Azure Key Vault Backend¶
To enable the Azure Key Vault as secrets backend, specify
AzureKeyVaultBackend
as the backend in [secrets] section of airflow.cfg.
Here is a sample configuration:
[secrets]
backend = airflow.providers.microsoft.azure.secrets.azure_key_vault.AzureKeyVaultBackend
backend_kwargs = {"connections_prefix": "airflow-connections", "variables_prefix": "airflow-variables", "vault_url": "https://example-akv-resource-name.vault.azure.net/"}
For client authentication, the DefaultAzureCredential from the Azure Python SDK is used as credential provider,
which supports service principal, managed identity and user credentials.
Optional lookup¶
Optionally connections, variables, or config may be looked up exclusive of each other or in any combination. This will prevent requests being sent to Azure Key Vault for the excluded type.
If you want to look up some and not others in Azure Key Vault you may do so by setting the relevant *_prefix parameter of the ones to be excluded as null.
For example, if you want to set parameter connections_prefix to "airflow-connections" and not look up variables, your configuration file should look like this:
[secrets]
backend = airflow.providers.microsoft.azure.secrets.azure_key_vault.AzureKeyVaultBackend
backend_kwargs = {"connections_prefix": "airflow-connections", "variables_prefix": null, "vault_url": "https://example-akv-resource-name.vault.azure.net/"}
Storing and Retrieving Connections¶
If you have set connections_prefix as airflow-connections, then for a connection id of smtp_default,
you would want to store your connection at airflow-connections-smtp-default.
The value of the secret must be the connection URI representation of the connection object.
Storing and Retrieving Variables¶
If you have set variables_prefix as airflow-variables, then for an Variable key of hello,
you would want to store your Variable at airflow-variables-hello.