[GitHub] [airflow] elwinarens commented on a change in pull request #9639: Add secrets backend for microsoft azure key vault
elwinarens commented on a change in pull request #9639:
URL: https://github.com/apache/airflow/pull/9639#discussion_r454221466
##
File path: airflow/providers/microsoft/azure/secrets/azure_key_vault.py
##
@@ -0,0 +1,131 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from typing import Optional
+
+from azure.core.exceptions import ResourceNotFoundError
+from azure.identity import DefaultAzureCredential
+from azure.keyvault.secrets import SecretClient
+from cached_property import cached_property
+
+from airflow.secrets import BaseSecretsBackend
+from airflow.utils.log.logging_mixin import LoggingMixin
+
+
+class AzureKeyVaultBackend(BaseSecretsBackend, LoggingMixin):
+"""
+Retrieves Airflow Connections or Variables from Azure Key Vault secrets.
+
+The Azure Key Vault can be configred as a secrets backend in the
``airflow.cfg``:
+
+.. code-block:: ini
+
+[secrets]
+backend =
airflow.providers.microsoft.azure.secrets.azure_key_vault.AzureKeyVaultBackend
+backend_kwargs = {"connections_prefix": "airflow-connections",
"vault_url": ""}
+
+For example, if the secrets prefix is
``airflow-connections-smtp-default``, this would be accessible
+if you provide ``{"connections_prefix": "airflow-connections"}`` and
request conn_id ``smtp-default``.
+And if variables prefix is ``airflow-variables-hello``, this would be
accessible
+if you provide ``{"variables_prefix": "airflow-variables"}`` and request
variable key ``hello``.
+
+:param vault_url: The URL of an Azure Key Vault to use
+:type vault_url: str
+:param connections_prefix: Specifies the prefix of the secret to read to
get Connections
+:type connections_prefix: str
+:param variables_prefix: Specifies the prefix of the secret to read to get
Variables
+:type variables_prefix: str
+:param sep: separator used to concatenate secret_prefix and secret_id.
Default: "-"
+:type sep: str
+"""
+
+def __init__(
+self,
+connections_prefix: str = 'airflow-connections',
+variables_prefix: str = 'airflow-variables',
+vault_url: str = '',
+sep: str = '-',
+**kwargs
+):
+super().__init__()
+self.vault_url = vault_url
+self.connections_prefix = connections_prefix.rstrip(sep)
+self.variables_prefix = variables_prefix.rstrip(sep)
+self.sep = sep
+self.kwargs = kwargs
+
+@cached_property
+def client(self):
+"""
+Create a Azure Key Vault client.
+"""
+credential = DefaultAzureCredential()
+client = SecretClient(
+vault_url=self.vault_url,
+credential=credential,
+**self.kwargs
+)
+return client
+
+def get_conn_uri(self, conn_id: str) -> Optional[str]:
+"""
+Get an Airflow Connection URI from an Azure Key Vault secret
+
+:param conn_id: The Airflow connection id to retrieve
+:type conn_id: str
+"""
+name = self.build_path(self.connections_prefix, conn_id, self.sep)
+return self.get_secret_value(name)
+
+def get_variable(self, key: str) -> Optional[str]:
+"""
+Get an Airflow Variable from an Azure Key Vault secret.
+
+:param key: Variable Key
+:type key: str
+:return: Variable Value
+"""
+name = self.build_path(self.variables_prefix, key, self.sep)
+return self.get_secret_value(name)
+
+@staticmethod
+def build_path(path_prefix: str, secret_id: str, sep: str = '-') -> str:
+"""
+Given a path_prefix and secret_id, build a valid secret name for the
Azure Key Vault Backend.
+Also replaces underscore in the path with dashes to support easy
switching between
+environmentvariables, so ``connection_default`` becomes
``connection-default``.
