Re: [PR] Add JWT/OIDC authentication support to Hashicorp Vault provider [airflow]

Thu, 05 Feb 2026 01:42:44 -0800 


Lee-W commented on code in PR #61439:
URL: https://github.com/apache/airflow/pull/61439#discussion_r2768013383


##########
providers/hashicorp/src/airflow/providers/hashicorp/secrets/vault.py:
##########
@@ -112,6 +115,9 @@ def __init__(
         region: str | None = None,
         kubernetes_role: str | None = None,
         kubernetes_jwt_path: str = 
"/var/run/secrets/kubernetes.io/serviceaccount/token",

Review Comment:
   same here



##########
providers/hashicorp/src/airflow/providers/hashicorp/hooks/vault.py:
##########
@@ -117,6 +122,9 @@ def __init__(
         region: str | None = None,
         kubernetes_role: str | None = None,
         kubernetes_jwt_path: str | None = None,
+        jwt_role: str | None = None,

Review Comment:
   same here



##########
providers/hashicorp/src/airflow/providers/hashicorp/_internal_client/vault_client.py:
##########
@@ -113,6 +119,9 @@ def __init__(
         region: str | None = None,
         kubernetes_role: str | None = None,
         kubernetes_jwt_path: str | None = 
"/var/run/secrets/kubernetes.io/serviceaccount/token",
+        jwt_role: str | None = None,
+        jwt_token: str | None = None,
+        jwt_token_path: str | None = DEFAULT_JWT_TOKEN_PATH,

Review Comment:
   ```suggestion
           *,
           jwt_role: str | None = None,
           jwt_token: str | None = None,
           jwt_token_path: str | None = DEFAULT_JWT_TOKEN_PATH,
   ```
   
   Let's place it after `radius_port` and make it a keyword-only argument. 
otherwise, it would be a breaking change



##########
providers/hashicorp/src/airflow/providers/hashicorp/hooks/vault.py:
##########
@@ -240,6 +256,19 @@ def _get_kubernetes_parameters_from_connection(
             kubernetes_role = 
self.connection.extra_dejson.get("kubernetes_role")
         return kubernetes_jwt_path, kubernetes_role
 
+    def _get_jwt_parameters_from_connection(
+        self, jwt_role: str | None, jwt_token: str | None, jwt_token_path: str 
| None
+    ) -> tuple[str | None, str | None, str | None]:
+        if not jwt_role:
+            jwt_role = self.connection.extra_dejson.get("jwt_role")
+        if not jwt_token:
+            jwt_token = self.connection.extra_dejson.get("jwt_token")
+        if not jwt_token_path:
+            jwt_token_path = self.connection.extra_dejson.get("jwt_token_path")
+            if not jwt_token_path:
+                jwt_token_path = DEFAULT_JWT_TOKEN_PATH

Review Comment:
   ```suggestion
               jwt_token_path = 
self.connection.extra_dejson.get("jwt_token_path") or DEFAULT_JWT_TOKEN_PATH
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to