airflow.providers.microsoft.azure.secrets.key_vault

This module contains Azure Key Vault Backend.

Module Contents

Classes

AzureKeyVaultBackend

Retrieves Airflow Connections or Variables from Azure Key Vault secrets.

class airflow.providers.microsoft.azure.secrets.key_vault.AzureKeyVaultBackend(connections_prefix='airflow-connections', variables_prefix='airflow-variables', config_prefix='airflow-config', vault_url='', sep='-', *, tenant_id='', client_id='', client_secret='', managed_identity_client_id='', workload_identity_tenant_id='', **kwargs)[source]

Bases: airflow.secrets.BaseSecretsBackend, airflow.utils.log.logging_mixin.LoggingMixin

Retrieves Airflow Connections or Variables from Azure Key Vault secrets.

The Azure Key Vault can be configured as a secrets backend in the airflow.cfg:

[secrets]
backend = airflow.providers.microsoft.azure.secrets.key_vault.AzureKeyVaultBackend
backend_kwargs = {"connections_prefix": "airflow-connections", "vault_url": "<azure_key_vault_uri>"}

For example, if the secret is named airflow-connections-smtp-default, it is accessible if you provide {"connections_prefix": "airflow-connections"} and request conn_id smtp-default. Likewise, if the secret is named airflow-variables-hello, it is accessible if you provide {"variables_prefix": "airflow-variables"} and request variable key hello.

For client authentication, the DefaultAzureCredential from the Azure Python SDK is used as the credential provider, which supports service principal, managed identity and user credentials.

For example, to specify a service principal with secret you can set the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET.

See also

For more details on client authentication refer to the DefaultAzureCredential Class reference: https://docs.microsoft.com/en-us/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python

Parameters
  • connections_prefix (str) – Specifies the prefix of the secret to read to get Connections. If set to None (null), requests for connections will not be sent to Azure Key Vault.

  • variables_prefix (str) – Specifies the prefix of the secret to read to get Variables. If set to None (null), requests for variables will not be sent to Azure Key Vault.

  • config_prefix (str) – Specifies the prefix of the secret to read to get configuration options. If set to None (null), requests for configurations will not be sent to Azure Key Vault.

  • vault_url (str) – The URL of an Azure Key Vault to use.

  • sep (str) – Separator used to concatenate secret_prefix and secret_id. Default: "-"

  • tenant_id (str) – The tenant id of an Azure Key Vault to use. If not given, it falls back to DefaultAzureCredential.

  • client_id (str) – The client id of an Azure Key Vault to use. If not given, it falls back to DefaultAzureCredential.

  • managed_identity_client_id (str) – The client ID of a user-assigned managed identity. If provided together with workload_identity_tenant_id, both are passed to DefaultAzureCredential.

  • workload_identity_tenant_id (str) – ID of the application’s Microsoft Entra tenant, also called its “directory” ID. If provided together with managed_identity_client_id, both are passed to DefaultAzureCredential.

client()[source]

Create an Azure Key Vault client.

get_conn_value(conn_id)[source]

Get a serialized representation of Airflow Connection from an Azure Key Vault secret.

Parameters

conn_id (str) – The Airflow connection id to retrieve

get_conn_uri(conn_id)[source]

Return URI representation of Connection conn_id.

As of Airflow version 2.3.0 this method is deprecated.

Parameters

conn_id (str) – the connection id

Returns

deserialized Connection

Return type

str | None

get_variable(key)[source]

Get an Airflow Variable from an Azure Key Vault secret.

Parameters

key (str) – Variable Key

Returns

Variable Value

Return type

str | None

get_config(key)[source]

Get Airflow Configuration.

Parameters

key (str) – Configuration Option Key

Returns

Configuration Option Value

Return type

str | None

static build_path(path_prefix, secret_id, sep='-')[source]

Given a path_prefix and secret_id, build a valid secret name for the Azure Key Vault Backend.

Also replaces underscore in the path with dashes to support easy switching between environment variables, so connection_default becomes connection-default.

Parameters
  • path_prefix (str) – The path prefix of the secret to retrieve

  • secret_id (str) – Name of the secret

  • sep (str) – Separator used to concatenate path_prefix and secret_id
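
The naming rule described for build_path, as an added example (not the provider's own code): a stand-alone re-implementation based on the description above, used to check a list of connection ids for names Key Vault would reject and for ids that collapse to the same secret once underscores become dashes. The audit helper, the sample ids and the Key Vault name pattern (1-127 letters, digits and dashes) are assumptions added here.

```python
import re
from collections import defaultdict

# Assumption: Azure Key Vault secret names are 1-127 characters,
# letters, digits and dashes only.
KV_NAME = re.compile(r"[0-9A-Za-z-]{1,127}")


def build_path(path_prefix, secret_id, sep="-"):
    """Re-implementation of the documented rule: join prefix and id with
    sep, then replace underscores with dashes."""
    return f"{path_prefix}{sep}{secret_id}".replace("_", "-")


def audit(ids, prefix, sep="-"):
    """Map Airflow ids to secret names; report invalid names and collisions.

    prefix=None mirrors the documented behaviour: nothing is looked up
    in Key Vault, so there is nothing to audit.
    """
    if prefix is None:
        return {"names": {}, "invalid": [], "collisions": {}}
    names = {i: build_path(prefix, i, sep) for i in ids}
    # Ids whose resulting secret name Key Vault would not accept.
    invalid = sorted(i for i, n in names.items() if not KV_NAME.fullmatch(n))
    # Distinct ids that resolve to one and the same secret.
    by_name = defaultdict(list)
    for i, n in names.items():
        by_name[n].append(i)
    collisions = {n: sorted(v) for n, v in by_name.items() if len(v) > 1}
    return {"names": names, "invalid": invalid, "collisions": collisions}


# Constructed sample connection ids (not taken from any real deployment).
SAMPLE_CONN_IDS = ["smtp_default", "smtp-default", "postgres.reporting", "wasb_logs"]

if __name__ == "__main__":
    report = audit(SAMPLE_CONN_IDS, "airflow-connections")
    for conn_id, name in report["names"].items():
        print(f"{conn_id!r:22} -> {name}")
    print("invalid:", report["invalid"])
    print("collisions:", report["collisions"])
```

A collision means two different connection ids read the same secret, so access granted to one id's secret implicitly covers the other.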