+
+:param path_prefix: The path prefix of the secret to retrieve
+:type path_prefix: str
+:param secret_id: Name of the secret
+:type secret_id: str
+:param sep: Separator used to concatenate path_prefix and secret_id
+:type sep: str
+"""
+
[GitHub] [airflow] elwinarens commented on a change in pull request #9639: Add secrets backend for microsoft azure key vault
elwinarens commented on a change in pull request #9639:
URL: https://github.com/apache/airflow/pull/9639#discussion_r452634688
##
File path: airflow/providers/microsoft/azure/secrets/azure_key_vault.py
##
@@ -0,0 +1,131 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+from typing import Optional
+
+from azure.core.exceptions import ResourceNotFoundError
+from azure.identity import DefaultAzureCredential
+from azure.keyvault.secrets import SecretClient
+from cached_property import cached_property
+
+from airflow.secrets import BaseSecretsBackend
+from airflow.utils.log.logging_mixin import LoggingMixin
+
+
+class AzureKeyVaultBackend(BaseSecretsBackend, LoggingMixin):
+"""
+Retrieves Airflow Connections or Variables from Azure Key Vault secrets.
+
+The Azure Key Vault can be configred as a secrets backend in the
``airflow.cfg``:
+
+.. code-block:: ini
+
+[secrets]
+backend =
airflow.providers.microsoft.azure.secrets.azure_key_vault.AzureKeyVaultBackend
+backend_kwargs = {"connections_prefix": "airflow-connections",
"vault_url": ""}
+
+For example, if the secrets prefix is
``airflow-connections-smtp-default``, this would be accessible
+if you provide ``{"connections_prefix": "airflow-connections"}`` and
request conn_id ``smtp-default``.
+And if variables prefix is ``airflow-variables-hello``, this would be
accessible
+if you provide ``{"variables_prefix": "airflow-variables"}`` and request
variable key ``hello``.
+
+:param vault_url: The URL of an Azure Key Vault to use
+:type vault_url: str
+:param connections_prefix: Specifies the prefix of the secret to read to
get Connections
+:type connections_prefix: str
+:param variables_prefix: Specifies the prefix of the secret to read to get
Variables
+:type variables_prefix: str
+:param sep: separator used to concatenate secret_prefix and secret_id.
Default: "-"
+:type sep: str
+"""
+
+def __init__(
+self,
+connections_prefix: str = 'airflow-connections',
+variables_prefix: str = 'airflow-variables',
+vault_url: str = '',
+sep: str = '-',
+**kwargs
+):
+super().__init__()
+self.vault_url = vault_url
+self.connections_prefix = connections_prefix.rstrip(sep)
+self.variables_prefix = variables_prefix.rstrip(sep)
+self.sep = sep
+self.kwargs = kwargs
+
+@cached_property
+def client(self):
+"""
+Create a Azure Key Vault client.
+"""
+credential = DefaultAzureCredential()
+client = SecretClient(
+vault_url=self.vault_url,
+credential=credential,
+**self.kwargs
+)
+return client
+
+def get_conn_uri(self, conn_id: str) -> Optional[str]:
+"""
+Get an Airflow Connection URI from an Azure Key Vault secret
+
+:param conn_id: The Airflow connection id to retrieve
+:type conn_id: str
+"""
+name = self.build_path(self.connections_prefix, conn_id, self.sep)
+return self.get_secret_value(name)
+
+def get_variable(self, key: str) -> Optional[str]:
+"""
+Get an Airflow Variable from an Azure Key Vault secret.
+
+:param key: Variable Key
+:type key: str
+:return: Variable Value
+"""
+name = self.build_path(self.variables_prefix, key, self.sep)
+return self.get_secret_value(name)
+
+@staticmethod
+def build_path(path_prefix: str, secret_id: str, sep: str = '-') -> str:
+"""
+Given a path_prefix and secret_id, build a valid secret name for the
Azure Key Vault Backend.
+Also replaces underscore in the path with dashes to support easy
switching between
+environmentvariables, so ``connection_default`` becomes
``connection-default``.
