| :py:mod:`airflow.providers.microsoft.azure.secrets.key_vault` |
| ============================================================= |
| |
| .. py:module:: airflow.providers.microsoft.azure.secrets.key_vault |
| |
| |
| Module Contents |
| --------------- |
| |
| Classes |
| ~~~~~~~ |
| |
| .. autoapisummary:: |
| |
| airflow.providers.microsoft.azure.secrets.key_vault.AzureKeyVaultBackend |
| |
| |
| |
| |
| .. py:class:: AzureKeyVaultBackend(connections_prefix = 'airflow-connections', variables_prefix = 'airflow-variables', config_prefix = 'airflow-config', vault_url = '', sep = '-', **kwargs) |
| |
| Bases: :py:obj:`airflow.secrets.BaseSecretsBackend`, :py:obj:`airflow.utils.log.logging_mixin.LoggingMixin` |
| |
| Retrieves Airflow Connections or Variables from Azure Key Vault secrets. |
| |
| The Azure Key Vault can be configured as a secrets backend in the ``airflow.cfg``: |
| |
| .. code-block:: ini |
| |
| [secrets] |
| backend = airflow.providers.microsoft.azure.secrets.key_vault.AzureKeyVaultBackend |
| backend_kwargs = {"connections_prefix": "airflow-connections", "vault_url": "<azure_key_vault_uri>"} |
| |
| For example, if the secrets prefix is ``airflow-connections-smtp-default``, this would be accessible |
| if you provide ``{"connections_prefix": "airflow-connections"}`` and request conn_id ``smtp-default``. |
| And if variables prefix is ``airflow-variables-hello``, this would be accessible |
| if you provide ``{"variables_prefix": "airflow-variables"}`` and request variable key ``hello``. |
| |
| For client authentication, the ``DefaultAzureCredential`` from the Azure Python SDK is used as |
| credential provider, which supports service principal, managed identity and user credentials |
| |
| For example, to specify a service principal with secret you can set the environment variables |
| ``AZURE_TENANT_ID``, ``AZURE_CLIENT_ID`` and ``AZURE_CLIENT_SECRET``. |
| |
| .. seealso:: |
| For more details on client authentication refer to the ``DefaultAzureCredential`` Class reference: |
| https://docs.microsoft.com/en-us/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python |
| |
| :param connections_prefix: Specifies the prefix of the secret to read to get Connections |
| If set to None (null), requests for connections will not be sent to Azure Key Vault |
| :param variables_prefix: Specifies the prefix of the secret to read to get Variables |
| If set to None (null), requests for variables will not be sent to Azure Key Vault |
| :param config_prefix: Specifies the prefix of the secret to read to get Variables. |
| If set to None (null), requests for configurations will not be sent to Azure Key Vault |
| :param vault_url: The URL of an Azure Key Vault to use |
| :param sep: separator used to concatenate secret_prefix and secret_id. Default: "-" |
| |
| .. py:method:: client(self) |
| |
| Create a Azure Key Vault client. |
| |
| |
| .. py:method:: get_conn_value(self, conn_id) |
| |
| Get a serialized representation of Airflow Connection from an Azure Key Vault secret |
| |
| :param conn_id: The Airflow connection id to retrieve |
| |
| |
| .. py:method:: get_conn_uri(self, conn_id) |
| |
| Return URI representation of Connection conn_id. |
| |
| As of Airflow version 2.3.0 this method is deprecated. |
| |
| :param conn_id: the connection id |
| :return: deserialized Connection |
| |
| |
| .. py:method:: get_variable(self, key) |
| |
| Get an Airflow Variable from an Azure Key Vault secret. |
| |
| :param key: Variable Key |
| :return: Variable Value |
| |
| |
| .. py:method:: get_config(self, key) |
| |
| Get Airflow Configuration |
| |
| :param key: Configuration Option Key |
| :return: Configuration Option Value |
| |
| |
| .. py:method:: build_path(path_prefix, secret_id, sep = '-') |
| :staticmethod: |
| |
| Given a path_prefix and secret_id, build a valid secret name for the Azure Key Vault Backend. |
| Also replaces underscore in the path with dashes to support easy switching between |
| environment variables, so ``connection_default`` becomes ``connection-default``. |
| |
| :param path_prefix: The path prefix of the secret to retrieve |
| :param secret_id: Name of the secret |
| :param sep: Separator used to concatenate path_prefix and secret_id |
| |
| |
| |