Objects relating to sourcing connections & variables from Hashicorp Vault

Module Contents

class airflow.contrib.secrets.hashicorp_vault.VaultBackend(connections_path='connections', variables_path='variables', url=None, auth_type='token', mount_point='secret', kv_engine_version=2, token=None, username=None, password=None, role_id=None, kubernetes_role=None, kubernetes_jwt_path='/var/run/secrets/', secret_id=None, gcp_key_path=None, gcp_scopes=None, **kwargs)[source]

Bases: airflow.secrets.BaseSecretsBackend, airflow.utils.log.logging_mixin.LoggingMixin

Retrieves Connections and Variables from Hashicorp Vault

Configurable via airflow.cfg as follows:

backend = airflow.contrib.secrets.hashicorp_vault.VaultBackend
backend_kwargs = {
    "connections_path": "connections",
    "url": "",
    "mount_point": "airflow"

For example, if your keys are under connections path in airflow mount_point, this would be accessible if you provide {"connections_path": "connections"} and request conn_id smtp_default.

  • connections_path (str) – Specifies the path of the secret to read to get Connections. (default: ‘connections’)

  • variables_path (str) – Specifies the path of the secret to read to get Variables. (default: ‘variables’)

  • url (str) – Base URL for the Vault instance being addressed.

  • auth_type (str) – Authentication Type for Vault (one of ‘token’, ‘ldap’, ‘userpass’, ‘approle’, ‘github’, ‘gcp’, ‘kubernetes’). Default is token.

  • mount_point (str) – The “path” the secret engine was mounted on. (Default: secret)

  • token (str) – Authentication token to include in requests sent to Vault. (for token and github auth_type)

  • kv_engine_version (int) – Select the version of the engine to run (1 or 2, default: 2)

  • username (str) – Username for Authentication (for ldap and userpass auth_type)

  • password (str) – Password for Authentication (for ldap and userpass auth_type)

  • role_id (str) – Role ID for Authentication (for approle auth_type)

  • kubernetes_role (str) – Role for Authentication (for kubernetes auth_type)

  • kubernetes_jwt_path (str) – Path for kubernetes jwt token (for kubernetes auth_type, deafult: /var/run/secrets/

  • secret_id (str) – Secret ID for Authentication (for approle auth_type)

  • gcp_key_path (str) – Path to GCP Credential JSON file (for gcp auth_type)

  • gcp_scopes (str) – Comma-separated string containing GCP scopes (for gcp auth_type)


Return an authenticated Hashicorp Vault client

get_conn_uri(self, conn_id)[source]

Get secret value from Vault. Store the secret in the form of URI


conn_id (str) – connection id

get_variable(self, key)[source]

Get Airflow Variable from Environment Variable


key – Variable Key


Variable Value

_get_secret(self, path_prefix, secret_id)[source]

Get secret value from Vault.

  • path_prefix (str) – Prefix for the Path to get Secret

  • secret_id (str) – Secret Key

Was this entry helpful?