+
+:param path_prefix: The path prefix of the secret to retrieve
+:type path_prefix: str
+:param secret_id: Name of the secret
+:type secret_id: str
+:param sep: Separator used to concatenate path_prefix and secret_id
+:type sep: str
+"""
+
[GitHub] [airflow] elwinarens commented on a change in pull request #9639: Add secrets backend for microsoft azure key vault
elwinarens commented on a change in pull request #9639:
URL: https://github.com/apache/airflow/pull/9639#discussion_r452633694
##
File path: docs/howto/use-alternative-secrets-backend.rst
##
@@ -429,6 +429,39 @@ When ``gcp_key_path`` is not provided, it will use the
Application Default Crede
The value of the Secrets Manager secret id must be the :ref:`connection URI
representation `
of the connection object.
+Azure Key Vault Backend
+^^^
+
+To enable the Azure Key Vault as secrets backend, specify
:py:class:`~airflow.providers.microsoft.azure.secrets.azure_key_vault.AzureKeyVaultBackend`
+as the ``backend`` in ``[secrets]`` section of ``airflow.cfg``.
+
+Here is a sample configuration:
+
+.. code-block:: ini
+
+[secrets]
+backend =
airflow.providers.microsoft.azure.secrets.azure_key_vault.AzureKeyVaultBackend
+backend_kwargs = {"vault_url":
"https://example-akv-resource-name.vault.azure.net/;, "connections_prefix":
"airflow-connections", "variables_prefix": "airflow-variables"}
Review comment:
Nice eye for detail there!
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [airflow] elwinarens commented on a change in pull request #9639: Add secrets backend for microsoft azure key vault
elwinarens commented on a change in pull request #9639:
URL: https://github.com/apache/airflow/pull/9639#discussion_r449562999
##
File path: airflow/providers/microsoft/azure/secrets/azure_key_vault.py
##
@@ -0,0 +1,107 @@
+"""
+This module contains a secrets backend for Azure Key Vault.
+"""
+from typing import Optional
+
+from azure.identity import DefaultAzureCredential
+from azure.keyvault.secrets import SecretClient
+from azure.core.exceptions import ResourceNotFoundError
+from cached_property import cached_property
+
+from airflow.secrets import BaseSecretsBackend
+from airflow.utils.log.logging_mixin import LoggingMixin
+
+
+class AzureKeyVaultBackend(BaseSecretsBackend, LoggingMixin):
+"""
+Retrieves Airflow Connections or Variables from Azure Key Vault secrets.
+
+The Azure Key Vault can be configred as a secrets backend in the
``airflow.cfg``:
+
+.. code-block:: ini
+
+[secrets]
+backend =
airflow.providers.microsoft.azure.secrets.azure_key_vault.AzureKeyVaultBackend
+backend_kwargs = {"vault_url": ""}
+
+For example, if the secrets prefix is
``airflow-connections-smtp-default``, this would be accessible
+if you provide ``{"connections_prefix": "airflow-connections"}`` and
request conn_id ``smtp-default``.
+And if variables prefix is ``airflow-variables-hello``, this would be
accessible
+if you provide ``{"variables_prefix": "airflow-variables"}`` and request
variable key ``hello``.
+
+:param vault_url: The URL of an Azure Key Vault to use
+:type vault_url: str
+:param connections_prefix: Specifies the prefix of the secret to read to
get Connections
+:type connections_prefix: str
+:param variables_prefix: Specifies the prefix of the secret to read to get
Variables
+:type variables_prefix: str
+:param sep: separator used to concatenate secret_prefix and secret_id.
Default: "-"
+:type sep: str
+"""
+
+def __init__(self, vault_url: str = None, connections_prefix: str =
'airflow-connections',
+ variables_prefix: str = 'airflow-variables', sep: str = '-',
**kwargs):
+super().__init__(**kwargs)
+self.connections_prefix = connections_prefix.rstrip(sep)
+self.variables_prefix = variables_prefix.rstrip(sep)
+self.vault_url = vault_url
+self.sep = sep
+self.kwargs = kwargs
+
+@cached_property
+def client(self):
+"""
+Create a Azure Key Vault client.
