Azure Key Vault Backend

To enable the Azure Key Vault as secrets backend, specify AzureKeyVaultBackend as the backend in [secrets] section of airflow.cfg.

Here is a sample configuration:

backend =
backend_kwargs = {"connections_prefix": "airflow-connections", "variables_prefix": "airflow-variables", "vault_url": ""}

For client authentication, the DefaultAzureCredential from the Azure Python SDK is used as credential provider, which supports service principal, managed identity and user credentials.

Optional lookup

Optionally connections, variables, or config may be looked up exclusive of each other or in any combination. This will prevent requests being sent to Azure Key Vault for the excluded type.

If you want to look up some and not others in Azure Key Vault you may do so by setting the relevant *_prefix parameter of the ones to be excluded as null.

For example, if you want to set parameter connections_prefix to "airflow-connections" and not look up variables, your configuration file should look like this:

backend =
backend_kwargs = {"connections_prefix": "airflow-connections", "variables_prefix": null, "vault_url": ""}

Storing and Retrieving Connections

If you have set connections_prefix as airflow-connections, then for a connection id of smtp_default, you would want to store your connection at airflow-connections-smtp-default.

The value of the secret must be the connection URI representation of the connection object.

Storing and Retrieving Variables

If you have set variables_prefix as airflow-variables, then for an Variable key of hello, you would want to store your Variable at airflow-variables-hello.

Was this entry helpful?