docs-archive/apache-airflow-providers-hashicorp/3.0.0/_sources/_api/airflow/providers/hashicorp/secrets/vault/index.rst.txt - airflow-site - Git at Google

 :py:mod:`airflow.providers.hashicorp.secrets.vault`
 ===================================================

 .. py:module:: airflow.providers.hashicorp.secrets.vault

 .. autoapi-nested-parse::

    Objects relating to sourcing connections & variables from Hashicorp Vault


 Module Contents
 ---------------

 Classes
 ~~~~~~~

 .. autoapisummary::

    airflow.providers.hashicorp.secrets.vault.VaultBackend


 .. py:class:: VaultBackend(connections_path = 'connections', variables_path = 'variables', config_path = 'config', url = None, auth_type = 'token', auth_mount_point = None, mount_point = 'secret', kv_engine_version = 2, token = None, token_path = None, username = None, password = None, key_id = None, secret_id = None, role_id = None, kubernetes_role = None, kubernetes_jwt_path = '/var/run/secrets/kubernetes.io/serviceaccount/token', gcp_key_path = None, gcp_keyfile_dict = None, gcp_scopes = None, azure_tenant_id = None, azure_resource = None, radius_host = None, radius_secret = None, radius_port = None, **kwargs)

    Bases: :py:obj:`airflow.secrets.BaseSecretsBackend`, :py:obj:`airflow.utils.log.logging_mixin.LoggingMixin`

    Retrieves Connections and Variables from Hashicorp Vault.

    Configurable via ``airflow.cfg`` as follows:

    .. code-block:: ini

        [secrets]
        backend = airflow.providers.hashicorp.secrets.vault.VaultBackend
        backend_kwargs = {
            "connections_path": "connections",
            "url": "http://127.0.0.1:8200",
            "mount_point": "airflow"
            }

    For example, if your keys are under ``connections`` path in ``airflow`` mount_point, this
    would be accessible if you provide ``{"connections_path": "connections"}`` and request
    conn_id ``smtp_default``.

    :param connections_path: Specifies the path of the secret to read to get Connections.
        (default: 'connections'). If set to None (null), requests for connections will not be sent to Vault.
    :param variables_path: Specifies the path of the secret to read to get Variable.
        (default: 'variables'). If set to None (null), requests for variables will not be sent to Vault.
    :param config_path: Specifies the path of the secret to read Airflow Configurations
        (default: 'config'). If set to None (null), requests for configurations will not be sent to Vault.
    :param url: Base URL for the Vault instance being addressed.
    :param auth_type: Authentication Type for Vault. Default is ``token``. Available values are:
        ('approle', 'aws_iam', 'azure', 'github', 'gcp', 'kubernetes', 'ldap', 'radius', 'token', 'userpass')
    :param auth_mount_point: It can be used to define mount_point for authentication chosen
          Default depends on the authentication method used.
    :param mount_point: The "path" the secret engine was mounted on. Default is "secret". Note that
         this mount_point is not used for authentication if authentication is done via a
         different engine. For authentication mount_points see, auth_mount_point.
    :param kv_engine_version: Select the version of the engine to run (``1`` or ``2``, default: ``2``).
    :param token: Authentication token to include in requests sent to Vault.
        (for ``token`` and ``github`` auth_type)
    :param token_path: path to file containing authentication token to include in requests sent to Vault
        (for ``token`` and ``github`` auth_type).
    :param username: Username for Authentication (for ``ldap`` and ``userpass`` auth_type).
    :param password: Password for Authentication (for ``ldap`` and ``userpass`` auth_type).
    :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type).
    :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types).
    :param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types).
    :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type).
    :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default:
        ``/var/run/secrets/kubernetes.io/serviceaccount/token``).
    :param gcp_key_path: Path to Google Cloud Service Account key file (JSON) (for ``gcp`` auth_type).
           Mutually exclusive with gcp_keyfile_dict.
    :param gcp_keyfile_dict: Dictionary of keyfile parameters. (for ``gcp`` auth_type).
           Mutually exclusive with gcp_key_path.
    :param gcp_scopes: Comma-separated string containing OAuth2 scopes (for ``gcp`` auth_type).
    :param azure_tenant_id: The tenant id for the Azure Active Directory (for ``azure`` auth_type).
    :param azure_resource: The configured URL for the application registered in Azure Active Directory
           (for ``azure`` auth_type).
    :param radius_host: Host for radius (for ``radius`` auth_type).
    :param radius_secret: Secret for radius (for ``radius`` auth_type).
    :param radius_port: Port for radius (for ``radius`` auth_type).

    .. py:method:: get_response(self, conn_id)

       Get data from Vault

       :rtype: dict
       :return: The data from the Vault path if exists


    .. py:method:: get_conn_uri(self, conn_id)

       Get serialized representation of connection

       :param conn_id: The connection id
       :rtype: str
       :return: The connection uri retrieved from the secret


    .. py:method:: get_connection(self, conn_id)

       Get connection from Vault as secret. Prioritize conn_uri if exists,
       if not fall back to normal Connection creation.

       :rtype: Connection
       :return: A Connection object constructed from Vault data


    .. py:method:: get_variable(self, key)

       Get Airflow Variable

       :param key: Variable Key
       :rtype: str
       :return: Variable Value retrieved from the vault


    .. py:method:: get_config(self, key)

       Get Airflow Configuration

       :param key: Configuration Option Key
       :rtype: str
       :return: Configuration Option Value retrieved from the vault
	:py:mod:`airflow.providers.hashicorp.secrets.vault`
	===================================================

	.. py:module:: airflow.providers.hashicorp.secrets.vault

	.. autoapi-nested-parse::

	Objects relating to sourcing connections & variables from Hashicorp Vault



	Module Contents
	---------------

	Classes
	~~~~~~~

