docs-archive/apache-airflow-providers-hashicorp/1.0.0/_sources/_api/airflow/providers/hashicorp/secrets/vault/index.rst.txt - airflow-site - Git at Google

 :mod:`airflow.providers.hashicorp.secrets.vault`
 ================================================

 .. py:module:: airflow.providers.hashicorp.secrets.vault

 .. autoapi-nested-parse::

    Objects relating to sourcing connections & variables from Hashicorp Vault


 Module Contents
 ---------------

 .. py:class:: VaultBackend(connections_path: str = 'connections', variables_path: str = 'variables', config_path: str = 'config', url: Optional[str] = None, auth_type: str = 'token', auth_mount_point: Optional[str] = None, mount_point: str = 'secret', kv_engine_version: int = 2, token: Optional[str] = None, token_path: Optional[str] = None, username: Optional[str] = None, password: Optional[str] = None, key_id: Optional[str] = None, secret_id: Optional[str] = None, role_id: Optional[str] = None, kubernetes_role: Optional[str] = None, kubernetes_jwt_path: str = '/var/run/secrets/kubernetes.io/serviceaccount/token', gcp_key_path: Optional[str] = None, gcp_keyfile_dict: Optional[dict] = None, gcp_scopes: Optional[str] = None, azure_tenant_id: Optional[str] = None, azure_resource: Optional[str] = None, radius_host: Optional[str] = None, radius_secret: Optional[str] = None, radius_port: Optional[int] = None, **kwargs)

    Bases: :class:`airflow.secrets.BaseSecretsBackend`, :class:`airflow.utils.log.logging_mixin.LoggingMixin`

    Retrieves Connections and Variables from Hashicorp Vault.

    Configurable via ``airflow.cfg`` as follows:

    .. code-block:: ini

        [secrets]
        backend = airflow.providers.hashicorp.secrets.vault.VaultBackend
        backend_kwargs = {
            "connections_path": "connections",
            "url": "http://127.0.0.1:8200",
            "mount_point": "airflow"
            }

    For example, if your keys are under ``connections`` path in ``airflow`` mount_point, this
    would be accessible if you provide ``{"connections_path": "connections"}`` and request
    conn_id ``smtp_default``.

    :param connections_path: Specifies the path of the secret to read to get Connections.
        (default: 'connections'). If set to None (null), requests for connections will not be sent to Vault.
    :type connections_path: str
    :param variables_path: Specifies the path of the secret to read to get Variable.
        (default: 'variables'). If set to None (null), requests for variables will not be sent to Vault.
    :type variables_path: str
    :param config_path: Specifies the path of the secret to read Airflow Configurations
        (default: 'config'). If set to None (null), requests for configurations will not be sent to Vault.
    :type config_path: str
    :param url: Base URL for the Vault instance being addressed.
    :type url: str
    :param auth_type: Authentication Type for Vault. Default is ``token``. Available values are:
        ('approle', 'aws_iam', 'azure', 'github', 'gcp', 'kubernetes', 'ldap', 'radius', 'token', 'userpass')
    :type auth_type: str
    :param auth_mount_point: It can be used to define mount_point for authentication chosen
          Default depends on the authentication method used.
    :type auth_mount_point: str
    :param mount_point: The "path" the secret engine was mounted on. Default is "secret". Note that
         this mount_point is not used for authentication if authentication is done via a
         different engine. For authentication mount_points see, auth_mount_point.
    :type mount_point: str
    :param kv_engine_version: Select the version of the engine to run (``1`` or ``2``, default: ``2``).
    :type kv_engine_version: int
    :param token: Authentication token to include in requests sent to Vault.
        (for ``token`` and ``github`` auth_type)
    :type token: str
    :param token_path: path to file containing authentication token to include in requests sent to Vault
        (for ``token`` and ``github`` auth_type).
    :type token_path: str
    :param username: Username for Authentication (for ``ldap`` and ``userpass`` auth_type).
    :type username: str
    :param password: Password for Authentication (for ``ldap`` and ``userpass`` auth_type).
    :type password: str
    :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type).
    :type key_id: str
    :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types).
    :type secret_id: str
    :param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types).
    :type role_id: str
    :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type).
    :type kubernetes_role: str
    :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default:
        ``/var/run/secrets/kubernetes.io/serviceaccount/token``).
    :type kubernetes_jwt_path: str
    :param gcp_key_path: Path to Google Cloud Service Account key file (JSON) (for ``gcp`` auth_type).
           Mutually exclusive with gcp_keyfile_dict.
    :type gcp_key_path: str
    :param gcp_keyfile_dict: Dictionary of keyfile parameters. (for ``gcp`` auth_type).
           Mutually exclusive with gcp_key_path.
    :type gcp_keyfile_dict: dict
    :param gcp_scopes: Comma-separated string containing OAuth2 scopes (for ``gcp`` auth_type).
    :type gcp_scopes: str
    :param azure_tenant_id: The tenant id for the Azure Active Directory (for ``azure`` auth_type).
    :type azure_tenant_id: str
    :param azure_resource: The configured URL for the application registered in Azure Active Directory
           (for ``azure`` auth_type).
    :type azure_resource: str
    :param radius_host: Host for radius (for ``radius`` auth_type).
    :type radius_host: str
    :param radius_secret: Secret for radius (for ``radius`` auth_type).
    :type radius_secret: str
    :param radius_port: Port for radius (for ``radius`` auth_type).
    :type radius_port: str


