`airflow.providers.hashicorp.secrets.vault`¶

Objects relating to sourcing connections & variables from Hashicorp Vault

Module Contents¶

Classes¶

VaultBackend

Retrieves Connections and Variables from Hashicorp Vault.

class airflow.providers.hashicorp.secrets.vault.VaultBackend(connections_path='connections', variables_path='variables', config_path='config', url=None, auth_type='token', auth_mount_point=None, mount_point='secret', kv_engine_version=2, token=None, token_path=None, username=None, password=None, key_id=None, secret_id=None, role_id=None, kubernetes_role=None, kubernetes_jwt_path='/var/run/secrets/kubernetes.io/serviceaccount/token', gcp_key_path=None, gcp_keyfile_dict=None, gcp_scopes=None, azure_tenant_id=None, azure_resource=None, radius_host=None, radius_secret=None, radius_port=None, **kwargs)[source]¶

Bases: airflow.secrets.BaseSecretsBackend, airflow.utils.log.logging_mixin.LoggingMixin

Retrieves Connections and Variables from Hashicorp Vault.

Configurable via airflow.cfg as follows:

[secrets]
backend = airflow.providers.hashicorp.secrets.vault.VaultBackend
backend_kwargs = {
    "connections_path": "connections",
    "url": "http://127.0.0.1:8200",
    "mount_point": "airflow"
    }

For example, if your keys are under connections path in airflow mount_point, this would be accessible if you provide {"connections_path": "connections"} and request conn_id smtp_default.

Parameters

connections_path (str) – Specifies the path of the secret to read to get Connections. (default: ‘connections’). If set to None (null), requests for connections will not be sent to Vault.
variables_path (str) – Specifies the path of the secret to read to get Variable. (default: ‘variables’). If set to None (null), requests for variables will not be sent to Vault.
config_path (str) – Specifies the path of the secret to read Airflow Configurations (default: ‘config’). If set to None (null), requests for configurations will not be sent to Vault.
url (Optional[str]) – Base URL for the Vault instance being addressed.
auth_type (str) – Authentication Type for Vault. Default is token. Available values are: (‘approle’, ‘aws_iam’, ‘azure’, ‘github’, ‘gcp’, ‘kubernetes’, ‘ldap’, ‘radius’, ‘token’, ‘userpass’)
auth_mount_point (Optional[str]) – It can be used to define mount_point for authentication chosen Default depends on the authentication method used.
mount_point (str) – The “path” the secret engine was mounted on. Default is “secret”. Note that this mount_point is not used for authentication if authentication is done via a different engine. For authentication mount_points see, auth_mount_point.
kv_engine_version (int) – Select the version of the engine to run (1 or 2, default: 2).
token (Optional[str]) – Authentication token to include in requests sent to Vault. (for token and github auth_type)
token_path (Optional[str]) – path to file containing authentication token to include in requests sent to Vault (for token and github auth_type).
username (Optional[str]) – Username for Authentication (for ldap and userpass auth_type).
password (Optional[str]) – Password for Authentication (for ldap and userpass auth_type).
key_id (Optional[str]) – Key ID for Authentication (for aws_iam and ‘’azure`` auth_type).
secret_id (Optional[str]) – Secret ID for Authentication (for approle, aws_iam and azure auth_types).
role_id (Optional[str]) – Role ID for Authentication (for approle, aws_iam auth_types).
kubernetes_role (Optional[str]) – Role for Authentication (for kubernetes auth_type).
kubernetes_jwt_path (str) – Path for kubernetes jwt token (for kubernetes auth_type, default: /var/run/secrets/kubernetes.io/serviceaccount/token).
gcp_key_path (Optional[str]) – Path to Google Cloud Service Account key file (JSON) (for gcp auth_type). Mutually exclusive with gcp_keyfile_dict.
gcp_keyfile_dict (Optional[dict]) – Dictionary of keyfile parameters. (for gcp auth_type). Mutually exclusive with gcp_key_path.
gcp_scopes (Optional[str]) – Comma-separated string containing OAuth2 scopes (for gcp auth_type).
azure_tenant_id (Optional[str]) – The tenant id for the Azure Active Directory (for azure auth_type).
azure_resource (Optional[str]) – The configured URL for the application registered in Azure Active Directory (for azure auth_type).
radius_host (Optional[str]) – Host for radius (for radius auth_type).
radius_secret (Optional[str]) – Secret for radius (for radius auth_type).
radius_port (Optional[int]) – Port for radius (for radius auth_type).

get_response(self, conn_id)[source]¶

Get data from Vault

Return type: dict
Returns: The data from the Vault path if exists

get_conn_uri(self, conn_id)[source]¶

Get serialized representation of connection

Parameters: conn_id (str) – The connection id
Return type: str
Returns: The connection uri retrieved from the secret

get_connection(self, conn_id)[source]¶

Get connection from Vault as secret. Prioritize conn_uri if exists, if not fall back to normal Connection creation.

Return type: Connection
Returns: A Connection object constructed from Vault data

get_variable(self, key)[source]¶

Get Airflow Variable

Parameters: key (str) – Variable Key
Return type: str
Returns: Variable Value retrieved from the vault

get_config(self, key)[source]¶

Get Airflow Configuration

Parameters: key (str) – Configuration Option Key
Return type: str
Returns: Configuration Option Value retrieved from the vault

airflow.providers.hashicorp.secrets.vault¶

Module Contents¶

Classes¶

`airflow.providers.hashicorp.secrets.vault`¶