airflow.providers.yandex.secrets.lockbox
Objects relating to sourcing secrets from Yandex Cloud Lockbox.
Module Contents
Classes
LockboxSecretBackend: Retrieves connections or variables or configs from Yandex Lockbox.
- class airflow.providers.yandex.secrets.lockbox.LockboxSecretBackend(yc_oauth_token=None, yc_sa_key_json=None, yc_sa_key_json_path=None, yc_connection_id=None, folder_id='', connections_prefix='airflow/connections', variables_prefix='airflow/variables', config_prefix='airflow/config', sep='/', endpoint=None)
Bases: airflow.secrets.BaseSecretsBackend, airflow.utils.log.logging_mixin.LoggingMixin
Retrieves connections or variables or configs from Yandex Lockbox.
Configurable via airflow.cfg like so:

    [secrets]
    backend = airflow.providers.yandex.secrets.lockbox.LockboxSecretBackend
    backend_kwargs = {"connections_prefix": "airflow/connections"}

For example, when {"connections_prefix": "airflow/connections"} is set, if a secret is defined with the path airflow/connections/smtp_default, the connection with conn_id smtp_default would be accessible.
When {"variables_prefix": "airflow/variables"} is set, if a secret is defined with the path airflow/variables/hello, the variable with the name hello would be accessible.
When {"config_prefix": "airflow/config"} is set, if a secret is defined with the path airflow/config/sql_alchemy_conn, the config with key sql_alchemy_conn would be accessible.
If the prefix is empty, the requests will not be sent to Yandex Lockbox.

    [secrets]
    backend = airflow.providers.yandex.secrets.lockbox.LockboxSecretBackend
    backend_kwargs = {"yc_connection_id": "<connection_ID>", "folder_id": "<folder_ID>"}

You need to specify credentials or the ID of the yandexcloud connection to connect to Yandex Lockbox. The credentials will be used with the following priority:
1. OAuth token
2. Service account key in JSON from file
3. Service account key in JSON
4. Yandex Cloud connection
If you do not specify any credentials, the system will use the default connection ID: yandexcloud_default.
Also, you need to specify the Yandex Cloud folder ID to search for Yandex Lockbox secrets in. If you do not specify folder ID, the requests will use the connection folder_id if specified.
- Parameters
  - yc_oauth_token (str | None) – Specifies the user account OAuth token to connect to Yandex Lockbox. The parameter value should look like y3_xx123.
  - yc_sa_key_json (dict | str | None) – Specifies the service account key in JSON. The parameter value should look like {"id": "...", "service_account_id": "...", "private_key": "..."}.
  - yc_sa_key_json_path (str | None) – Specifies the service account key in JSON file path. The parameter value should look like /home/airflow/authorized_key.json, while the file content should have the following format: {"id": "...", "service_account_id": "...", "private_key": "..."}.
  - yc_connection_id (str | None) – Specifies the connection ID to connect to Yandex Lockbox. The default value is yandexcloud_default.
  - folder_id (str) – Specifies the folder ID to search for Yandex Lockbox secrets in. If set to None (null in JSON), the requests will use the connection folder_id, if specified.
  - connections_prefix (str | None) – Specifies the prefix of the secret to read to get connections. If set to None (null in JSON), the requests for connections will not be sent to Yandex Lockbox. The default value is airflow/connections.
  - variables_prefix (str | None) – Specifies the prefix of the secret to read to get variables. If set to None (null in JSON), the requests for variables will not be sent to Yandex Lockbox. The default value is airflow/variables.
  - config_prefix (str | None) – Specifies the prefix of the secret to read to get configurations. If set to None (null in JSON), the requests for configurations will not be sent to Yandex Lockbox. The default value is airflow/config.
  - sep (str) – Specifies the separator to concatenate secret_prefix and secret_id. The default value is /.
  - endpoint (str | None) – Specifies the API endpoint. If set to None (null in JSON), the requests will use the connection endpoint, if specified; otherwise, they will use the default endpoint.
- get_conn_value(conn_id)
Retrieve from Secrets Backend a string value representing the Connection object.
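
The following Python sketch is an added example, not code from the Yandex provider. It models the credential priority and the prefix and separator rules documented above, to show how a given backend_kwargs value would be interpreted: which credential wins, which ones are outranked, and which lookups are disabled. The function names, report fields and sample values (such as the my_yc connection ID) are assumptions made for illustration.

```python
import json

# Credential kwargs in the priority order this page lists (highest first).
CREDENTIAL_PRIORITY = ("yc_oauth_token", "yc_sa_key_json_path",
                       "yc_sa_key_json", "yc_connection_id")
# Documented default prefixes and separator.
DEFAULTS = {"connections_prefix": "airflow/connections",
            "variables_prefix": "airflow/variables",
            "config_prefix": "airflow/config", "sep": "/"}


def secret_name(kwargs, kind, key):
    """Return the secret name for a lookup, or None if that lookup is disabled.

    kind is "connections", "variables" or "config" (hypothetical helper).
    """
    merged = {**DEFAULTS, **kwargs}
    prefix = merged[kind + "_prefix"]
    if not prefix:  # None (JSON null) or empty: no request is sent
        return None
    return prefix + merged["sep"] + key


def review_backend_kwargs(raw_json):
    """Summarise how a backend_kwargs JSON string would be interpreted."""
    kwargs = json.loads(raw_json)
    supplied = [name for name in CREDENTIAL_PRIORITY if kwargs.get(name)]
    return {
        # With nothing supplied, the default connection ID is used.
        "credential_used": supplied[0] if supplied else "yandexcloud_default",
        # Lower-priority credentials that are set but outranked.
        "credentials_shadowed": supplied[1:],
        # Credential material written literally into backend_kwargs.
        "inline_secrets": [n for n in supplied
                           if n in ("yc_oauth_token", "yc_sa_key_json")],
        # Prefixes set to null or empty, so nothing is fetched for them.
        "disabled_lookups": [k for k in ("connections", "variables", "config")
                             if secret_name(kwargs, k, "x") is None],
    }


# Constructed sample: a backend_kwargs value as it might appear in airflow.cfg.
SAMPLE = ('{"yc_oauth_token": "y3_xx123", "yc_connection_id": "my_yc", '
          '"variables_prefix": null, "folder_id": "<folder_ID>"}')

if __name__ == "__main__":
    for field, value in review_backend_kwargs(SAMPLE).items():
        print(f"{field}: {value}")
    print(secret_name(json.loads(SAMPLE), "connections", "smtp_default"))
```

Running a check like this before deployment catches a token or key left inline next to a connection ID, and a prefix set to null that silently disables variable or config lookups.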