| :mod:`airflow.contrib.secrets.hashicorp_vault` |
| ============================================== |
| |
| .. py:module:: airflow.contrib.secrets.hashicorp_vault |
| |
| .. autoapi-nested-parse:: |
| |
| Objects relating to sourcing connections & variables from Hashicorp Vault |
| |
| |
| |
| Module Contents |
| --------------- |
| |
| .. py:class:: VaultBackend(connections_path='connections', variables_path='variables', config_path='config', url=None, auth_type='token', mount_point='secret', kv_engine_version=2, token=None, username=None, password=None, role_id=None, kubernetes_role=None, kubernetes_jwt_path='/var/run/secrets/kubernetes.io/serviceaccount/token', secret_id=None, gcp_key_path=None, gcp_scopes=None, **kwargs) |
| |
| Bases: :class:`airflow.secrets.BaseSecretsBackend`, :class:`airflow.utils.log.logging_mixin.LoggingMixin` |
| |
| Retrieves Connections and Variables from Hashicorp Vault |
| |
| Configurable via ``airflow.cfg`` as follows: |
| |
| .. code-block:: ini |
| |
| [secrets] |
| backend = airflow.contrib.secrets.hashicorp_vault.VaultBackend |
| backend_kwargs = { |
| "connections_path": "connections", |
| "url": "http://127.0.0.1:8200", |
| "mount_point": "airflow" |
| } |
| |
| For example, if your keys are under ``connections`` path in ``airflow`` mount_point, this |
| would be accessible if you provide ``{"connections_path": "connections"}`` and request |
| conn_id ``smtp_default``. |
| |
| :param connections_path: Specifies the path of the secret to read to get Connections. |
| (default: 'connections') |
| :type connections_path: str |
| :param variables_path: Specifies the path of the secret to read to get Variables. |
| (default: 'variables') |
| :type variables_path: str |
| :param config_path: Specifies the path of the secret to read Airflow Configurations |
| (default: 'config'). |
| :type config_path: str |
| :param url: Base URL for the Vault instance being addressed. |
| :type url: str |
| :param auth_type: Authentication Type for Vault (one of 'token', 'ldap', 'userpass', 'approle', |
| 'github', 'gcp', 'kubernetes'). Default is ``token``. |
| :type auth_type: str |
| :param mount_point: The "path" the secret engine was mounted on. (Default: ``secret``) |
| :type mount_point: str |
| :param token: Authentication token to include in requests sent to Vault. |
| (for ``token`` and ``github`` auth_type) |
| :type token: str |
| :param kv_engine_version: Select the version of the engine to run (``1`` or ``2``, default: ``2``) |
| :type kv_engine_version: int |
| :param username: Username for Authentication (for ``ldap`` and ``userpass`` auth_type) |
| :type username: str |
| :param password: Password for Authentication (for ``ldap`` and ``userpass`` auth_type) |
| :type password: str |
| :param role_id: Role ID for Authentication (for ``approle`` auth_type) |
| :type role_id: str |
| :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type) |
| :type kubernetes_role: str |
| :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, deafult: |
| ``/var/run/secrets/kubernetes.io/serviceaccount/token``) |
| :type kubernetes_jwt_path: str |
| :param secret_id: Secret ID for Authentication (for ``approle`` auth_type) |
| :type secret_id: str |
| :param gcp_key_path: Path to GCP Credential JSON file (for ``gcp`` auth_type) |
| :type gcp_key_path: str |
| :param gcp_scopes: Comma-separated string containing GCP scopes (for ``gcp`` auth_type) |
| :type gcp_scopes: str |
| |
| |
| .. method:: client(self) |
| |
| Return an authenticated Hashicorp Vault client |
| |
| |
| |
| |
| .. method:: get_conn_uri(self, conn_id) |
| |
| Get secret value from Vault. Store the secret in the form of URI |
| |
| :param conn_id: connection id |
| :type conn_id: str |
| |
| |
| |
| |
| .. method:: get_variable(self, key) |
| |
| Get Airflow Variable |
| |
| :param key: Variable Key |
| :return: Variable Value |
| |
| |
| |
| |
| .. method:: _get_secret(self, path_prefix, secret_id) |
| |
| Get secret value from Vault. |
| |
| :param path_prefix: Prefix for the Path to get Secret |
| :type path_prefix: str |
| :param secret_id: Secret Key |
| :type secret_id: str |
| |
| |
| |
| |
| .. method:: get_config(self, key) |
| |
| Get Airflow Configuration |
| |
| :param key: Configuration Option Key |
| :type key: str |
| :rtype: str |
| :return: Configuration Option Value retrieved from the vault |
| |
| |
| |
| |