airflow.providers.yandex.secrets.lockbox

Objects relating to sourcing secrets from Yandex Cloud Lockbox.

Module Contents

Classes

LockboxSecretBackend

Retrieves connections or variables or configs from Yandex Lockbox.

class airflow.providers.yandex.secrets.lockbox.LockboxSecretBackend(yc_oauth_token=None, yc_sa_key_json=None, yc_sa_key_json_path=None, yc_connection_id=None, folder_id='', connections_prefix='airflow/connections', variables_prefix='airflow/variables', config_prefix='airflow/config', sep='/', endpoint=None)

Bases: airflow.secrets.BaseSecretsBackend, airflow.utils.log.logging_mixin.LoggingMixin

Retrieves connections or variables or configs from Yandex Lockbox.

Configurable via airflow.cfg like so:

[secrets]
backend = airflow.providers.yandex.secrets.lockbox.LockboxSecretBackend
backend_kwargs = {"connections_prefix": "airflow/connections"}

For example, when {"connections_prefix": "airflow/connections"} is set, if a secret is defined with the path airflow/connections/smtp_default, the connection with conn_id smtp_default would be accessible.

When {"variables_prefix": "airflow/variables"} is set, if a secret is defined with the path airflow/variables/hello, the variable with the name hello would be accessible.

When {"config_prefix": "airflow/config"} is set, if a secret is defined with the path airflow/config/sql_alchemy_conn, the config with key sql_alchemy_conn would be accessible.

If the prefix is empty, the requests will not be sent to Yandex Lockbox.

[secrets]
backend = airflow.providers.yandex.secrets.lockbox.LockboxSecretBackend
backend_kwargs = {"yc_connection_id": "<connection_ID>", "folder_id": "<folder_ID>"}

You need to specify credentials or the ID of the yandexcloud connection to connect to Yandex Lockbox. The credentials will be used with the following priority:

  • OAuth token

  • Service account key in JSON from file

  • Service account key in JSON

  • Yandex Cloud connection

If you do not specify any credentials, the system will use the default connection ID: yandexcloud_default.

You also need to specify the Yandex Cloud folder ID to search for Yandex Lockbox secrets in. If you do not specify the folder ID, the requests will use the connection folder_id, if specified.

Parameters
  • yc_oauth_token (str | None) – Specifies the user account OAuth token to connect to Yandex Lockbox. The parameter value should look like y3_xx123.

  • yc_sa_key_json (dict | str | None) – Specifies the service account key in JSON. The parameter value should look like {"id": "...", "service_account_id": "...", "private_key": "..."}.

  • yc_sa_key_json_path (str | None) – Specifies the path to the service account key JSON file. The parameter value should look like /home/airflow/authorized_key.json, while the file content should have the following format: {"id": "...", "service_account_id": "...", "private_key": "..."}.

  • yc_connection_id (str | None) – Specifies the connection ID to connect to Yandex Lockbox. The default value is yandexcloud_default.

  • folder_id (str) – Specifies the folder ID to search for Yandex Lockbox secrets in. If set to None (null in JSON), the requests will use the connection folder_id, if specified.

  • connections_prefix (str | None) – Specifies the prefix of the secret to read to get connections. If set to None (null in JSON), the requests for connections will not be sent to Yandex Lockbox. The default value is airflow/connections.

  • variables_prefix (str | None) – Specifies the prefix of the secret to read to get variables. If set to None (null in JSON), the requests for variables will not be sent to Yandex Lockbox. The default value is airflow/variables.

  • config_prefix (str | None) – Specifies the prefix of the secret to read to get configurations. If set to None (null in JSON), the requests for configurations will not be sent to Yandex Lockbox. The default value is airflow/config.

  • sep (str) – Specifies the separator to concatenate secret_prefix and secret_id. The default value is /.

  • endpoint (str | None) – Specifies the API endpoint. If set to None (null in JSON), the requests will use the connection endpoint, if specified; otherwise, they will use the default endpoint.
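
The following is an added example, not the provider's own code: it models the lookup-path and credential-priority rules documented above so that a backend_kwargs value can be reviewed before it is deployed. The helper names secret_name and audit are hypothetical, and the code follows the documented behaviour only; it does not call Yandex Lockbox.

```python
import json

# Defaults copied from the class signature documented above.
DEFAULTS = {"connections_prefix": "airflow/connections", "variables_prefix": "airflow/variables",
            "config_prefix": "airflow/config", "sep": "/"}
# Credential kwargs in the priority order listed above (first one set is used).
CRED_PRIORITY = ["yc_oauth_token", "yc_sa_key_json_path", "yc_sa_key_json", "yc_connection_id"]
# These two kwargs carry the credential itself, so it ends up inside airflow.cfg.
INLINE_SECRETS = {"yc_oauth_token", "yc_sa_key_json"}


def secret_name(kwargs, kind, key):
    """Lockbox secret name looked up for `key`, or None when no request is sent."""
    prefix = kwargs.get(f"{kind}_prefix", DEFAULTS[f"{kind}_prefix"])
    if not prefix:  # None (null in JSON) or empty: Lockbox is not queried for this kind
        return None
    return f"{prefix}{kwargs.get('sep', DEFAULTS['sep'])}{key}"


def audit(kwargs):
    """Hypothetical helper: return (effective credential kwarg, list of findings)."""
    set_creds = [k for k in CRED_PRIORITY if kwargs.get(k)]
    effective = set_creds[0] if set_creds else "yc_connection_id"  # default: yandexcloud_default
    findings = []
    if len(set_creds) > 1:
        findings.append(f"{', '.join(set_creds[1:])} shadowed by {set_creds[0]}")
    findings += [f"{k} stores credential material in airflow.cfg"
                 for k in set_creds if k in INLINE_SECRETS]
    if not kwargs.get("folder_id"):
        findings.append("folder_id unset: the connection folder_id is used, if specified")
    return effective, findings


# Constructed backend_kwargs value (placeholder token and path taken from the parameter docs).
SAMPLE = json.loads('{"yc_oauth_token": "y3_xx123", '
                    '"yc_sa_key_json_path": "/home/airflow/authorized_key.json", '
                    '"variables_prefix": null, "sep": "-"}')

if __name__ == "__main__":
    for kind, key in [("connections", "smtp_default"), ("variables", "hello"),
                      ("config", "sql_alchemy_conn")]:
        print(kind, key, "->", secret_name(SAMPLE, kind, key))
    effective, findings = audit(SAMPLE)
    print("credential used:", effective)
    for finding in findings:
        print("finding:", finding)
```
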

get_conn_value(conn_id)

Retrieve from Secrets Backend a string value representing the Connection object.

Parameters

conn_id (str) – Connection ID

Returns

Connection Value

Return type

str | None

get_variable(key)

Return value for Airflow Variable.

Parameters

key (str) – Variable Key

Returns

Variable Value

Return type

str | None

get_config(key)

Return value for Airflow Config Key.

Parameters

key (str) – Config Key

Returns

Config Value

Return type

str | None
