docs-archive/apache-airflow-providers-hashicorp/3.0.0/_sources/_api/airflow/providers/hashicorp/hooks/vault/index.rst.txt - airflow-site - Git at Google

 :py:mod:`airflow.providers.hashicorp.hooks.vault`
 =================================================

 .. py:module:: airflow.providers.hashicorp.hooks.vault

 .. autoapi-nested-parse::

    Hook for HashiCorp Vault


 Module Contents
 ---------------

 Classes
 ~~~~~~~

 .. autoapisummary::

    airflow.providers.hashicorp.hooks.vault.VaultHook


 .. py:class:: VaultHook(vault_conn_id = default_conn_name, auth_type = None, auth_mount_point = None, kv_engine_version = None, role_id = None, kubernetes_role = None, kubernetes_jwt_path = None, token_path = None, gcp_key_path = None, gcp_scopes = None, azure_tenant_id = None, azure_resource = None, radius_host = None, radius_port = None)

    Bases: :py:obj:`airflow.hooks.base.BaseHook`

    Hook to Interact with HashiCorp Vault KeyValue Secret engine.

    HashiCorp hvac documentation:
       * https://hvac.readthedocs.io/en/stable/

    You connect to the host specified as host in the connection. The login/password from the connection
    are used as credentials usually and you can specify different authentication parameters
    via init params or via corresponding extras in the connection.

    The mount point should be placed as a path in the URL - similarly to Vault's URL schema:
    This indicates the "path" the secret engine is mounted on. Default id not specified is "secret".
    Note that this ``mount_point`` is not used for authentication if authentication is done via a
    different engines. Each engine uses it's own engine-specific authentication mount_point.

    The extras in the connection are named the same as the parameters ('kv_engine_version', 'auth_type', ...).

    You can also use gcp_keyfile_dict extra to pass json-formatted dict in case of 'gcp' authentication.

    The URL schemas supported are "vault", "http" (using http to connect to the vault) or
    "vaults" and "https" (using https to connect to the vault).

    Example URL:

    .. code-block::

        vault://user:password@host:port/mount_point?kv_engine_version=1&auth_type=github


    Login/Password are used as credentials:

        * approle: login -> role_id,  password -> secret_id
        * github: password -> token
        * token: password -> token
        * aws_iam: login -> key_id, password -> secret_id
        * azure: login -> client_id, password -> client_secret
        * ldap: login -> username,   password -> password
        * userpass: login -> username, password -> password
        * radius: password -> radius_secret

    :param vault_conn_id: The id of the connection to use
    :param auth_type: Authentication Type for the Vault. Default is ``token``. Available values are:
        ('approle', 'github', 'gcp', 'kubernetes', 'ldap', 'token', 'userpass')
    :param auth_mount_point: It can be used to define mount_point for authentication chosen
          Default depends on the authentication method used.
    :param kv_engine_version: Select the version of the engine to run (``1`` or ``2``). Defaults to
          version defined in connection or ``2`` if not defined in connection.
    :param role_id: Role ID for ``aws_iam`` Authentication.
    :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type)
    :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default:
        ``/var/run/secrets/kubernetes.io/serviceaccount/token``)
    :param token_path: path to file containing authentication token to include in requests sent to Vault
        (for ``token`` and ``github`` auth_type).
    :param gcp_key_path: Path to Google Cloud Service Account key file (JSON) (for ``gcp`` auth_type)
           Mutually exclusive with gcp_keyfile_dict
    :param gcp_scopes: Comma-separated string containing OAuth2  scopes (for ``gcp`` auth_type)
    :param azure_tenant_id: The tenant id for the Azure Active Directory (for ``azure`` auth_type)
    :param azure_resource: The configured URL for the application registered in Azure Active Directory
           (for ``azure`` auth_type)
    :param radius_host: Host for radius (for ``radius`` auth_type)
    :param radius_port: Port for radius (for ``radius`` auth_type)


    .. py:attribute:: conn_name_attr
       :annotation: = vault_conn_id


    .. py:attribute:: default_conn_name
       :annotation: = vault_default


    .. py:attribute:: conn_type
       :annotation: = vault


    .. py:attribute:: hook_name
       :annotation: = Hashicorp Vault


    .. py:method:: get_conn(self)

       Retrieves connection to Vault.

       :rtype: hvac.Client
       :return: connection used.


    .. py:method:: get_secret(self, secret_path, secret_version = None)

       Get secret value from the engine.

       :param secret_path: Path of the secret
       :param secret_version: Optional version of key to read - can only be used in case of version 2 of KV

       See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v1.html
       and https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.

       :param secret_path: Path of the secret
       :rtype: dict
       :return: secret stored in the vault as a dictionary


    .. py:method:: get_secret_metadata(self, secret_path)

       Reads secret metadata (including versions) from the engine. It is only valid for KV version 2.

       :param secret_path: Path to read from
       :rtype: dict
       :return: secret metadata. This is a Dict containing metadata for the secret.

       See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.


    .. py:method:: get_secret_including_metadata(self, secret_path, secret_version = None)

       Reads secret including metadata. It is only valid for KV version 2.

       See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.

       :param secret_path: Path of the secret
       :param secret_version: Optional version of key to read - can only be used in case of version 2 of KV
       :rtype: dict
       :return: key info. This is a Dict with "data" mapping keeping secret
           and "metadata" mapping keeping metadata of the secret.


    .. py:method:: create_or_update_secret(self, secret_path, secret, method = None, cas = None)

       Creates or updates secret.

       :param secret_path: Path to read from
       :param secret: Secret to create or update for the path specified
       :param method: Optional parameter to explicitly request a POST (create) or PUT (update) request to
           the selected kv secret engine. If no argument is provided for this parameter, hvac attempts to
           intelligently determine which method is appropriate. Only valid for KV engine version 1
       :param cas: Set the "cas" value to use a Check-And-Set operation. If not set the write will be
           allowed. If set to 0 a write will only be allowed if the key doesn't exist.
           If the index is non-zero the write will only be allowed if the key's current version
           matches the version specified in the cas parameter. Only valid for KV engine version 2.
       :rtype: requests.Response
       :return: The response of the create_or_update_secret request.

       See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v1.html
       and https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.
	:py:mod:`airflow.providers.hashicorp.hooks.vault`
	=================================================

	.. py:module:: airflow.providers.hashicorp.hooks.vault

	.. autoapi-nested-parse::

	Hook for HashiCorp Vault



	Module Contents
	---------------

	Classes
	~~~~~~~

