[PR] Add gRPC timeout to Secret Manager `access_secret_version` call [airflow]

Tue, 17 Mar 2026 05:27:01 -0700 


evgeniy-b opened a new pull request, #63813:
URL: https://github.com/apache/airflow/pull/63813

   ## Summary
   
   `_SecretManagerClient.get_secret()` calls `access_secret_version()` with no 
`timeout` parameter, meaning the gRPC call has no deadline. If Secret
   Manager is slow or unreachable, the calling thread blocks **indefinitely**.
   
   This is particularly problematic in the triggerer, where Secret Manager 
calls run in the shared `sync_to_async` thread pool. A single stuck call can
   exhaust the pool, blocking all triggers — including non-Google ones.
   
   ### Changes
   
   - Add a 30s gRPC deadline (`timeout=30`) to the `access_secret_version` call 
in `_SecretManagerClient.get_secret()`
   - Catch `DeadlineExceeded` and re-raise as Python `TimeoutError` so callers 
can handle it with standard exception handling
   - Log a warning on timeout so operators can detect Secret Manager 
connectivity issues
   
   The `timeout` kwarg sets a gRPC deadline enforced at the C level inside 
grpc-core. When the deadline expires, grpc-core cancels the RPC and the thread
    unblocks with a `DeadlineExceeded` error — unlike Python-level timeouts 
which cannot interrupt threads blocked in C code.
   
   ### Why `TimeoutError` instead of returning `None`?
   
   Returning `None` would mean "secret doesn't exist," which is semantically 
wrong for a timeout — the secret may exist, we just couldn't reach it. The
   secrets backend framework in `Connection.get_connection_from_secrets()` 
already catches `Exception` and falls through to the next backend, so
   re-raising is safe and preserves the distinction.
   
   ---
   
   ##### Was generative AI tooling used to co-author this PR?
   
   - [X] Yes — Claude Opus 4.6
   
   Generated-by: Claude Opus 4.6 following [the
   
guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to