airflow.providers.yandex.secrets.lockbox¶
Objects relating to sourcing secrets from Yandex Cloud Lockbox.
Module Contents¶
Classes¶
Retrieves Connection or Variables or Configs from Yandex Lockbox. |
- class airflow.providers.yandex.secrets.lockbox.LockboxSecretBackend(yc_oauth_token=None, yc_sa_key_json=None, yc_sa_key_json_path=None, yc_connection_id=None, folder_id='', connections_prefix='airflow/connections', variables_prefix='airflow/variables', config_prefix='airflow/config', sep='/', endpoint=None)[source]¶
Bases:
airflow.secrets.BaseSecretsBackend,airflow.utils.log.logging_mixin.LoggingMixinRetrieves Connection or Variables or Configs from Yandex Lockbox.
Configurable via
airflow.cfglike so:[secrets] backend = airflow.providers.yandex.secrets.lockbox.LockboxSecretBackend backend_kwargs = {"connections_prefix": "airflow/connections"}
For example, when
{"connections_prefix": "airflow/connections"}is set, if a secret is defined with the pathairflow/connections/smtp_default, the connection with conn_idsmtp_defaultwould be accessible.When
{"variables_prefix": "airflow/variables"}is set, if a secret is defined with the pathairflow/variables/hello, the variable with the namehellowould be accessible.When
{"config_prefix": "airflow/config"}is set, if a secret is defined with the pathairflow/config/sql_alchemy_conn, the config with keysql_alchemy_connwould be accessible.When the prefix is empty, keys will use the Lockbox Secrets without any prefix.
[secrets] backend = airflow.providers.yandex.secrets.lockbox.LockboxSecretBackend backend_kwargs = {"yc_connection_id": "<connection_ID>", "folder_id": "<folder_ID>"}
You need to specify credentials or id of yandexcloud connection to connect to Yandex Lockbox with. Credentials will be used with this priority:
OAuth Token
Service Account JSON file
Service Account JSON
Yandex Cloud Connection
If no credentials specified, default connection id will be used.
Also, you need to specify the Yandex Cloud folder ID to search for Yandex Lockbox secrets in.
- Parameters
yc_oauth_token (str | None) – Specifies the user account OAuth token to connect to Yandex Lockbox with. Looks like
y3_xxxxx.yc_sa_key_json (dict | str | None) – Specifies the service account auth JSON. Looks like
{"id": "...", "service_account_id": "...", "private_key": "..."}.yc_sa_key_json_path (str | None) – Specifies the service account auth JSON file path. Looks like
/home/airflow/authorized_key.json. File content looks like{"id": "...", "service_account_id": "...", "private_key": "..."}.yc_connection_id (str | None) – Specifies the connection ID to connect to Yandex Lockbox with. Default: “yandexcloud_default”
folder_id (str) – Specifies the folder ID to search for Yandex Lockbox secrets in. If set to None (null in JSON), requests will use the connection folder_id if specified.
connections_prefix (str | None) – Specifies the prefix of the secret to read to get Connections. If set to None (null in JSON), requests for connections will not be sent to Yandex Lockbox. Default: “airflow/connections”
variables_prefix (str | None) – Specifies the prefix of the secret to read to get Variables. If set to None (null in JSON), requests for variables will not be sent to Yandex Lockbox. Default: “airflow/variables”
config_prefix (str | None) – Specifies the prefix of the secret to read to get Configurations. If set to None (null in JSON), requests for variables will not be sent to Yandex Lockbox. Default: “airflow/config”
sep (str) – Specifies the separator used to concatenate secret_prefix and secret_id. Default: “/”
endpoint (str | None) – Specifies an API endpoint. Leave blank to use default.
- get_conn_value(conn_id)[source]¶
Retrieve from Secrets Backend a string value representing the Connection object.