	.. autoapisummary::

	airflow.providers.hashicorp.hooks.vault.VaultHook




	.. py:class:: VaultHook(vault_conn_id = default_conn_name, auth_type = None, auth_mount_point = None, kv_engine_version = None, role_id = None, kubernetes_role = None, kubernetes_jwt_path = None, token_path = None, gcp_key_path = None, gcp_scopes = None, azure_tenant_id = None, azure_resource = None, radius_host = None, radius_port = None)

	Bases: :py:obj:`airflow.hooks.base.BaseHook`

	Hook to Interact with HashiCorp Vault KeyValue Secret engine.

	HashiCorp hvac documentation:
	* https://hvac.readthedocs.io/en/stable/

	You connect to the host specified as host in the connection. The login/password from the connection
	are used as credentials usually and you can specify different authentication parameters
	via init params or via corresponding extras in the connection.

	The mount point should be placed as a path in the URL - similarly to Vault's URL schema:
	This indicates the "path" the secret engine is mounted on. Default id not specified is "secret".
	Note that this ``mount_point`` is not used for authentication if authentication is done via a
	different engines. Each engine uses it's own engine-specific authentication mount_point.

	The extras in the connection are named the same as the parameters ('kv_engine_version', 'auth_type', ...).

	You can also use gcp_keyfile_dict extra to pass json-formatted dict in case of 'gcp' authentication.

	The URL schemas supported are "vault", "http" (using http to connect to the vault) or
	"vaults" and "https" (using https to connect to the vault).

