airflow.providers.hashicorp.hooks.vault
Hook for HashiCorp Vault.
Module Contents
Classes
VaultHook – Hook to Interact with HashiCorp Vault KeyValue Secret engine.
- class airflow.providers.hashicorp.hooks.vault.VaultHook(vault_conn_id=default_conn_name, auth_type=None, auth_mount_point=None, kv_engine_version=None, role_id=None, kubernetes_role=None, kubernetes_jwt_path=None, token_path=None, gcp_key_path=None, gcp_scopes=None, azure_tenant_id=None, azure_resource=None, radius_host=None, radius_port=None, **kwargs)
Bases: airflow.hooks.base.BaseHook
Hook to Interact with HashiCorp Vault KeyValue Secret engine.
- HashiCorp hvac documentation:
You connect to the host specified as host in the connection. The login/password from the connection are usually used as credentials, and you can specify different authentication parameters via init params or via the corresponding extras in the connection.
The mount point should be placed as a path in the URL, similarly to Vault’s URL schema: it indicates the “path” the secret engine is mounted on. The default if not specified is “secret”. Note that this mount_point is not used for authentication if authentication is done via a different engine; each auth engine uses its own engine-specific authentication mount_point. The extras in the connection are named the same as the parameters (‘kv_engine_version’, ‘auth_type’, …).
You can also use the gcp_keyfile_dict extra to pass a JSON-formatted dict in the case of ‘gcp’ authentication.
The URL schemas supported are “vault” and “http” (using http to connect to the vault) or “vaults” and “https” (using https to connect to the vault).
Example URL:
vault://user:password@host:port/mount_point?kv_engine_version=1&auth_type=github
Login/Password are used as credentials:
approle: login -> role_id, password -> secret_id
github: password -> token
token: password -> token
aws_iam: login -> key_id, password -> secret_id
azure: login -> client_id, password -> client_secret
ldap: login -> username, password -> password
userpass: login -> username, password -> password
radius: password -> radius_secret
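As an added example (not the provider's own code), a small helper that applies the URL schema, mount-point and login/password mapping described above to a connection URI; the function name parse_vault_conn_uri and the sample URI are constructed for this illustration.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical helper, not part of the Airflow provider: maps a connection URI
# onto hvac-level settings the way the VaultHook docstring describes.
# auth_type -> (what "login" becomes, what "password" becomes), per the docstring.
CREDENTIAL_FIELDS = {
    "approle": ("role_id", "secret_id"),
    "github": (None, "token"),
    "token": (None, "token"),
    "aws_iam": ("key_id", "secret_id"),
    "azure": ("client_id", "client_secret"),
    "ldap": ("username", "password"),
    "userpass": ("username", "password"),
    "radius": (None, "radius_secret"),
}
# "vault"/"http" talk plain HTTP to Vault; "vaults"/"https" use TLS.
SCHEME_TO_HTTP = {"vault": "http", "http": "http", "vaults": "https", "https": "https"}


def parse_vault_conn_uri(uri: str) -> dict:
    """Return the Vault address, KV mount point, KV version and credentials."""
    parts = urlsplit(uri)
    if parts.scheme not in SCHEME_TO_HTTP:
        raise ValueError(f"unsupported URL scheme: {parts.scheme!r}")
    # Query-string extras carry the same names as the VaultHook parameters.
    extras = {k: v[0] for k, v in parse_qs(parts.query).items()}
    auth_type = extras.get("auth_type", "token")  # docstring default
    if auth_type not in CREDENTIAL_FIELDS:
        raise ValueError(f"unknown auth_type: {auth_type!r}")
    kv_version = int(extras.get("kv_engine_version", 2))  # docstring default
    if kv_version not in (1, 2):
        raise ValueError(f"kv_engine_version must be 1 or 2, got {kv_version}")
    login_field, password_field = CREDENTIAL_FIELDS[auth_type]
    credentials = {}
    if login_field and parts.username:
        credentials[login_field] = unquote(parts.username)
    if password_field and parts.password:
        credentials[password_field] = unquote(parts.password)
    address = f"{SCHEME_TO_HTTP[parts.scheme]}://{parts.hostname}"
    if parts.port is not None:
        address += f":{parts.port}"
    return {
        "url": address,
        "mount_point": parts.path.strip("/") or "secret",  # URL path = KV mount point
        "kv_engine_version": kv_version,
        "auth_type": auth_type,
        "credentials": credentials,
    }


# Constructed sample URI (not from the page): AppRole auth against a KV v1 mount "kv".
SAMPLE_URI = "vault://my-role-id:my-secret-id@vault.example.internal:8200/kv?kv_engine_version=1&auth_type=approle"
```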
- Parameters
vault_conn_id (str) – The id of the connection to use
auth_type (str | None) – Authentication Type for the Vault. Default is token. Available values are: (‘approle’, ‘github’, ‘gcp’, ‘kubernetes’, ‘ldap’, ‘token’, ‘userpass’)
auth_mount_point (str | None) – It can be used to define the mount_point for the chosen authentication. Default depends on the authentication method used.
kv_engine_version (int | None) – Select the version of the engine to run (1 or 2). Defaults to the version defined in the connection, or 2 if not defined in the connection.
role_id (str | None) – Role ID for aws_iam Authentication.
kubernetes_role (str | None) – Role for Authentication (for kubernetes auth_type)
kubernetes_jwt_path (str | None) – Path for kubernetes jwt token (for kubernetes auth_type, default: /var/run/secrets/kubernetes.io/serviceaccount/token)
token_path (str | None) – path to file containing authentication token to include in requests sent to Vault (for token and github auth_type).
gcp_key_path (str | None) – Path to Google Cloud Service Account key file (JSON) (for gcp auth_type). Mutually exclusive with gcp_keyfile_dict
gcp_scopes (str | None) – Comma-separated string containing OAuth2 scopes (for gcp auth_type)
azure_tenant_id (str | None) – The tenant id for the Azure Active Directory (for azure auth_type)
azure_resource (str | None) – The configured URL for the application registered in Azure Active Directory (for azure auth_type)
radius_host (str | None) – Host for radius (for radius auth_type)
radius_port (int | None) – Port for radius (for radius auth_type)
- get_secret(secret_path, secret_version=None)
Get secret value from the engine.
- Parameters
See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v1.html and https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.
- get_secret_metadata(secret_path)
Read secret metadata (including versions) from the engine. It is only valid for KV version 2.
- Parameters
secret_path (str) – Path to read from
- Returns
secret metadata. This is a Dict containing metadata for the secret.
- Return type
dict | None
See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.
- get_secret_including_metadata(secret_path, secret_version=None)
Read secret including metadata. It is only valid for KV version 2.
See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.
- Parameters
- Returns
key info. This is a Dict with “data” mapping keeping secret and “metadata” mapping keeping metadata of the secret.
- Return type
dict | None
- create_or_update_secret(secret_path, secret, method=None, cas=None)
Create or update a secret.
- Parameters
secret_path (str) – Path to read from
secret (dict) – Secret to create or update for the path specified
method (str | None) – Optional parameter to explicitly request a POST (create) or PUT (update) request to the selected kv secret engine. If no argument is provided for this parameter, hvac attempts to intelligently determine which method is appropriate. Only valid for KV engine version 1
cas (int | None) – Set the “cas” value to use a Check-And-Set operation. If not set the write will be allowed. If set to 0 a write will only be allowed if the key doesn’t exist. If the index is non-zero the write will only be allowed if the key’s current version matches the version specified in the cas parameter. Only valid for KV engine version 2.
- Returns
The response of the create_or_update_secret request.
- Return type
See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v1.html and https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.
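To make the cas rules above concrete, an added in-memory model (not the hook's or Vault's code) of one KV v2 path that accepts or rejects writes exactly as the cas parameter is described; the class KvV2Path and the exception CasConflict are constructed for this illustration.

```python
from typing import Optional


class CasConflict(Exception):
    """The cas condition failed, so the write must be rejected."""


class KvV2Path:
    """Versioned secret at one KV v2 path, applying check-and-set as documented."""

    def __init__(self) -> None:
        self.versions: list = []  # versions[i] holds version i+1 of the secret

    @property
    def current_version(self) -> int:
        # 0 means the key does not exist yet.
        return len(self.versions)

    def write(self, secret: dict, cas: Optional[int] = None) -> int:
        """Store a new version and return its number; raise CasConflict on mismatch."""
        if cas is None:
            pass  # no check-and-set: the write is always allowed
        elif cas == 0 and self.current_version != 0:
            # cas=0 only permits creating a key that does not exist.
            raise CasConflict("cas=0 but the key already exists")
        elif cas != 0 and cas != self.current_version:
            # Non-zero cas must equal the key's current version (stale writer loses).
            raise CasConflict(f"cas={cas} but current version is {self.current_version}")
        self.versions.append(dict(secret))
        return self.current_version

    def read(self, version: Optional[int] = None) -> dict:
        """Return the given version (default: latest), mirroring secret_version."""
        idx = (version or self.current_version) - 1
        return dict(self.versions[idx])
```

Two writers that both use the version they last read cannot silently overwrite each other: the second one's cas no longer matches and its write raises CasConflict.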