airflow.providers.hashicorp.hooks.vault

Hook for HashiCorp Vault

Module Contents

Classes

VaultHook

Hook to Interact with HashiCorp Vault KeyValue Secret engine.

class airflow.providers.hashicorp.hooks.vault.VaultHook(vault_conn_id=default_conn_name, auth_type=None, auth_mount_point=None, kv_engine_version=None, role_id=None, kubernetes_role=None, kubernetes_jwt_path=None, token_path=None, gcp_key_path=None, gcp_scopes=None, azure_tenant_id=None, azure_resource=None, radius_host=None, radius_port=None, **kwargs)

Bases: airflow.hooks.base.BaseHook

Hook to Interact with HashiCorp Vault KeyValue Secret engine.

HashiCorp hvac documentation:

The hook connects to the host given as host in the connection. By default the connection's login and password are used as the credentials; other authentication parameters can be passed as init parameters or as the corresponding extras in the connection.

The mount point is given as the path component of the URL, mirroring Vault's own URL layout: it is the path the KV secret engine is mounted on. If not specified it defaults to “secret”. Note that this mount point is not used for authentication when authentication is done via a different engine; each auth engine has its own engine-specific auth_mount_point.

The extras in the connection are named the same as the parameters (‘kv_engine_version’, ‘auth_type’, …).

You can also use the gcp_keyfile_dict extra to pass a JSON-formatted dict in the case of ‘gcp’ authentication.

The URL schemas supported are “vault”, “http” (using http to connect to the vault) or “vaults” and “https” (using https to connect to the vault).

Example URL:

vault://user:password@host:port/mount_point?kv_engine_version=1&auth_type=github

Login/Password are used as credentials:

  • approle: login -> role_id, password -> secret_id

  • github: password -> token

  • token: password -> token

  • aws_iam: login -> key_id, password -> secret_id

  • azure: login -> client_id, password -> client_secret

  • ldap: login -> username, password -> password

  • userpass: login -> username, password -> password

  • radius: password -> radius_secret
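The URL schema and the login/password mapping above are easy to get wrong (a role_id put in the password slot, or a mount point left on the default), so here is an added example, not the hook's or Airflow's own code, that parses a connection URI of the form shown above into the settings an hvac client login needs and masks the credentials for logging. The function parse_vault_conn_uri and the two URIs are constructed for this illustration; in Airflow itself the URI is parsed by the Connection object and the hook reads the fields from there.

```python
# Added example (not the hook's or Airflow's own code): how a vault:// connection
# URI of the form shown above maps onto hvac client settings, following the
# scheme, mount-point and login/password rules listed on this page.
from urllib.parse import parse_qs, unquote, urlsplit

# URL scheme -> transport actually used to reach Vault.
SCHEME_TO_TRANSPORT = {"vault": "http", "http": "http", "vaults": "https", "https": "https"}

# auth_type -> (name the login is used as, name the password is used as).
# None means that slot is not used by the auth method.
CREDENTIAL_MAP = {
    "approle": ("role_id", "secret_id"),
    "github": (None, "token"),
    "token": (None, "token"),
    "aws_iam": ("key_id", "secret_id"),
    "azure": ("client_id", "client_secret"),
    "ldap": ("username", "password"),
    "userpass": ("username", "password"),
    "radius": (None, "radius_secret"),
}


def parse_vault_conn_uri(uri: str) -> dict:
    """Split a Vault connection URI into the settings an hvac.Client login needs.

    Hypothetical helper written for this example; it mirrors the rules on the page
    (scheme -> http/https, path -> mount point, query -> extras, login/password ->
    auth-type specific credentials).
    """
    parts = urlsplit(uri)
    if parts.scheme not in SCHEME_TO_TRANSPORT:
        raise ValueError(f"unsupported URL scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("connection URI has no host")

    # Extras travel in the query string; the last value wins if a key repeats.
    extras = {key: values[-1] for key, values in parse_qs(parts.query).items()}
    auth_type = extras.pop("auth_type", "token")  # page: default auth type is token
    if auth_type not in CREDENTIAL_MAP:
        raise ValueError(f"unknown auth_type {auth_type!r}")
    kv_engine_version = int(extras.pop("kv_engine_version", 2))  # page: default is 2
    if kv_engine_version not in (1, 2):
        raise ValueError("kv_engine_version must be 1 or 2")

    login_name, password_name = CREDENTIAL_MAP[auth_type]
    credentials = {}
    if login_name and parts.username:
        credentials[login_name] = unquote(parts.username)
    if password_name and parts.password:
        credentials[password_name] = unquote(parts.password)

    url = f"{SCHEME_TO_TRANSPORT[parts.scheme]}://{parts.hostname}"
    if parts.port:
        url += f":{parts.port}"
    return {
        "url": url,
        "mount_point": parts.path.strip("/") or "secret",  # page: defaults to "secret"
        "auth_type": auth_type,
        "kv_engine_version": kv_engine_version,
        "credentials": credentials,
        "extras": extras,  # e.g. auth_mount_point, kubernetes_role, ...
    }


def redacted(settings: dict) -> dict:
    """Copy of the parsed settings that is safe to log: credential values masked."""
    return {**settings, "credentials": {k: "***" for k in settings["credentials"]}}


# Constructed sample URIs for the example (not real hosts, roles or tokens).
APPROLE_URI = ("vault://7c9e-role-id:s3cr3t-id@vault.example.internal:8200/airflow-kv"
               "?kv_engine_version=2&auth_type=approle")
GITHUB_URI = ("vaults://:ghp_exampletoken@vault.example.internal"
              "?auth_type=github&auth_mount_point=github-prod")

if __name__ == "__main__":
    for uri in (APPROLE_URI, GITHUB_URI):
        print(redacted(parse_vault_conn_uri(uri)))
```

Two things worth checking with the output: a plain “vault://” scheme means plaintext HTTP, so the approle secret_id in the first URI would cross the network unencrypted unless the scheme is changed to “vaults”; and the github URI, with no path, silently lands on the default “secret” mount, which is usually not where a dedicated Airflow KV engine lives.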

Parameters
  • vault_conn_id (str) – The id of the connection to use

  • auth_type (str | None) – Authentication type for the Vault. Default is token. Available values are: (‘approle’, ‘aws_iam’, ‘azure’, ‘github’, ‘gcp’, ‘kubernetes’, ‘ldap’, ‘radius’, ‘token’, ‘userpass’)

  • auth_mount_point (str | None) – Mount point of the chosen authentication method. The default depends on the authentication method used.

  • kv_engine_version (int | None) – Select the version of the engine to run (1 or 2). Defaults to version defined in connection or 2 if not defined in connection.

  • role_id (str | None) – Role ID for aws_iam authentication (for approle the role ID is taken from the connection login, see above).

  • kubernetes_role (str | None) – Role for Authentication (for kubernetes auth_type)

  • kubernetes_jwt_path (str | None) – Path for kubernetes jwt token (for kubernetes auth_type, default: /var/run/secrets/kubernetes.io/serviceaccount/token)

  • token_path (str | None) – path to file containing authentication token to include in requests sent to Vault (for token and github auth_type).

  • gcp_key_path (str | None) – Path to Google Cloud Service Account key file (JSON) (for gcp auth_type) Mutually exclusive with gcp_keyfile_dict

  • gcp_scopes (str | None) – Comma-separated string containing OAuth2 scopes (for gcp auth_type)

  • azure_tenant_id (str | None) – The tenant id for the Azure Active Directory (for azure auth_type)

  • azure_resource (str | None) – The configured URL for the application registered in Azure Active Directory (for azure auth_type)

  • radius_host (str | None) – Host for radius (for radius auth_type)

  • radius_port (int | None) – Port for radius (for radius auth_type)

conn_name_attr = vault_conn_id
default_conn_name = vault_default
conn_type = vault
hook_name = Hashicorp Vault
get_conn()

Retrieves the connection to Vault.

Returns

connection used.

Return type

hvac.Client

get_secret(secret_path, secret_version=None)

Get secret value from the engine.

Parameters
  • secret_path (str) – Path of the secret

  • secret_version (int | None) – Optional version of the secret to read; can only be used with KV engine version 2

See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v1.html and https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.

Returns

secret stored in the vault as a dictionary

Return type

dict | None

get_secret_metadata(secret_path)

Reads secret metadata (including versions) from the engine. It is only valid for KV version 2.

Parameters

secret_path (str) – Path to read from

Returns

secret metadata. This is a Dict containing metadata for the secret.

Return type

dict | None

See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.

get_secret_including_metadata(secret_path, secret_version=None)

Reads the secret together with its metadata. It is only valid for KV version 2.

See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.

Parameters
  • secret_path (str) – Path of the secret

  • secret_version (int | None) – Optional version of the secret to read; can only be used with KV engine version 2

Returns

secret and metadata. This is a dict whose “data” mapping holds the secret's key/value pairs and whose “metadata” mapping holds the secret's metadata (including its version).

Return type

dict | None

create_or_update_secret(secret_path, secret, method=None, cas=None)

Creates or updates a secret.

Parameters
  • secret_path (str) – Path to write to

  • secret (dict) – Secret to create or update for the path specified

  • method (str | None) – Optional parameter to explicitly request a POST (create) or PUT (update) request to the selected kv secret engine. If no argument is provided for this parameter, hvac attempts to intelligently determine which method is appropriate. Only valid for KV engine version 1

  • cas (int | None) – Set the “cas” value to perform a Check-And-Set write. If not set, the write is always allowed. If set to 0, the write is only allowed if the key does not yet exist. If non-zero, the write is only allowed if the key's current version matches the value given in cas. Only valid for KV engine version 2.

Returns

The response of the create_or_update_secret request.

Return type

requests.Response

See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v1.html and https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.
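The cas rules above and the “data”/“metadata” shape returned by get_secret_including_metadata are what make a safe read-modify-write of a KV v2 secret possible (for example rotating one field of a connection secret without clobbering a concurrent writer). The following is an added example, not the provider's or hvac's code: a small constructed in-memory model of KV v2 versioning that uses the method names of hvac's client.secrets.kv.v2, an update_with_cas helper that reads the current version and writes back with cas set to it, and a walk-through of the three cas cases. The secret path and values are made up; the CasMismatch class stands in for the HTTP 400 that Vault returns on a cas conflict.

```python
# Added example (not the provider's code): what the cas parameter does on a KV v2
# engine, shown against a small in-memory stand-in for hvac's kv.v2 API, plus a
# read-modify-write helper that uses cas to avoid clobbering a concurrent write.
import copy


class CasMismatch(Exception):
    """Write rejected because cas did not match the current version.
    With a real hvac client the same condition surfaces as
    hvac.exceptions.InvalidRequest (HTTP 400 from Vault)."""


class FakeKVv2:
    """Constructed model of KV v2 versioning and check-and-set, mimicking the
    method names of hvac's client.secrets.kv.v2 (single mount, path -> versions)."""

    def __init__(self):
        self._versions = {}  # path -> list of secret dicts; index 0 is version 1

    def create_or_update_secret(self, path, secret, cas=None):
        current = len(self._versions.get(path, []))  # 0 == key does not exist yet
        # Page: cas unset -> always allowed; cas=0 -> only if absent;
        # cas=n -> only if the current version is n.
        if cas is not None and cas != current:
            raise CasMismatch(
                f"check-and-set parameter did not match the current version "
                f"(cas={cas}, current={current})"
            )
        self._versions.setdefault(path, []).append(copy.deepcopy(secret))
        return {"data": {"version": current + 1}}

    def read_secret_version(self, path, version=None):
        versions = self._versions.get(path)
        if not versions:
            return None  # simplified: real hvac raises hvac.exceptions.InvalidPath
        wanted = version or len(versions)  # latest unless a version is requested
        return {"data": {"data": copy.deepcopy(versions[wanted - 1]),
                         "metadata": {"version": wanted}}}


def update_with_cas(kv, path, update, max_attempts=3):
    """Read the current version, apply `update` to its data and write it back with
    cas set to that version. A concurrent writer makes the write fail instead of
    being silently overwritten; retry a few times, then give up loudly."""
    for _ in range(max_attempts):
        current = kv.read_secret_version(path)
        if current is None:
            version, data = 0, {}  # cas=0: create only if still absent
        else:
            version = current["data"]["metadata"]["version"]
            data = current["data"]["data"]
        try:
            return kv.create_or_update_secret(path, update(dict(data)), cas=version)
        except CasMismatch:
            continue  # someone wrote in between; re-read and retry
    raise RuntimeError(f"gave up after {max_attempts} check-and-set conflicts on {path!r}")


def demo():
    """Walk through the three cas cases on a constructed secret and report what happened."""
    kv = FakeKVv2()
    path = "airflow/connections/warehouse-db"  # constructed path

    kv.create_or_update_secret(path, {"password": "v1"}, cas=0)  # create: key absent, allowed
    try:
        kv.create_or_update_secret(path, {"password": "dup"}, cas=0)  # create again: rejected
        created_twice = True
    except CasMismatch:
        created_twice = False

    kv.create_or_update_secret(path, {"password": "v2"}, cas=1)  # version 1 -> 2, allowed
    try:
        kv.create_or_update_secret(path, {"password": "stale"}, cas=1)  # stale cas: rejected
        stale_write_accepted = True
    except CasMismatch:
        stale_write_accepted = False

    kv.create_or_update_secret(path, {"password": "free"})  # no cas: always allowed (v3)
    resp = update_with_cas(kv, path, lambda d: {**d, "password": "v4", "user": "airflow"})
    return {
        "created_twice": created_twice,
        "stale_write_accepted": stale_write_accepted,
        "final_version": resp["data"]["version"],
        "final_data": kv.read_secret_version(path)["data"]["data"],
        "first_version_data": kv.read_secret_version(path, version=1)["data"]["data"],
    }


if __name__ == "__main__":
    print(demo())
```

The same update_with_cas loop should work unchanged against a real client.secrets.kv.v2 once CasMismatch is replaced by hvac.exceptions.InvalidRequest, because the hvac methods take the same positional path and secret arguments and the cas keyword; that claim is an assumption of this example, not something the page states. Note that a write with cas left unset (the third write in demo) is exactly the case where two rotations racing each other lose one of the updates without any error.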
