| :py:mod:`airflow.providers.hashicorp.secrets.vault` |
| =================================================== |
| |
| .. py:module:: airflow.providers.hashicorp.secrets.vault |
| |
| .. autoapi-nested-parse:: |
| |
| Objects relating to sourcing connections & variables from Hashicorp Vault |
| |
| |
| |
| Module Contents |
| --------------- |
| |
| Classes |
| ~~~~~~~ |
| |
| .. autoapisummary:: |
| |
| airflow.providers.hashicorp.secrets.vault.VaultBackend |
| |
| |
| |
| |
| .. py:class:: VaultBackend(connections_path = 'connections', variables_path = 'variables', config_path = 'config', url = None, auth_type = 'token', auth_mount_point = None, mount_point = 'secret', kv_engine_version = 2, token = None, token_path = None, username = None, password = None, key_id = None, secret_id = None, role_id = None, kubernetes_role = None, kubernetes_jwt_path = '/var/run/secrets/kubernetes.io/serviceaccount/token', gcp_key_path = None, gcp_keyfile_dict = None, gcp_scopes = None, azure_tenant_id = None, azure_resource = None, radius_host = None, radius_secret = None, radius_port = None, **kwargs) |
| |
| Bases: :py:obj:`airflow.secrets.BaseSecretsBackend`, :py:obj:`airflow.utils.log.logging_mixin.LoggingMixin` |
| |
| Retrieves Connections and Variables from Hashicorp Vault. |
| |
| Configurable via ``airflow.cfg`` as follows: |
| |
| .. code-block:: ini |
| |
| [secrets] |
| backend = airflow.providers.hashicorp.secrets.vault.VaultBackend |
| backend_kwargs = { |
| "connections_path": "connections", |
| "url": "http://127.0.0.1:8200", |
| "mount_point": "airflow" |
| } |
| |
| For example, if your keys are under ``connections`` path in ``airflow`` mount_point, this |
| would be accessible if you provide ``{"connections_path": "connections"}`` and request |
| conn_id ``smtp_default``. |
| |
| :param connections_path: Specifies the path of the secret to read to get Connections. |
| (default: 'connections'). If set to None (null), requests for connections will not be sent to Vault. |
| :param variables_path: Specifies the path of the secret to read to get Variable. |
| (default: 'variables'). If set to None (null), requests for variables will not be sent to Vault. |
| :param config_path: Specifies the path of the secret to read Airflow Configurations |
| (default: 'config'). If set to None (null), requests for configurations will not be sent to Vault. |
| :param url: Base URL for the Vault instance being addressed. |
| :param auth_type: Authentication Type for Vault. Default is ``token``. Available values are: |
| ('approle', 'aws_iam', 'azure', 'github', 'gcp', 'kubernetes', 'ldap', 'radius', 'token', 'userpass') |
| :param auth_mount_point: It can be used to define mount_point for authentication chosen |
| Default depends on the authentication method used. |
| :param mount_point: The "path" the secret engine was mounted on. Default is "secret". Note that |
| this mount_point is not used for authentication if authentication is done via a |
| different engine. For authentication mount_points see, auth_mount_point. |
| :param kv_engine_version: Select the version of the engine to run (``1`` or ``2``, default: ``2``). |
| :param token: Authentication token to include in requests sent to Vault. |
| (for ``token`` and ``github`` auth_type) |
| :param token_path: path to file containing authentication token to include in requests sent to Vault |
| (for ``token`` and ``github`` auth_type). |
| :param username: Username for Authentication (for ``ldap`` and ``userpass`` auth_type). |
| :param password: Password for Authentication (for ``ldap`` and ``userpass`` auth_type). |
| :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type). |
| :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types). |
| :param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types). |
| :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type). |
| :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default: |
| ``/var/run/secrets/kubernetes.io/serviceaccount/token``). |
| :param gcp_key_path: Path to Google Cloud Service Account key file (JSON) (for ``gcp`` auth_type). |
| Mutually exclusive with gcp_keyfile_dict. |
| :param gcp_keyfile_dict: Dictionary of keyfile parameters. (for ``gcp`` auth_type). |
| Mutually exclusive with gcp_key_path. |
| :param gcp_scopes: Comma-separated string containing OAuth2 scopes (for ``gcp`` auth_type). |
| :param azure_tenant_id: The tenant id for the Azure Active Directory (for ``azure`` auth_type). |
| :param azure_resource: The configured URL for the application registered in Azure Active Directory |
| (for ``azure`` auth_type). |
| :param radius_host: Host for radius (for ``radius`` auth_type). |
| :param radius_secret: Secret for radius (for ``radius`` auth_type). |
| :param radius_port: Port for radius (for ``radius`` auth_type). |
| |
| .. py:method:: get_response(self, conn_id) |
| |
| Get data from Vault |
| |
| :rtype: dict |
| :return: The data from the Vault path if exists |
| |
| |
| .. py:method:: get_conn_uri(self, conn_id) |
| |
| Get serialized representation of connection |
| |
| :param conn_id: The connection id |
| :rtype: str |
| :return: The connection uri retrieved from the secret |
| |
| |
| .. py:method:: get_connection(self, conn_id) |
| |
| Get connection from Vault as secret. Prioritize conn_uri if exists, |
| if not fall back to normal Connection creation. |
| |
| :rtype: Connection |
| :return: A Connection object constructed from Vault data |
| |
| |
| .. py:method:: get_variable(self, key) |
| |
| Get Airflow Variable |
| |
| :param key: Variable Key |
| :rtype: str |
| :return: Variable Value retrieved from the vault |
| |
| |
| .. py:method:: get_config(self, key) |
| |
| Get Airflow Configuration |
| |
| :param key: Configuration Option Key |
| :rtype: str |
| :return: Configuration Option Value retrieved from the vault |
| |
| |
| |