if you provide{"connections_prefix": "airflow-connections", "sep": "-"}
and request conn_idsmtp_default
.If the Secrets Manager secret id is
airflow-variables-hello
, this would be accessible if you provide{"variables_prefix": "airflow-variables", "sep": "-"}
and request Variable Keyhello
.The full secret id should follow the pattern “[a-zA-Z0-9-_]”.
- Parameters
connections_prefix (str) – Specifies the prefix of the secret to read to get Connections. If set to None (null), requests for connections will not be sent to GCP Secrets Manager
variables_prefix (str) – Specifies the prefix of the secret to read to get Variables. If set to None (null), requests for variables will not be sent to GCP Secrets Manager
config_prefix (str) – Specifies the prefix of the secret to read to get Airflow Configurations containing secrets. If set to None (null), requests for configurations will not be sent to GCP Secrets Manager
gcp_key_path (str) – Path to Google Cloud Service Account key file (JSON). Mutually exclusive with gcp_keyfile_dict. use default credentials in the current environment if not provided.
gcp_keyfile_dict (dict) – Dictionary of keyfile parameters. Mutually exclusive with gcp_key_path.
gcp_scopes (str) – Comma-separated string containing OAuth2 scopes
project_id (str) – Project ID to read the secrets from. If not passed, the project ID from credentials will be used.
sep (str) – Separator used to concatenate connections_prefix and conn_id. Default: “-“
-
get_conn_uri
(self, conn_id: str)[source]¶ Get secret value from the SecretManager.
- Parameters
conn_id (str) – connection id
-
get_variable
(self, key: str)[source]¶ Get Airflow Variable from Environment Variable
- Parameters
key – Variable Key
- Returns
Variable Value