airflow.providers.google.cloud.secrets.secret_manager
Objects relating to sourcing connections from Google Cloud Secrets Manager.
Module Contents
Classes
CloudSecretManagerBackend | Retrieves Connection object from Google Cloud Secrets Manager.
Attributes
- airflow.providers.google.cloud.secrets.secret_manager.SECRET_ID_PATTERN = '^[a-zA-Z0-9-_]*$'
- class airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend(connections_prefix='airflow-connections', variables_prefix='airflow-variables', config_prefix='airflow-config', gcp_keyfile_dict=None, gcp_key_path=None, gcp_credential_config_file=None, gcp_scopes=None, project_id=PROVIDE_PROJECT_ID, sep='-', impersonation_chain=None, **kwargs)
Bases: airflow.secrets.BaseSecretsBackend, airflow.utils.log.logging_mixin.LoggingMixin
Retrieves Connection object from Google Cloud Secrets Manager.
Configurable via airflow.cfg as follows:

    [secrets]
    backend = airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend
    backend_kwargs = {"connections_prefix": "airflow-connections", "sep": "-"}

For example, if the Secrets Manager secret id is airflow-connections-smtp_default, this would be accessible if you provide {"connections_prefix": "airflow-connections", "sep": "-"} and request conn_id smtp_default.
If the Secrets Manager secret id is airflow-variables-hello, this would be accessible if you provide {"variables_prefix": "airflow-variables", "sep": "-"} and request Variable Key hello.
The full secret id should follow the pattern "[a-zA-Z0-9-_]".
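The naming rule above can be checked before deployment. The following is an added example, not the provider's own code: the helpers resolve_secret_id and audit_names are hypothetical, the sample input is constructed, and the pattern and default prefixes are the ones documented on this page. It also covers the documented case where a prefix set to None disables lookups of that kind.

```python
import re

# Pattern copied from the SECRET_ID_PATTERN attribute documented on this page.
SECRET_ID_PATTERN = r"^[a-zA-Z0-9-_]*$"

# Defaults copied from the CloudSecretManagerBackend signature on this page.
KINDS = {
    "connections_prefix": "airflow-connections",
    "variables_prefix": "airflow-variables",
}


def resolve_secret_id(prefix, key, sep="-"):
    """Return the secret id a lookup maps to, or None if no lookup is sent."""
    if prefix is None:
        # Documented behaviour: a None prefix disables lookups of that kind.
        return None
    secret_id = f"{prefix}{sep}{key}"
    if not re.match(SECRET_ID_PATTERN, secret_id):
        raise ValueError(f"{secret_id!r} does not match {SECRET_ID_PATTERN}")
    return secret_id


def audit_names(backend_kwargs, requested):
    """Map (kind, key) pairs to a secret id, "disabled" or "invalid"."""
    sep = backend_kwargs.get("sep", "-")
    report = {}
    for kind, key in requested:
        prefix = backend_kwargs.get(kind, KINDS[kind])
        try:
            secret_id = resolve_secret_id(prefix, key, sep)
            report[(kind, key)] = "disabled" if secret_id is None else secret_id
        except ValueError:
            report[(kind, key)] = "invalid"
    return report


# Constructed sample input: variables are deliberately switched off.
SAMPLE_KWARGS = {"connections_prefix": "airflow-connections", "variables_prefix": None}
SAMPLE_REQUESTS = [
    ("connections_prefix", "smtp_default"),
    ("connections_prefix", "db/prod"),  # "/" is outside the allowed characters
    ("variables_prefix", "hello"),
]

if __name__ == "__main__":
    for name, outcome in audit_names(SAMPLE_KWARGS, SAMPLE_REQUESTS).items():
        print(name, "->", outcome)
```
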
- Parameters
connections_prefix (str) – Specifies the prefix of the secret to read to get Connections. If set to None (null), requests for connections will not be sent to GCP Secrets Manager.
variables_prefix (str) – Specifies the prefix of the secret to read to get Variables. If set to None (null), requests for variables will not be sent to GCP Secrets Manager.
config_prefix (str) – Specifies the prefix of the secret to read to get Airflow Configurations containing secrets. If set to None (null), requests for configurations will not be sent to GCP Secrets Manager.
gcp_key_path (str | None) – Path to Google Cloud Service Account key file (JSON). Mutually exclusive with gcp_keyfile_dict. Uses the default credentials in the current environment if not provided.
gcp_keyfile_dict (dict | None) – Dictionary of keyfile parameters. Mutually exclusive with gcp_key_path.
gcp_credential_config_file (dict[str, str] | str | None) – File path to or content of a GCP credential configuration file.
gcp_scopes (str | None) – Comma-separated string containing OAuth2 scopes.
project_id (str) – Project ID to read the secrets from. If not passed, the project ID from credentials will be used.
sep (str) – Separator used to concatenate connections_prefix and conn_id. Default: "-"
impersonation_chain (str | collections.abc.Sequence[str] | None) – Optional service account to impersonate using short-term credentials, or chained list of accounts required to get the access token of the last account in the list, which will be impersonated in the request. If set as a string, the account must grant the originating account the Service Account Token Creator IAM role. If set as a sequence, each identity in the list must grant the Service Account Token Creator IAM role to the directly preceding identity, with the first account in the list granting this role to the originating account.
- property client: airflow.providers.google.cloud._internal_client.secret_manager_client._SecretManagerClient
Property returning secret client.
- Returns
Secrets client
- Return type
airflow.providers.google.cloud._internal_client.secret_manager_client._SecretManagerClient
- get_conn_value(conn_id)
Get serialized representation of Connection.
- Parameters
conn_id (str) – connection id