    .. method:: get_conn_uri(self, conn_id: str)

       Get secret value from Vault. Store the secret in the form of URI

       :param conn_id: The connection id
       :type conn_id: str
       :rtype: str
       :return: The connection uri retrieved from the secret


    .. method:: get_variable(self, key: str)

       Get Airflow Variable

       :param key: Variable Key
       :type key: str
       :rtype: str
       :return: Variable Value retrieved from the vault


    .. method:: get_config(self, key: str)

       Get Airflow Configuration

       :param key: Configuration Option Key
       :type key: str
       :rtype: str
       :return: Configuration Option Value retrieved from the vault
	:mod:`airflow.providers.hashicorp.secrets.vault`
	================================================

	.. py:module:: airflow.providers.hashicorp.secrets.vault

	.. autoapi-nested-parse::

	Objects relating to sourcing connections & variables from Hashicorp Vault



	Module Contents
	---------------

	.. py:class:: VaultBackend(connections_path: str = 'connections', variables_path: str = 'variables', config_path: str = 'config', url: Optional[str] = None, auth_type: str = 'token', auth_mount_point: Optional[str] = None, mount_point: str = 'secret', kv_engine_version: int = 2, token: Optional[str] = None, token_path: Optional[str] = None, username: Optional[str] = None, password: Optional[str] = None, key_id: Optional[str] = None, secret_id: Optional[str] = None, role_id: Optional[str] = None, kubernetes_role: Optional[str] = None, kubernetes_jwt_path: str = '/var/run/secrets/kubernetes.io/serviceaccount/token', gcp_key_path: Optional[str] = None, gcp_keyfile_dict: Optional[dict] = None, gcp_scopes: Optional[str] = None, azure_tenant_id: Optional[str] = None, azure_resource: Optional[str] = None, radius_host: Optional[str] = None, radius_secret: Optional[str] = None, radius_port: Optional[int] = None, **kwargs)

	Bases: :class:`airflow.secrets.BaseSecretsBackend`, :class:`airflow.utils.log.logging_mixin.LoggingMixin`

	Retrieves Connections and Variables from Hashicorp Vault.

	Configurable via ``airflow.cfg`` as follows:

	.. code-block:: ini

	[secrets]
	backend = airflow.providers.hashicorp.secrets.vault.VaultBackend
	backend_kwargs = {
	"connections_path": "connections",
	"url": "http://127.0.0.1:8200",
	"mount_point": "airflow"
	}

	For example, if your keys are under ``connections`` path in ``airflow`` mount_point, this
	would be accessible if you provide ``{"connections_path": "connections"}`` and request
	conn_id ``smtp_default``.

