.. Licensed to the Apache Software Foundation (ASF) under one
   or more contributor license agreements. See the NOTICE file
   distributed with this work for additional information
   regarding copyright ownership. The ASF licenses this file
   to you under the Apache License, Version 2.0 (the
   "License"); you may not use this file except in compliance
   with the License. You may obtain a copy of the License at

..   http://www.apache.org/licenses/LICENSE-2.0

.. Unless required by applicable law or agreed to in writing,
   software distributed under the License is distributed on an
   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
   KIND, either express or implied. See the License for the
   specific language governing permissions and limitations
   under the License.

Secret backends
---------------
This is a summary of all Apache Airflow Community provided implementations of secret backends
exposed via community-managed providers.

Airflow can read connections, variables and configuration from secret backends rather
than from its own database. While storing such information in Airflow's database is possible, many
enterprise customers already have secret managers storing their secrets, and Airflow can tap into those
via providers that implement secrets backends for services Airflow integrates with.

.. note::

    Secret backend integrations do not allow writes to the secret backend.
    This is a design choice: a secret store is a protected resource and normally requires elevated permissions to write to.
    That means ``Variable.set(...)`` will write to the Airflow metastore even if you use a secret backend.
    If you need to update the value of a secret stored in the secret backend, you must do it explicitly. That can be done
    by using an operator that writes to the secret backend of your choice.

.. warning::

    If you have key ``foo`` in the secret backend and you call ``Variable.set(key='foo',...)``, it will create
    an Airflow Variable with key ``foo`` in the Airflow metastore. It means you will have 2 secrets with key ``foo``.
    While this is possible, Airflow detects that this situation is likely wrong and outputs a warning to the task log
    explaining that, while the write request is honored, the written value will be ignored on the next read. The reason
    is that ``Variable.get('foo')`` reads the value from the secret backend. The value stored in the Airflow
    metastore will be ignored due to the priority given to the secret backend.
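
The precedence described in the warning above, as an added example that is not Airflow's own code: a simplified two-store model (all class and function names are hypothetical) in which a write lands in the metastore while reads keep returning the backend value, plus a check that lists the shadowed keys.

```python
# Simplified model, not Airflow code: every class and function name is hypothetical.

class Store:
    """Read side shared by both stores."""
    def __init__(self, values):
        self._values = dict(values)

    def get_variable(self, key):
        return self._values.get(key)

    def keys(self):
        return set(self._values)


class SecretBackend(Store):
    """Stands in for an external secret manager; Airflow only reads from it."""


class Metastore(Store):
    """Stands in for the Airflow database, the only store that accepts writes."""
    def set_variable(self, key, value):
        self._values[key] = value


class Variables:
    def __init__(self, backend, metastore):
        self.backend, self.metastore = backend, metastore
        self.warnings = []  # stands in for the task log

    def get(self, key):
        # The secret backend has priority; the metastore is only a fallback.
        for store in (self.backend, self.metastore):
            value = store.get_variable(key)
            if value is not None:
                return value
        raise KeyError(key)

    def set(self, key, value):
        # The write is honored, but it always lands in the metastore.
        if self.backend.get_variable(key) is not None:
            self.warnings.append(f"{key!r} exists in the secret backend; "
                                 "the metastore value will be ignored on read")
        self.metastore.set_variable(key, value)


def shadowed_keys(backend, metastore):
    """Metastore keys that are never read because the backend also defines them."""
    return sorted(backend.keys() & metastore.keys())


def demo():
    # Constructed sample data.
    variables = Variables(SecretBackend({"foo": "from-backend"}), Metastore({}))
    variables.set("foo", "from-metastore")
    variables.set("bar", "only-in-metastore")
    return variables
```
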

You can also take a look at the secret backends available in core Airflow in
:doc:`apache-airflow:security/secrets/secrets-backend/index`, and here you can see the ones
provided by the community-managed providers:

.. airflow-secrets-backends::
   :tags: None
   :header-separator: "