airflow.providers.hashicorp.secrets.vault

Objects relating to sourcing connections & variables from Hashicorp Vault

Module Contents

class airflow.providers.hashicorp.secrets.vault.VaultBackend(connections_path: str = 'connections', variables_path: str = 'variables', config_path: str = 'config', url: Optional[str] = None, auth_type: str = 'token', auth_mount_point: Optional[str] = None, mount_point: str = 'secret', kv_engine_version: int = 2, token: Optional[str] = None, token_path: Optional[str] = None, username: Optional[str] = None, password: Optional[str] = None, key_id: Optional[str] = None, secret_id: Optional[str] = None, role_id: Optional[str] = None, kubernetes_role: Optional[str] = None, kubernetes_jwt_path: str = '/var/run/secrets/kubernetes.io/serviceaccount/token', gcp_key_path: Optional[str] = None, gcp_keyfile_dict: Optional[dict] = None, gcp_scopes: Optional[str] = None, azure_tenant_id: Optional[str] = None, azure_resource: Optional[str] = None, radius_host: Optional[str] = None, radius_secret: Optional[str] = None, radius_port: Optional[int] = None, **kwargs)[source]

Bases: airflow.secrets.BaseSecretsBackend, airflow.utils.log.logging_mixin.LoggingMixin

Retrieves Connections and Variables from Hashicorp Vault.

Configurable via airflow.cfg as follows:

[secrets]
backend = airflow.providers.hashicorp.secrets.vault.VaultBackend
backend_kwargs = {
    "connections_path": "connections",
    "url": "http://127.0.0.1:8200",
    "mount_point": "airflow"
    }

For example, if your keys are under connections path in airflow mount_point, this would be accessible if you provide {"connections_path": "connections"} and request conn_id smtp_default.

Parameters

  • connections_path (str) -- Specifies the path of the secret to read to get Connections. (default: 'connections'). If set to None (null), requests for connections will not be sent to Vault.

  • variables_path (str) -- Specifies the path of the secret to read to get Variable. (default: 'variables'). If set to None (null), requests for variables will not be sent to Vault.

  • config_path (str) -- Specifies the path of the secret to read Airflow Configurations (default: 'config'). If set to None (null), requests for configurations will not be sent to Vault.

  • url (str) -- Base URL for the Vault instance being addressed.

  • auth_type (str) -- Authentication Type for Vault. Default is token. Available values are: ('approle', 'aws_iam', 'azure', 'github', 'gcp', 'kubernetes', 'ldap', 'radius', 'token', 'userpass')

  • auth_mount_point (str) -- It can be used to define mount_point for authentication chosen Default depends on the authentication method used.

  • mount_point (str) -- The "path" the secret engine was mounted on. Default is "secret". Note that this mount_point is not used for authentication if authentication is done via a different engine. For authentication mount_points see, auth_mount_point.

  • kv_engine_version (int) -- Select the version of the engine to run (1 or 2, default: 2).

  • token (str) -- Authentication token to include in requests sent to Vault. (for token and github auth_type)

  • token_path (str) -- path to file containing authentication token to include in requests sent to Vault (for token and github auth_type).

  • username (str) -- Username for Authentication (for ldap and userpass auth_type).

  • password (str) -- Password for Authentication (for ldap and userpass auth_type).

  • key_id (str) -- Key ID for Authentication (for aws_iam and ''azure`` auth_type).

  • secret_id (str) -- Secret ID for Authentication (for approle, aws_iam and azure auth_types).

  • role_id (str) -- Role ID for Authentication (for approle, aws_iam auth_types).

  • kubernetes_role (str) -- Role for Authentication (for kubernetes auth_type).

  • kubernetes_jwt_path (str) -- Path for kubernetes jwt token (for kubernetes auth_type, default: /var/run/secrets/kubernetes.io/serviceaccount/token).

  • gcp_key_path (str) -- Path to Google Cloud Service Account key file (JSON) (for gcp auth_type). Mutually exclusive with gcp_keyfile_dict.

  • gcp_keyfile_dict (dict) -- Dictionary of keyfile parameters. (for gcp auth_type). Mutually exclusive with gcp_key_path.

  • gcp_scopes (str) -- Comma-separated string containing OAuth2 scopes (for gcp auth_type).

  • azure_tenant_id (str) -- The tenant id for the Azure Active Directory (for azure auth_type).

  • azure_resource (str) -- The configured URL for the application registered in Azure Active Directory (for azure auth_type).

  • radius_host (str) -- Host for radius (for radius auth_type).

  • radius_secret (str) -- Secret for radius (for radius auth_type).

  • radius_port (str) -- Port for radius (for radius auth_type).

get_conn_uri(self, conn_id: str)[source]

Get secret value from Vault. Store the secret in the form of URI

Parameters

conn_id (str) -- The connection id

Return type

str

Returns

The connection uri retrieved from the secret

get_variable(self, key: str)[source]

Get Airflow Variable

Parameters

key (str) -- Variable Key

Return type

str

Returns

Variable Value retrieved from the vault

get_config(self, key: str)[source]

Get Airflow Configuration

Parameters

key (str) -- Configuration Option Key

Return type

str

Returns

Configuration Option Value retrieved from the vault

Was this entry helpful?