airflow.providers.hashicorp.hooks.vault¶
Hook for HashiCorp Vault.
Classes¶
VaultHook | Hook to Interact with HashiCorp Vault KeyValue Secret engine.
Module Contents¶
- class airflow.providers.hashicorp.hooks.vault.VaultHook(vault_conn_id=default_conn_name, auth_type=None, auth_mount_point=None, kv_engine_version=None, role_id=None, region=None, kubernetes_role=None, kubernetes_jwt_path=None, token_path=None, gcp_key_path=None, gcp_scopes=None, azure_tenant_id=None, azure_resource=None, radius_host=None, radius_port=None, **kwargs)[source]¶
Bases: airflow.hooks.base.BaseHook
Hook to Interact with HashiCorp Vault KeyValue Secret engine.
- HashiCorp hvac documentation: https://hvac.readthedocs.io/en/stable/
You connect to the host specified as host in the connection. The login/password from the connection are usually used as credentials, and you can specify different authentication parameters via init params or via the corresponding extras in the connection.
The mount point should be placed as a path in the URL, similarly to Vault's URL schema: it indicates the "path" the secret engine is mounted on. The default, if not specified, is "secret". Note that this mount_point is not used for authentication if authentication is done via a different engine; each auth engine uses its own engine-specific authentication mount_point. The extras in the connection are named the same as the parameters ('kv_engine_version', 'auth_type', ...).
You can also use the gcp_keyfile_dict extra to pass a JSON-formatted dict in the case of 'gcp' authentication.
The URL schemas supported are "vault" and "http" (using http to connect to the vault) or "vaults" and "https" (using https to connect to the vault).
Example URL:
vault://user:password@host:port/mount_point?kv_engine_version=1&auth_type=github
Login/Password are used as credentials:
approle: login -> connection.login
github: password -> token
token: password -> token
aws_iam: login -> key_id, password -> secret_id
azure: login -> client_id, password -> client_secret
ldap: login -> username, password -> password
userpass: login -> username, password -> password
radius: password -> radius_secret
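A small stand-alone parser for the connection URL schema and the login/password mapping described above, added here as an illustration. It is not the hook's own code; it only models what this page states (scheme to http/https, mount point from the path, extras from the query string, default auth_type token, default kv_engine_version 2, default mount point "secret"), and the approle row is modelled exactly as listed.

```python
from urllib.parse import parse_qs, unquote, urlparse

# URL schemas listed above: vault/http -> plain http, vaults/https -> https.
SCHEME_TLS = {"vault": False, "http": False, "vaults": True, "https": True}

# Login/password mapping from the table above (approle is listed as
# "login -> connection.login" only, and is modelled exactly that way).
CREDENTIAL_MAP = {
    "approle": {"login": "login"},
    "github": {"password": "token"},
    "token": {"password": "token"},
    "aws_iam": {"login": "key_id", "password": "secret_id"},
    "azure": {"login": "client_id", "password": "client_secret"},
    "ldap": {"login": "username", "password": "password"},
    "userpass": {"login": "username", "password": "password"},
    "radius": {"password": "radius_secret"},
}


def parse_vault_conn_uri(uri: str) -> dict:
    """Split a vault:// connection URI into the pieces the hook needs.
    Userinfo must be percent-encoded ('@' or ':' in a password would otherwise
    be taken as a delimiter); unquote() reverses that encoding."""
    u = urlparse(uri)
    if u.scheme not in SCHEME_TLS:
        raise ValueError(f"unsupported URL schema: {u.scheme!r}")
    # Extras are named like the constructor parameters; last value wins if repeated.
    extras = {k: v[-1] for k, v in parse_qs(u.query).items()}
    auth_type = extras.get("auth_type", "token")  # default auth_type is token
    if auth_type not in CREDENTIAL_MAP:
        raise ValueError(f"unknown auth_type: {auth_type!r}")
    kv_engine_version = int(extras.get("kv_engine_version", 2))  # default is 2
    if kv_engine_version not in (1, 2):
        raise ValueError("kv_engine_version must be 1 or 2")
    login = unquote(u.username) if u.username is not None else None
    password = unquote(u.password) if u.password is not None else None
    fields = {"login": login, "password": password}
    # Only the fields the chosen auth_type consumes are forwarded as credentials.
    credentials = {t: fields[s] for s, t in CREDENTIAL_MAP[auth_type].items() if fields[s] is not None}
    proto = "https" if SCHEME_TLS[u.scheme] else "http"
    return {
        "url": f"{proto}://{u.hostname}" + (f":{u.port}" if u.port else ""),
        "mount_point": u.path.strip("/") or "secret",  # default mount point is "secret"
        "kv_engine_version": kv_engine_version,
        "auth_type": auth_type,
        "credentials": credentials,
    }
```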
- Parameters:
vault_conn_id (str) – The id of the connection to use
auth_type (str | None) – Authentication Type for the Vault. Default is token. Available values are: ('approle', 'github', 'gcp', 'kubernetes', 'ldap', 'token', 'userpass')
auth_mount_point (str | None) – Can be used to define the mount_point for the chosen authentication method. Default depends on the authentication method used.
kv_engine_version (int | None) – Select the version of the engine to run (1 or 2). Defaults to the version defined in the connection, or 2 if not defined in the connection.
role_id (str | None) – Role ID for aws_iam Authentication.
region (str | None) – AWS region for STS API calls (for aws_iam auth_type).
kubernetes_role (str | None) – Role for Authentication (for kubernetes auth_type)
kubernetes_jwt_path (str | None) – Path for kubernetes jwt token (for kubernetes auth_type, default: /var/run/secrets/kubernetes.io/serviceaccount/token)
token_path (str | None) – Path to file containing authentication token to include in requests sent to Vault (for token and github auth_type).
gcp_key_path (str | None) – Path to Google Cloud Service Account key file (JSON) (for gcp auth_type). Mutually exclusive with gcp_keyfile_dict
gcp_scopes (str | None) – Comma-separated string containing OAuth2 scopes (for gcp auth_type)
azure_tenant_id (str | None) – The tenant id for the Azure Active Directory (for azure auth_type)
azure_resource (str | None) – The configured URL for the application registered in Azure Active Directory (for azure auth_type)
radius_host (str | None) – Host for radius (for radius auth_type)
radius_port (int | None) – Port for radius (for radius auth_type)
- get_conn()[source]¶
Retrieve connection to Vault.
- Returns:
connection used.
- Return type:
hvac.Client
- get_secret(secret_path, secret_version=None)[source]¶
Get secret value from the engine.
- Parameters:
See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v1.html and https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.
- get_secret_metadata(secret_path)[source]¶
Read secret metadata (including versions) from the engine. It is only valid for KV version 2.
- Parameters:
secret_path (str) – Path to read from
- Returns:
secret metadata. This is a Dict containing metadata for the secret.
- Return type:
dict | None
See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.
- get_secret_including_metadata(secret_path, secret_version=None)[source]¶
Read secret including metadata. It is only valid for KV version 2.
See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.
- Parameters:
- Returns:
key info. This is a Dict with “data” mapping keeping secret and “metadata” mapping keeping metadata of the secret.
- Return type:
dict | None
- create_or_update_secret(secret_path, secret, method=None, cas=None)[source]¶
Create or update a secret.
- Parameters:
secret_path (str) – Path of the secret to create or update
secret (dict) – Secret to create or update for the path specified
method (str | None) – Optional parameter to explicitly request a POST (create) or PUT (update) request to the selected kv secret engine. If no argument is provided for this parameter, hvac attempts to intelligently determine which method is appropriate. Only valid for KV engine version 1.
cas (int | None) – Set the “cas” value to use a Check-And-Set operation. If not set the write will be allowed. If set to 0 a write will only be allowed if the key doesn’t exist. If the index is non-zero the write will only be allowed if the key’s current version matches the version specified in the cas parameter. Only valid for KV engine version 2.
- Returns:
The response of the create_or_update_secret request.
- Return type:
See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v1.html and https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.
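The cas rules above (unset: write allowed; 0: only if the key does not exist; non-zero: only if it equals the current version) are what makes a read-modify-write of a secret safe against a concurrent writer. The following in-memory model of a KV version 2 path is added here to show those rules and the pattern of reading the current version from the metadata and passing it as cas; it is constructed for illustration and is not Vault, hvac, or hook code (names CheckAndSetError, KvV2Model and rotate_with_cas are assumptions).

```python
from __future__ import annotations


class CheckAndSetError(Exception):
    """Raised when a write's cas precondition fails (stands in for the error Vault returns)."""


class KvV2Model:
    """In-memory stand-in for one KV version 2 secret engine (constructed for illustration).
    Every successful write appends a new version; version numbers start at 1."""

    def __init__(self) -> None:
        self._versions: dict[str, list[dict]] = {}

    def current_version(self, path: str) -> int:
        return len(self._versions.get(path, []))

    def get_secret_metadata(self, path: str) -> dict | None:
        if path not in self._versions:
            return None
        return {"current_version": self.current_version(path)}

    def create_or_update_secret(self, path: str, secret: dict, cas: int | None = None) -> dict:
        current = self.current_version(path)
        if cas is not None:
            # cas=0: create only. cas=n: update only if n is the current version.
            if cas == 0 and current != 0:
                raise CheckAndSetError(f"{path}: cas=0 but key already exists (version {current})")
            if cas != 0 and cas != current:
                raise CheckAndSetError(f"{path}: cas={cas} but current version is {current}")
        self._versions.setdefault(path, []).append(dict(secret))
        return {"data": {"version": current + 1}}


def rotate_with_cas(store: KvV2Model, path: str, new_secret: dict) -> int:
    """Read the current version, then write with cas set to it, so a change made
    by another writer in between is rejected instead of silently overwritten.
    Returns the new version number."""
    meta = store.get_secret_metadata(path)
    expected = meta["current_version"] if meta else 0
    return store.create_or_update_secret(path, new_secret, cas=expected)["data"]["version"]
```

A caller that gets CheckAndSetError should re-read the secret and retry, not fall back to a write without cas.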