	.. autoapisummary::

	airflow.providers.hashicorp.secrets.vault.VaultBackend




	.. py:class:: VaultBackend(connections_path = 'connections', variables_path = 'variables', config_path = 'config', url = None, auth_type = 'token', auth_mount_point = None, mount_point = 'secret', kv_engine_version = 2, token = None, token_path = None, username = None, password = None, key_id = None, secret_id = None, role_id = None, kubernetes_role = None, kubernetes_jwt_path = '/var/run/secrets/kubernetes.io/serviceaccount/token', gcp_key_path = None, gcp_keyfile_dict = None, gcp_scopes = None, azure_tenant_id = None, azure_resource = None, radius_host = None, radius_secret = None, radius_port = None, **kwargs)

	Bases: :py:obj:`airflow.secrets.BaseSecretsBackend`, :py:obj:`airflow.utils.log.logging_mixin.LoggingMixin`

	Retrieves Connections and Variables from Hashicorp Vault.

	Configurable via ``airflow.cfg`` as follows:

	.. code-block:: ini

	[secrets]
	backend = airflow.providers.hashicorp.secrets.vault.VaultBackend
	backend_kwargs = {
	"connections_path": "connections",
	"url": "http://127.0.0.1:8200",
	"mount_point": "airflow"
	}

	For example, if your keys are under ``connections`` path in ``airflow`` mount_point, this
	would be accessible if you provide ``{"connections_path": "connections"}`` and request
	conn_id ``smtp_default``.

	:param connections_path: Specifies the path of the secret to read to get Connections.
	(default: 'connections'). If set to None (null), requests for connections will not be sent to Vault.
	:param variables_path: Specifies the path of the secret to read to get Variable.
	(default: 'variables'). If set to None (null), requests for variables will not be sent to Vault.
	:param config_path: Specifies the path of the secret to read Airflow Configurations
	(default: 'config'). If set to None (null), requests for configurations will not be sent to Vault.
	:param url: Base URL for the Vault instance being addressed.
	:param auth_type: Authentication Type for Vault. Default is ``token``. Available values are:
	('approle', 'aws_iam', 'azure', 'github', 'gcp', 'kubernetes', 'ldap', 'radius', 'token', 'userpass')
	:param auth_mount_point: It can be used to define mount_point for authentication chosen
	Default depends on the authentication method used.
	:param mount_point: The "path" the secret engine was mounted on. Default is "secret". Note that
	this mount_point is not used for authentication if authentication is done via a
	different engine. For authentication mount_points see, auth_mount_point.
	:param kv_engine_version: Select the version of the engine to run (``1`` or ``2``, default: ``2``).
	:param token: Authentication token to include in requests sent to Vault.
	(for ``token`` and ``github`` auth_type)
	:param token_path: path to file containing authentication token to include in requests sent to Vault
	(for ``token`` and ``github`` auth_type).
	:param username: Username for Authentication (for ``ldap`` and ``userpass`` auth_type).
	:param password: Password for Authentication (for ``ldap`` and ``userpass`` auth_type).
	:param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type).
	:param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types).
	:param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types).
	:param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type).
	:param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default:
	``/var/run/secrets/kubernetes.io/serviceaccount/token``).
	:param gcp_key_path: Path to Google Cloud Service Account key file (JSON) (for ``gcp`` auth_type).
	Mutually exclusive with gcp_keyfile_dict.
	:param gcp_keyfile_dict: Dictionary of keyfile parameters. (for ``gcp`` auth_type).
	Mutually exclusive with gcp_key_path.
	:param gcp_scopes: Comma-separated string containing OAuth2 scopes (for ``gcp`` auth_type).
	:param azure_tenant_id: The tenant id for the Azure Active Directory (for ``azure`` auth_type).
	:param azure_resource: The configured URL for the application registered in Azure Active Directory
	(for ``azure`` auth_type).
	:param radius_host: Host for radius (for ``radius`` auth_type).
	:param radius_secret: Secret for radius (for ``radius`` auth_type).
	:param radius_port: Port for radius (for ``radius`` auth_type).

	.. py:method:: get_response(self, conn_id)

	Get data from Vault

	:rtype: dict
	:return: The data from the Vault path if exists


	.. py:method:: get_conn_uri(self, conn_id)

	Get serialized representation of connection

	:param conn_id: The connection id
	:rtype: str
	:return: The connection uri retrieved from the secret


	.. py:method:: get_connection(self, conn_id)

	Get connection from Vault as secret. Prioritize conn_uri if exists,
	if not fall back to normal Connection creation.

	:rtype: Connection
	:return: A Connection object constructed from Vault data


	.. py:method:: get_variable(self, key)

	Get Airflow Variable

	:param key: Variable Key
	:rtype: str
	:return: Variable Value retrieved from the vault


	.. py:method:: get_config(self, key)

	Get Airflow Configuration

	:param key: Configuration Option Key
	:rtype: str
	:return: Configuration Option Value retrieved from the vault