| :py:mod:`airflow.providers.amazon.aws.secrets.secrets_manager` |
| ============================================================== |
| |
| .. py:module:: airflow.providers.amazon.aws.secrets.secrets_manager |
| |
| .. autoapi-nested-parse:: |
| |
| Objects relating to sourcing secrets from AWS Secrets Manager |
| |
| |
| |
| Module Contents |
| --------------- |
| |
| Classes |
| ~~~~~~~ |
| |
| .. autoapisummary:: |
| |
| airflow.providers.amazon.aws.secrets.secrets_manager.SecretsManagerBackend |
| |
| |
| |
| |
| .. py:class:: SecretsManagerBackend(connections_prefix = 'airflow/connections', variables_prefix = 'airflow/variables', config_prefix = 'airflow/config', profile_name = None, sep = '/', full_url_mode = True, extra_conn_words = None, **kwargs) |
| |
| Bases: :py:obj:`airflow.secrets.BaseSecretsBackend`, :py:obj:`airflow.utils.log.logging_mixin.LoggingMixin` |
| |
| Retrieves Connection or Variables from AWS Secrets Manager |
| |
| Configurable via ``airflow.cfg`` like so: |
| |
| .. code-block:: ini |
| |
| [secrets] |
| backend = airflow.providers.amazon.aws.secrets.secrets_manager.SecretsManagerBackend |
| backend_kwargs = {"connections_prefix": "airflow/connections"} |
| |
| For example, if secrets prefix is ``airflow/connections/smtp_default``, this would be accessible |
| if you provide ``{"connections_prefix": "airflow/connections"}`` and request conn_id ``smtp_default``. |
| If variables prefix is ``airflow/variables/hello``, this would be accessible |
| if you provide ``{"variables_prefix": "airflow/variables"}`` and request variable key ``hello``. |
| And if config_prefix is ``airflow/config/sql_alchemy_conn``, this would be accessible |
| if you provide ``{"config_prefix": "airflow/config"}`` and request config |
| key ``sql_alchemy_conn``. |
| |
| You can also pass additional keyword arguments like ``aws_secret_access_key``, ``aws_access_key_id`` |
| or ``region_name`` to this class and they would be passed on to Boto3 client. |
| |
| There are two ways of storing secrets in Secret Manager for using them with this operator: |
| storing them as a conn URI in one field, or taking advantage of native approach of Secrets Manager |
| and storing them in multiple fields. There are certain words that will be searched in the name |
| of fields for trying to retrieve a connection part. Those words are: |
| |
| .. code-block:: python |
| |
| possible_words_for_conn_fields = { |
| "user": ["user", "username", "login", "user_name"], |
| "password": ["password", "pass", "key"], |
| "host": ["host", "remote_host", "server"], |
| "port": ["port"], |
| "schema": ["database", "schema"], |
| "conn_type": ["conn_type", "conn_id", "connection_type", "engine"], |
| } |
| |
| However, these lists can be extended using the configuration parameter ``extra_conn_words``. Also, |
| you can have a field named extra for extra parameters for the conn. Please note that this extra field |
| must be a valid JSON. |
| |
| :param connections_prefix: Specifies the prefix of the secret to read to get Connections. |
| If set to None (null value in the configuration), requests for connections will not be |
| sent to AWS Secrets Manager. If you don't want a connections_prefix, set it as an empty string |
| :param variables_prefix: Specifies the prefix of the secret to read to get Variables. |
| If set to None (null value in the configuration), requests for variables will not be sent to |
| AWS Secrets Manager. If you don't want a variables_prefix, set it as an empty string |
| :param config_prefix: Specifies the prefix of the secret to read to get Configurations. |
| If set to None (null value in the configuration), requests for configurations will not be sent to |
| AWS Secrets Manager. If you don't want a config_prefix, set it as an empty string |
| :param profile_name: The name of a profile to use. If not given, then the default profile is used. |
| :param sep: separator used to concatenate secret_prefix and secret_id. Default: "/" |
| :param full_url_mode: if True, the secrets must be stored as one conn URI in just one field per secret. |
| If False (set it as false in backend_kwargs), you can store the secret using different |
| fields (password, user...). |
| :param extra_conn_words: for using just when you set full_url_mode as false and store |
| the secrets in different fields of secrets manager. You can add more words for each connection |
| part beyond the default ones. The extra words to be searched should be passed as a dict of lists, |
| each list corresponding to a connection part. The optional keys of the dict must be: user, |
| password, host, schema, conn_type. |
| |
| .. py:method:: client(self) |
| |
| Create a Secrets Manager client |
| |
| |
| .. py:method:: get_uri_from_secret(self, secret) |
| |
| |
| .. py:method:: get_conn_value(self, conn_id) |
| |
| Get serialized representation of Connection |
| |
| :param conn_id: connection id |
| |
| |
| .. py:method:: get_conn_uri(self, conn_id) |
| |
| Return URI representation of Connection conn_id. |
| |
| As of Airflow version 2.3.0 this method is deprecated. |
| |
| :param conn_id: the connection id |
| :return: deserialized Connection |
| |
| |
| .. py:method:: get_variable(self, key) |
| |
| Get Airflow Variable from Environment Variable |
| :param key: Variable Key |
| :return: Variable Value |
| |
| |
| .. py:method:: get_config(self, key) |
| |
| Get Airflow Configuration |
| :param key: Configuration Option Key |
| :return: Configuration Option Value |
| |
| |
| |