airflow.providers.hashicorp.secrets.vault¶
Objects relating to sourcing connections & variables from Hashicorp Vault.
Classes¶
Retrieves Connections and Variables from Hashicorp Vault. |
Module Contents¶
- class airflow.providers.hashicorp.secrets.vault.VaultBackend(connections_path='connections', variables_path='variables', config_path='config', url=None, auth_type='token', auth_mount_point=None, mount_point='secret', kv_engine_version=2, token=None, token_path=None, username=None, password=None, key_id=None, secret_id=None, role_id=None, assume_role_kwargs=None, region=None, kubernetes_role=None, kubernetes_jwt_path='/var/run/secrets/kubernetes.io/serviceaccount/token', gcp_key_path=None, gcp_keyfile_dict=None, gcp_scopes=None, azure_tenant_id=None, azure_resource=None, radius_host=None, radius_secret=None, radius_port=None, jwt_role=None, jwt_token=None, jwt_token_path=None, **kwargs)[source]¶
Bases:
airflow.secrets.BaseSecretsBackend,airflow.utils.log.logging_mixin.LoggingMixinRetrieves Connections and Variables from Hashicorp Vault.
Configurable via
airflow.cfgas follows:[secrets] backend = airflow.providers.hashicorp.secrets.vault.VaultBackend backend_kwargs = { "connections_path": "connections", "url": "http://127.0.0.1:8200", "mount_point": "airflow" }
For example, if your keys are under
connectionspath inairflowmount_point, this would be accessible if you provide{"connections_path": "connections"}and request conn_idsmtp_default.- Parameters:
connections_path (str | None) – Specifies the path of the secret to read to get Connections. (default: ‘connections’). If set to None (null), requests for connections will not be sent to Vault.
variables_path (str | None) – Specifies the path of the secret to read to get Variable. (default: ‘variables’). If set to None (null), requests for variables will not be sent to Vault.
config_path (str | None) – Specifies the path of the secret to read Airflow Configurations (default: ‘config’). If set to None (null), requests for configurations will not be sent to Vault.
url (str | None) – Base URL for the Vault instance being addressed.
auth_type (str) – Authentication Type for Vault. Default is
token. Available values are: (‘approle’, ‘aws_iam’, ‘azure’, ‘github’, ‘gcp’, ‘jwt’, ‘kubernetes’, ‘ldap’, ‘radius’, ‘token’, ‘userpass’)auth_mount_point (str | None) – It can be used to define mount_point for authentication chosen Default depends on the authentication method used.
mount_point (str | None) – The “path” the secret engine was mounted on. Default is “secret”. Note that this mount_point is not used for authentication if authentication is done via a different engine. If set to None, the mount secret should be provided as a prefix for each variable/connection_id. For authentication mount_points see, auth_mount_point.
kv_engine_version (int) – Select the version of the engine to run (
1or2, default:2).token (str | None) – Authentication token to include in requests sent to Vault. (for
tokenandgithubauth_type)token_path (str | None) – path to file containing authentication token to include in requests sent to Vault (for
tokenandgithubauth_type).username (str | None) – Username for Authentication (for
ldapanduserpassauth_type).password (str | None) – Password for Authentication (for
ldapanduserpassauth_type).key_id (str | None) – Key ID for Authentication (for
aws_iamand ‘’azure`` auth_type).secret_id (str | None) – Secret ID for Authentication (for
approle,aws_iamandazureauth_types).role_id (str | None) – Role ID for Authentication (for
approle,aws_iamauth_types).assume_role_kwargs (dict | None) – AWS assume role param. See AWS STS Docs: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts/client/assume_role.html
region (str | None) – AWS region for STS API calls (for
aws_iamauth_type).kubernetes_role (str | None) – Role for Authentication (for
kubernetesauth_type).kubernetes_jwt_path (str) – Path for kubernetes jwt token (for
kubernetesauth_type, default:/var/run/secrets/kubernetes.io/serviceaccount/token).gcp_key_path (str | None) – Path to Google Cloud Service Account key file (JSON) (for
gcpauth_type). Mutually exclusive with gcp_keyfile_dict.gcp_keyfile_dict (dict | None) – Dictionary of keyfile parameters. (for
gcpauth_type). Mutually exclusive with gcp_key_path.gcp_scopes (str | None) – Comma-separated string containing OAuth2 scopes (for
gcpauth_type).azure_tenant_id (str | None) – The tenant id for the Azure Active Directory (for
azureauth_type).azure_resource (str | None) – The configured URL for the application registered in Azure Active Directory (for
azureauth_type).radius_host (str | None) – Host for radius (for
radiusauth_type).radius_secret (str | None) – Secret for radius (for
radiusauth_type).radius_port (int | None) – Port for radius (for
radiusauth_type).jwt_role (str | None) – Role for Authentication (for
jwtauth_type).jwt_token (str | None) – JWT token for Authentication (for
jwtauth_type).jwt_token_path (str | None) – Path to file containing JWT token for Authentication (for
jwtauth_type).
- get_response(conn_id)[source]¶
Get data from Vault.
- Returns:
The data from the Vault path if exists
- Return type:
dict | None
- get_connection(conn_id, team_name=None)[source]¶
Get connection from Vault as secret.
Prioritize conn_uri if exists, if not fall back to normal Connection creation.
- Returns:
A Connection object constructed from Vault data
- Return type:
airflow.models.connection.Connection | None