Hook to Interact with HashiCorp Vault KeyValue Secret engine.

View Source

Last Updated: Dec. 8, 2020

Access Instructions

Install the Hashicorp provider package into your Airflow environment.

Import the module into your DAG file and instantiate it with your desired params.


Hook to Interact with HashiCorp Vault KeyValue Secret engine.

HashiCorp hvac documentation:

You connect to the host specified as host in the connection. The login/password from the connection are used as credentials usually and you can specify different authentication parameters via init params or via corresponding extras in the connection.

The mount point should be placed as a path in the URL - similarly to Vault’s URL schema: This indicates the “path” the secret engine is mounted on. Default id not specified is “secret”. Note that this mount_point is not used for authentication if authentication is done via a different engines. Each engine uses it’s own engine-specific authentication mount_point.

The extras in the connection are named the same as the parameters (‘kv_engine_version’, ‘auth_type’, …).

You can also use gcp_keyfile_dict extra to pass json-formatted dict in case of ‘gcp’ authentication.

The URL schemas supported are “vault”, “http” (using http to connect to the vault) or “vaults” and “https” (using https to connect to the vault).

Example URL:


Login/Password are used as credentials:

  • approle: password -> secret_id

  • github: password -> token

  • token: password -> token

  • aws_iam: login -> key_id, password -> secret_id

  • azure: login -> client_id, password -> client_secret

  • ldap: login -> username, password -> password

  • userpass: login -> username, password -> password

  • radius: password -> radius_secret

Example DAGs

Improve this module by creating an example DAG.

View Source
  1. Add an `example_dags` directory to the top-level source of the provider package with an empty `` file.
  2. Add your DAG to this directory. Be sure to include a well-written and descriptive docstring
  3. Create a pull request against the source code. Once the package gets released, your DAG will show up on the Registry.

Was this page helpful?