alexbegg commented on a change in pull request #9639:
URL: https://github.com/apache/airflow/pull/9639#discussion_r452378087



##########
File path: airflow/providers/microsoft/azure/secrets/azure_key_vault.py
##########
@@ -0,0 +1,107 @@
+"""
+This module contains a secrets backend for Azure Key Vault.
+"""
+from typing import Optional
+
+from azure.identity import DefaultAzureCredential
+from azure.keyvault.secrets import SecretClient
+from azure.core.exceptions import ResourceNotFoundError
+from cached_property import cached_property
+
+from airflow.secrets import BaseSecretsBackend
+from airflow.utils.log.logging_mixin import LoggingMixin
+
+
+class AzureKeyVaultBackend(BaseSecretsBackend, LoggingMixin):
+    """
+    Retrieves Airflow Connections or Variables from Azure Key Vault secrets.
+
+    The Azure Key Vault can be configred as a secrets backend in the 
``airflow.cfg``:
+
+    .. code-block:: ini
+
+        [secrets]
+        backend = 
airflow.providers.microsoft.azure.secrets.azure_key_vault.AzureKeyVaultBackend
+        backend_kwargs = {"vault_url": "<azure_key_vault_uri>"}
+
+    For example, if the secrets prefix is 
``airflow-connections-smtp-default``, this would be accessible
+    if you provide ``{"connections_prefix": "airflow-connections"}`` and 
request conn_id ``smtp-default``.
+    And if variables prefix is ``airflow-variables-hello``, this would be 
accessible
+    if you provide ``{"variables_prefix": "airflow-variables"}`` and request 
variable key ``hello``.
+
+    :param vault_url: The URL of an Azure Key Vault to use
+    :type vault_url: str
+    :param connections_prefix: Specifies the prefix of the secret to read to 
get Connections
+    :type connections_prefix: str
+    :param variables_prefix: Specifies the prefix of the secret to read to get 
Variables
+    :type variables_prefix: str
+    :param sep: separator used to concatenate secret_prefix and secret_id. 
Default: "-"
+    :type sep: str
+    """
+
+    def __init__(self, vault_url: str = None, connections_prefix: str = 
'airflow-connections',
+                 variables_prefix: str = 'airflow-variables', sep: str = '-', 
**kwargs):
+        super().__init__(**kwargs)
+        self.connections_prefix = connections_prefix.rstrip(sep)
+        self.variables_prefix = variables_prefix.rstrip(sep)
+        self.vault_url = vault_url
+        self.sep = sep
+        self.kwargs = kwargs
+
+    @cached_property
+    def client(self):
+        """
+        Create a Azure Key Vault client.
+        """
+        credential = DefaultAzureCredential()
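
Review bot: In `__init__`, `vault_url` defaults to `None` while annotated as `str` (not `Optional[str]`, although `Optional` is imported) and is stored without any check, so a `backend_kwargs` that omits it is accepted silently and the problem would surface only where the URL is first used. Consider making `vault_url` a required argument or raising a clear error in `__init__`. In the same method, `connections_prefix.rstrip(sep)` and `variables_prefix.rstrip(sep)` strip any trailing characters that occur in `sep`, not `sep` as a suffix, which changes the prefix for a multi-character separator. On documentation: the class docstring shows only `vault_url` in `backend_kwargs` and does not say where `DefaultAzureCredential()` in `client` takes its credentials from; a sentence on the expected authentication setup would help operators. "configred" in the docstring should read "configured".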

Review comment:
       I was working on a PR for this too, but I was not ready yet. However, in 
my case I used `ClientSecretCredential` from `azure.identity` instead and set 
up the `backend_kwargs` to include `client_id`, `client_secret`, and 
`tenant_id`. Would that be better?




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

