airflow.providers.microsoft.azure.secrets.key_vault
This module contains Azure Key Vault Backend.
Module Contents
Classes
AzureKeyVaultBackend: Retrieves Airflow Connections or Variables from Azure Key Vault secrets.
- class airflow.providers.microsoft.azure.secrets.key_vault.AzureKeyVaultBackend(connections_prefix='airflow-connections', variables_prefix='airflow-variables', config_prefix='airflow-config', vault_url='', sep='-', *, tenant_id='', client_id='', client_secret='', managed_identity_client_id='', workload_identity_tenant_id='', **kwargs)
Bases: airflow.secrets.BaseSecretsBackend, airflow.utils.log.logging_mixin.LoggingMixin
Retrieves Airflow Connections or Variables from Azure Key Vault secrets.
The Azure Key Vault can be configured as a secrets backend in the airflow.cfg:

    [secrets]
    backend = airflow.providers.microsoft.azure.secrets.key_vault.AzureKeyVaultBackend
    backend_kwargs = {"connections_prefix": "airflow-connections", "vault_url": "<azure_key_vault_uri>"}

For example, a secret named airflow-connections-smtp-default is accessible if you provide {"connections_prefix": "airflow-connections"} and request conn_id smtp-default. Likewise, a secret named airflow-variables-hello is accessible if you provide {"variables_prefix": "airflow-variables"} and request variable key hello.

For client authentication, the DefaultAzureCredential from the Azure Python SDK is used as the credential provider; it supports service principal, managed identity and user credentials. For example, to specify a service principal with a secret, you can set the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET.

See also
For more details on client authentication, refer to the DefaultAzureCredential class reference: https://docs.microsoft.com/en-us/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python
- Parameters
connections_prefix (str) – Specifies the prefix of the secret to read to get Connections. If set to None (null), requests for connections will not be sent to Azure Key Vault.
variables_prefix (str) – Specifies the prefix of the secret to read to get Variables. If set to None (null), requests for variables will not be sent to Azure Key Vault.
config_prefix (str) – Specifies the prefix of the secret to read to get configurations. If set to None (null), requests for configurations will not be sent to Azure Key Vault.
vault_url (str) – The URL of an Azure Key Vault to use.
sep (str) – Separator used to concatenate secret_prefix and secret_id. Default: "-"
tenant_id (str) – The tenant id of an Azure Key Vault to use. If not given, it falls back to DefaultAzureCredential.
client_id (str) – The client id of an Azure Key Vault to use. If not given, it falls back to DefaultAzureCredential.
managed_identity_client_id (str) – The client ID of a user-assigned managed identity. If provided together with workload_identity_tenant_id, both are passed to DefaultAzureCredential.
workload_identity_tenant_id (str) – ID of the application's Microsoft Entra tenant, also called its "directory" ID. If provided together with managed_identity_client_id, both are passed to DefaultAzureCredential.
- get_conn_value(conn_id)
Get a serialized representation of Airflow Connection from an Azure Key Vault secret.
- Parameters
conn_id (str) – The Airflow connection id to retrieve
- static build_path(path_prefix, secret_id, sep='-')
Given a path_prefix and secret_id, build a valid secret name for the Azure Key Vault Backend.
Also replaces underscores in the path with dashes to support easy switching between environment variables, so connection_default becomes connection-default.
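
The naming rule above decides which vault secrets an Airflow deployment can reach, so it is worth checking before granting the backend's identity access. The following is an added example, not the provider's own code: `secret_name` and `audit` are hypothetical helpers that re-implement only the documented rule (non-empty prefix, underscores rewritten to dashes), and the sample kwargs and requests are constructed.

```python
import re

# Azure Key Vault secret names: 1-127 characters, letters, digits and dashes only.
KV_NAME = re.compile(r"[0-9A-Za-z-]{1,127}")
# Default prefixes taken from the class signature above.
DEFAULTS = {"connections": "airflow-connections",
            "variables": "airflow-variables",
            "config": "airflow-config"}


def secret_name(prefix, secret_id, sep="-"):
    """Secret name for one lookup, following the build_path description.

    Returns None when the prefix is None: that lookup type is disabled and
    no request is sent to Key Vault. Assumes a non-empty prefix otherwise.
    """
    if prefix is None:
        return None
    name = f"{prefix}{sep}{secret_id}".replace("_", "-")
    if not KV_NAME.fullmatch(name):
        raise ValueError(f"not a valid Key Vault secret name: {name!r}")
    return name


def audit(backend_kwargs, requested):
    """Resolve each (kind, id) request to a secret name and report ids that
    collide on one name once underscores are rewritten to dashes."""
    sep = backend_kwargs.get("sep", "-")
    resolved, by_name = {}, {}
    for kind, ident in requested:
        prefix = backend_kwargs.get(f"{kind}_prefix", DEFAULTS[kind])
        name = secret_name(prefix, ident, sep)
        resolved[(kind, ident)] = name
        if name is not None:
            by_name.setdefault(name, []).append(ident)
    collisions = {n: ids for n, ids in by_name.items() if len(ids) > 1}
    return resolved, collisions


# Constructed sample: variables are deliberately kept out of the vault.
KWARGS = {"connections_prefix": "airflow-connections",
          "variables_prefix": None,
          "vault_url": "<azure_key_vault_uri>"}
REQUESTS = [("connections", "smtp-default"), ("connections", "smtp_default"),
            ("variables", "hello"), ("config", "sql_alchemy_conn")]

if __name__ == "__main__":
    resolved, collisions = audit(KWARGS, REQUESTS)
    for key, name in resolved.items():
        print(key, "->", name)
    print("collisions:", collisions)
```

A collision means two distinct Airflow ids read the same vault secret, so access to one cannot be granted without the other.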