VaultBackend

Hashicorp

Retrieves Connections and Variables from Hashicorp Vault.

View on GitHub

Last Updated: Jun. 7, 2022

Access Instructions

Install the Hashicorp provider package into your Airflow environment.

Update your environment config per the instructions in the docs below.

Parameters

connections_pathSpecifies the path of the secret to read to get Connections. (default: ‘connections’). If set to None (null), requests for connections will not be sent to Vault.
variables_pathSpecifies the path of the secret to read to get Variable. (default: ‘variables’). If set to None (null), requests for variables will not be sent to Vault.
config_pathSpecifies the path of the secret to read Airflow Configurations (default: ‘config’). If set to None (null), requests for configurations will not be sent to Vault.
urlBase URL for the Vault instance being addressed.
auth_typeAuthentication Type for Vault. Default is token. Available values are: (‘approle’, ‘aws_iam’, ‘azure’, ‘github’, ‘gcp’, ‘kubernetes’, ‘ldap’, ‘radius’, ‘token’, ‘userpass’)
auth_mount_pointIt can be used to define mount_point for authentication chosen Default depends on the authentication method used.
mount_pointThe “path” the secret engine was mounted on. Default is “secret”. Note that this mount_point is not used for authentication if authentication is done via a different engine. For authentication mount_points see, auth_mount_point.
kv_engine_versionSelect the version of the engine to run (1 or 2, default: 2).
tokenAuthentication token to include in requests sent to Vault. (for token and github auth_type)
token_pathpath to file containing authentication token to include in requests sent to Vault (for token and github auth_type).
usernameUsername for Authentication (for ldap and userpass auth_type).
passwordPassword for Authentication (for ldap and userpass auth_type).
key_idKey ID for Authentication (for aws_iam and ‘’azure`` auth_type).
secret_idSecret ID for Authentication (for approle, aws_iam and azure auth_types).
role_idRole ID for Authentication (for approle, aws_iam auth_types).
kubernetes_roleRole for Authentication (for kubernetes auth_type).
kubernetes_jwt_pathPath for kubernetes jwt token (for kubernetes auth_type, default: /var/run/secrets/kubernetes.io/serviceaccount/token).
gcp_key_pathPath to Google Cloud Service Account key file (JSON) (for gcp auth_type). Mutually exclusive with gcp_keyfile_dict.
gcp_keyfile_dictDictionary of keyfile parameters. (for gcp auth_type). Mutually exclusive with gcp_key_path.
gcp_scopesComma-separated string containing OAuth2 scopes (for gcp auth_type).
azure_tenullt_idThe tenullt id for the Azure Active Directory (for azure auth_type).
azure_resourceThe configured URL for the application registered in Azure Active Directory (for azure auth_type).
radius_hostHost for radius (for radius auth_type).
radius_secretSecret for radius (for radius auth_type).
radius_portPort for radius (for radius auth_type).

Documentation

Retrieves Connections and Variables from Hashicorp Vault.

Configurable via airflow.cfg as follows:

[secrets]
backend = airflow.providers.hashicorp.secrets.vault.VaultBackend
backend_kwargs = {
"connections_path": "connections",
"url": "http://127.0.0.1:8200",
"mount_point": "airflow"
}

For example, if your keys are under connections path in airflow mount_point, this would be accessible if you provide {"connections_path": "connections"} and request conn_id smtp_default.

Was this page helpful?