airflow.providers.google.cloud.secrets.secret_manager

Objects relating to sourcing connections from Google Cloud Secrets Manager.

Module Contents

Classes

CloudSecretManagerBackend

Retrieves Connection object from Google Cloud Secrets Manager.

Attributes

log

SECRET_ID_PATTERN

airflow.providers.google.cloud.secrets.secret_manager.log[source]
airflow.providers.google.cloud.secrets.secret_manager.SECRET_ID_PATTERN = '^[a-zA-Z0-9-_]*$'[source]
class airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend(connections_prefix='airflow-connections', variables_prefix='airflow-variables', config_prefix='airflow-config', gcp_keyfile_dict=None, gcp_key_path=None, gcp_credential_config_file=None, gcp_scopes=None, project_id=PROVIDE_PROJECT_ID, sep='-', impersonation_chain=None, **kwargs)[source]

Bases: airflow.secrets.BaseSecretsBackend, airflow.utils.log.logging_mixin.LoggingMixin

Retrieves Connection object from Google Cloud Secrets Manager.

Configurable via airflow.cfg as follows:

[secrets]
backend = airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend
backend_kwargs = {"connections_prefix": "airflow-connections", "sep": "-"}

For example, if the Secrets Manager secret id is airflow-connections-smtp_default, this would be accessible if you provide {"connections_prefix": "airflow-connections", "sep": "-"} and request conn_id smtp_default.

If the Secrets Manager secret id is airflow-variables-hello, this would be accessible if you provide {"variables_prefix": "airflow-variables", "sep": "-"} and request Variable Key hello.

The full secret id should follow the pattern “[a-zA-Z0-9-_]”.

Parameters
  • connections_prefix (str) – Specifies the prefix of the secret to read to get Connections. If set to None (null), requests for connections will not be sent to GCP Secrets Manager

  • variables_prefix (str) – Specifies the prefix of the secret to read to get Variables. If set to None (null), requests for variables will not be sent to GCP Secrets Manager

  • config_prefix (str) – Specifies the prefix of the secret to read to get Airflow Configurations containing secrets. If set to None (null), requests for configurations will not be sent to GCP Secrets Manager

  • gcp_key_path (str | None) – Path to Google Cloud Service Account key file (JSON). Mutually exclusive with gcp_keyfile_dict. use default credentials in the current environment if not provided.

  • gcp_keyfile_dict (dict | None) – Dictionary of keyfile parameters. Mutually exclusive with gcp_key_path.

  • gcp_credential_config_file (dict[str, str] | str | None) – File path to or content of a GCP credential configuration file.

  • gcp_scopes (str | None) – Comma-separated string containing OAuth2 scopes

  • project_id (str) – Project ID to read the secrets from. If not passed, the project ID from credentials will be used.

  • sep (str) – Separator used to concatenate connections_prefix and conn_id. Default: “-“

  • impersonation_chain (str | Sequence[str] | None) – Optional service account to impersonate using short-term credentials, or chained list of accounts required to get the access token of the last account in the list, which will be impersonated in the request. If set as a string, the account must grant the originating account the Service Account Token Creator IAM role. If set as a sequence, the identities from the list must grant Service Account Token Creator IAM role to the directly preceding identity, with first account from the list granting this role to the originating account.

property client: airflow.providers.google.cloud._internal_client.secret_manager_client._SecretManagerClient[source]

Property returning secret client.

Returns

Secrets client

Return type

airflow.providers.google.cloud._internal_client.secret_manager_client._SecretManagerClient

get_conn_value(conn_id)[source]

Get serialized representation of Connection.

Parameters

conn_id (str) – connection id

get_conn_uri(conn_id)[source]

Return URI representation of Connection conn_id.

As of Airflow version 2.3.0 this method is deprecated.

Parameters

conn_id (str) – the connection id

Returns

deserialized Connection

Return type

str | None

get_variable(key)[source]

Get Airflow Variable from Environment Variable.

Parameters

key (str) – Variable Key

Returns

Variable Value

Return type

str | None

get_config(key)[source]

Get Airflow Configuration.

Parameters

key (str) – Configuration Option Key

Returns

Configuration Option Value

Return type

str | None

Was this entry helpful?