	Example URL:

	.. code-block::

	vault://user:password@host:port/mount_point?kv_engine_version=1&auth_type=github


	Login/Password are used as credentials:

	* approle: login -> role_id, password -> secret_id
	* github: password -> token
	* token: password -> token
	* aws_iam: login -> key_id, password -> secret_id
	* azure: login -> client_id, password -> client_secret
	* ldap: login -> username, password -> password
	* userpass: login -> username, password -> password
	* radius: password -> radius_secret

	:param vault_conn_id: The id of the connection to use
	:param auth_type: Authentication Type for the Vault. Default is ``token``. Available values are:
	('approle', 'github', 'gcp', 'kubernetes', 'ldap', 'token', 'userpass')
	:param auth_mount_point: It can be used to define mount_point for authentication chosen
	Default depends on the authentication method used.
	:param kv_engine_version: Select the version of the engine to run (``1`` or ``2``). Defaults to
	version defined in connection or ``2`` if not defined in connection.
	:param role_id: Role ID for ``aws_iam`` Authentication.
	:param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type)
	:param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default:
	``/var/run/secrets/kubernetes.io/serviceaccount/token``)
	:param token_path: path to file containing authentication token to include in requests sent to Vault
	(for ``token`` and ``github`` auth_type).
	:param gcp_key_path: Path to Google Cloud Service Account key file (JSON) (for ``gcp`` auth_type)
	Mutually exclusive with gcp_keyfile_dict
	:param gcp_scopes: Comma-separated string containing OAuth2 scopes (for ``gcp`` auth_type)
	:param azure_tenant_id: The tenant id for the Azure Active Directory (for ``azure`` auth_type)
	:param azure_resource: The configured URL for the application registered in Azure Active Directory
	(for ``azure`` auth_type)
	:param radius_host: Host for radius (for ``radius`` auth_type)
	:param radius_port: Port for radius (for ``radius`` auth_type)


	.. py:attribute:: conn_name_attr
	:annotation: = vault_conn_id



	.. py:attribute:: default_conn_name
	:annotation: = vault_default



	.. py:attribute:: conn_type
	:annotation: = vault



	.. py:attribute:: hook_name
	:annotation: = Hashicorp Vault



	.. py:method:: get_conn(self)

	Retrieves connection to Vault.

	:rtype: hvac.Client
	:return: connection used.


	.. py:method:: get_secret(self, secret_path, secret_version = None)

	Get secret value from the engine.

	:param secret_path: Path of the secret
	:param secret_version: Optional version of key to read - can only be used in case of version 2 of KV

	See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v1.html
	and https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.

	:param secret_path: Path of the secret
	:rtype: dict
	:return: secret stored in the vault as a dictionary


	.. py:method:: get_secret_metadata(self, secret_path)

	Reads secret metadata (including versions) from the engine. It is only valid for KV version 2.

	:param secret_path: Path to read from
	:rtype: dict
	:return: secret metadata. This is a Dict containing metadata for the secret.

	See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.



	.. py:method:: get_secret_including_metadata(self, secret_path, secret_version = None)

	Reads secret including metadata. It is only valid for KV version 2.

	See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.

	:param secret_path: Path of the secret
	:param secret_version: Optional version of key to read - can only be used in case of version 2 of KV
	:rtype: dict
	:return: key info. This is a Dict with "data" mapping keeping secret
	and "metadata" mapping keeping metadata of the secret.



	.. py:method:: create_or_update_secret(self, secret_path, secret, method = None, cas = None)

	Creates or updates secret.

	:param secret_path: Path to read from
	:param secret: Secret to create or update for the path specified
	:param method: Optional parameter to explicitly request a POST (create) or PUT (update) request to
	the selected kv secret engine. If no argument is provided for this parameter, hvac attempts to
	intelligently determine which method is appropriate. Only valid for KV engine version 1
	:param cas: Set the "cas" value to use a Check-And-Set operation. If not set the write will be
	allowed. If set to 0 a write will only be allowed if the key doesn't exist.
	If the index is non-zero the write will only be allowed if the key's current version
	matches the version specified in the cas parameter. Only valid for KV engine version 2.
	:rtype: requests.Response
	:return: The response of the create_or_update_secret request.

	See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v1.html
	and https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.