airflow.providers.microsoft.azure.secrets.key_vault¶
This module contains Azure Key Vault Backend.
Module Contents¶
Classes¶
Retrieves Airflow Connections or Variables from Azure Key Vault secrets. |
- class airflow.providers.microsoft.azure.secrets.key_vault.AzureKeyVaultBackend(connections_prefix='airflow-connections', variables_prefix='airflow-variables', config_prefix='airflow-config', vault_url='', sep='-', *, tenant_id='', client_id='', client_secret='', managed_identity_client_id='', workload_identity_tenant_id='', **kwargs)[source]¶
Bases:
airflow.secrets.BaseSecretsBackend,airflow.utils.log.logging_mixin.LoggingMixinRetrieves Airflow Connections or Variables from Azure Key Vault secrets.
The Azure Key Vault can be configured as a secrets backend in the
airflow.cfg:[secrets] backend = airflow.providers.microsoft.azure.secrets.key_vault.AzureKeyVaultBackend backend_kwargs = {"connections_prefix": "airflow-connections", "vault_url": "<azure_key_vault_uri>"}
For example, if the secrets prefix is
airflow-connections-smtp-default, this would be accessible if you provide{"connections_prefix": "airflow-connections"}and request conn_idsmtp-default. And if variables prefix isairflow-variables-hello, this would be accessible if you provide{"variables_prefix": "airflow-variables"}and request variable keyhello.For client authentication, the
DefaultAzureCredentialfrom the Azure Python SDK is used as credential provider, which supports service principal, managed identity and user credentialsFor example, to specify a service principal with secret you can set the environment variables
AZURE_TENANT_ID,AZURE_CLIENT_IDandAZURE_CLIENT_SECRET.See also
For more details on client authentication refer to the
DefaultAzureCredentialClass reference: https://docs.microsoft.com/en-us/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python- Parameters
connections_prefix (str) – Specifies the prefix of the secret to read to get Connections If set to None (null), requests for connections will not be sent to Azure Key Vault
variables_prefix (str) – Specifies the prefix of the secret to read to get Variables If set to None (null), requests for variables will not be sent to Azure Key Vault
config_prefix (str) – Specifies the prefix of the secret to read to get Variables. If set to None (null), requests for configurations will not be sent to Azure Key Vault
vault_url (str) – The URL of an Azure Key Vault to use
sep (str) – separator used to concatenate secret_prefix and secret_id. Default: “-“
tenant_id (str) – The tenant id of an Azure Key Vault to use. If not given, it falls back to
DefaultAzureCredentialclient_id (str) – The client id of an Azure Key Vault to use. If not given, it falls back to
DefaultAzureCredentialmanaged_identity_client_id (str) – The client ID of a user-assigned managed identity. If provided with workload_identity_tenant_id, they’ll pass to
DefaultAzureCredential.workload_identity_tenant_id (str) – ID of the application’s Microsoft Entra tenant. Also called its “directory” ID. If provided with managed_identity_client_id, they’ll pass to
DefaultAzureCredential.
- get_conn_value(conn_id)[source]¶
Get a serialized representation of Airflow Connection from an Azure Key Vault secret.
- Parameters
conn_id (str) – The Airflow connection id to retrieve
- get_conn_uri(conn_id)[source]¶
Return URI representation of Connection conn_id.
As of Airflow version 2.3.0 this method is deprecated.
- static build_path(path_prefix, secret_id, sep='-')[source]¶
Given a path_prefix and secret_id, build a valid secret name for the Azure Key Vault Backend.
Also replaces underscore in the path with dashes to support easy switching between environment variables, so
connection_defaultbecomesconnection-default.