	:param connections_path: Specifies the path of the secret to read to get Connections.
	(default: 'connections'). If set to None (null), requests for connections will not be sent to Vault.
	:type connections_path: str
	:param variables_path: Specifies the path of the secret to read to get Variable.
	(default: 'variables'). If set to None (null), requests for variables will not be sent to Vault.
	:type variables_path: str
	:param config_path: Specifies the path of the secret to read Airflow Configurations
	(default: 'config'). If set to None (null), requests for configurations will not be sent to Vault.
	:type config_path: str
	:param url: Base URL for the Vault instance being addressed.
	:type url: str
	:param auth_type: Authentication Type for Vault. Default is ``token``. Available values are:
	('approle', 'aws_iam', 'azure', 'github', 'gcp', 'kubernetes', 'ldap', 'radius', 'token', 'userpass')
	:type auth_type: str
	:param auth_mount_point: It can be used to define mount_point for authentication chosen
	Default depends on the authentication method used.
	:type auth_mount_point: str
	:param mount_point: The "path" the secret engine was mounted on. Default is "secret". Note that
	this mount_point is not used for authentication if authentication is done via a
	different engine. For authentication mount_points see, auth_mount_point.
	:type mount_point: str
	:param kv_engine_version: Select the version of the engine to run (``1`` or ``2``, default: ``2``).
	:type kv_engine_version: int
	:param token: Authentication token to include in requests sent to Vault.
	(for ``token`` and ``github`` auth_type)
	:type token: str
	:param token_path: path to file containing authentication token to include in requests sent to Vault
	(for ``token`` and ``github`` auth_type).
	:type token_path: str
	:param username: Username for Authentication (for ``ldap`` and ``userpass`` auth_type).
	:type username: str
	:param password: Password for Authentication (for ``ldap`` and ``userpass`` auth_type).
	:type password: str
	:param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type).
	:type key_id: str
	:param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types).
	:type secret_id: str
	:param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types).
	:type role_id: str
	:param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type).
	:type kubernetes_role: str
	:param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default:
	``/var/run/secrets/kubernetes.io/serviceaccount/token``).
	:type kubernetes_jwt_path: str
	:param gcp_key_path: Path to Google Cloud Service Account key file (JSON) (for ``gcp`` auth_type).
	Mutually exclusive with gcp_keyfile_dict.
	:type gcp_key_path: str
	:param gcp_keyfile_dict: Dictionary of keyfile parameters. (for ``gcp`` auth_type).
	Mutually exclusive with gcp_key_path.
	:type gcp_keyfile_dict: dict
	:param gcp_scopes: Comma-separated string containing OAuth2 scopes (for ``gcp`` auth_type).
	:type gcp_scopes: str
	:param azure_tenant_id: The tenant id for the Azure Active Directory (for ``azure`` auth_type).
	:type azure_tenant_id: str
	:param azure_resource: The configured URL for the application registered in Azure Active Directory
	(for ``azure`` auth_type).
	:type azure_resource: str
	:param radius_host: Host for radius (for ``radius`` auth_type).
	:type radius_host: str
	:param radius_secret: Secret for radius (for ``radius`` auth_type).
	:type radius_secret: str
	:param radius_port: Port for radius (for ``radius`` auth_type).
	:type radius_port: str


	.. method:: get_conn_uri(self, conn_id: str)

	Get secret value from Vault. Store the secret in the form of URI

	:param conn_id: The connection id
	:type conn_id: str
	:rtype: str
	:return: The connection uri retrieved from the secret




	.. method:: get_variable(self, key: str)

	Get Airflow Variable

	:param key: Variable Key
	:type key: str
	:rtype: str
	:return: Variable Value retrieved from the vault




	.. method:: get_config(self, key: str)

	Get Airflow Configuration

	:param key: Configuration Option Key
	:type key: str
	:rtype: str
	:return: Configuration Option Value retrieved from the vault