+"""
+credential = DefaultAzureCredential()
Review comment:
More details
https://github.com/Azure/azure-sdk-for-python/tree/master/sdk/identity/azure-identity#defaultazurecredential
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
[GitHub] [airflow] elwinarens commented on a change in pull request #9639: Add secrets backend for microsoft azure key vault
elwinarens commented on a change in pull request #9639:
URL: https://github.com/apache/airflow/pull/9639#discussion_r449549782
##
File path: airflow/providers/microsoft/azure/secrets/azure_key_vault.py
##
@@ -0,0 +1,107 @@
+"""
+This module contains a secrets backend for Azure Key Vault.
+"""
+from typing import Optional
+
+from azure.identity import DefaultAzureCredential
+from azure.keyvault.secrets import SecretClient
+from azure.core.exceptions import ResourceNotFoundError
+from cached_property import cached_property
+
+from airflow.secrets import BaseSecretsBackend
+from airflow.utils.log.logging_mixin import LoggingMixin
+
+
+class AzureKeyVaultBackend(BaseSecretsBackend, LoggingMixin):
+"""
+Retrieves Airflow Connections or Variables from Azure Key Vault secrets.
+
+The Azure Key Vault can be configred as a secrets backend in the
``airflow.cfg``:
+
+.. code-block:: ini
+
+[secrets]
+backend =
airflow.providers.microsoft.azure.secrets.azure_key_vault.AzureKeyVaultBackend
+backend_kwargs = {"vault_url": ""}
+
+For example, if the secrets prefix is
``airflow-connections-smtp-default``, this would be accessible
+if you provide ``{"connections_prefix": "airflow-connections"}`` and
request conn_id ``smtp-default``.
+And if variables prefix is ``airflow-variables-hello``, this would be
accessible
+if you provide ``{"variables_prefix": "airflow-variables"}`` and request
variable key ``hello``.
+
+:param vault_url: The URL of an Azure Key Vault to use
+:type vault_url: str
+:param connections_prefix: Specifies the prefix of the secret to read to
get Connections
+:type connections_prefix: str
+:param variables_prefix: Specifies the prefix of the secret to read to get
Variables
+:type variables_prefix: str
+:param sep: separator used to concatenate secret_prefix and secret_id.
Default: "-"
+:type sep: str
+"""
+
+def __init__(self, vault_url: str = None, connections_prefix: str =
'airflow-connections',
+ variables_prefix: str = 'airflow-variables', sep: str = '-',
**kwargs):
+super().__init__(**kwargs)
+self.connections_prefix = connections_prefix.rstrip(sep)
+self.variables_prefix = variables_prefix.rstrip(sep)
+self.vault_url = vault_url
+self.sep = sep
+self.kwargs = kwargs
+
+@cached_property
+def client(self):
+"""
+Create a Azure Key Vault client.
+"""
+credential = DefaultAzureCredential()
Review comment:
Would you mind elaborating?
##
File path: airflow/providers/microsoft/azure/secrets/azure_key_vault.py
##
@@ -0,0 +1,107 @@
+"""
+This module contains a secrets backend for Azure Key Vault.
+"""
+from typing import Optional
+
+from azure.identity import DefaultAzureCredential
+from azure.keyvault.secrets import SecretClient
+from azure.core.exceptions import ResourceNotFoundError
+from cached_property import cached_property
+
+from airflow.secrets import BaseSecretsBackend
+from airflow.utils.log.logging_mixin import LoggingMixin
+
+
+class AzureKeyVaultBackend(BaseSecretsBackend, LoggingMixin):
+"""
+Retrieves Airflow Connections or Variables from Azure Key Vault secrets.
+
+The Azure Key Vault can be configred as a secrets backend in the
``airflow.cfg``:
+
+.. code-block:: ini
+
+[secrets]
+backend =
airflow.providers.microsoft.azure.secrets.azure_key_vault.AzureKeyVaultBackend
+backend_kwargs = {"vault_url": ""}
+
+For example, if the secrets prefix is
``airflow-connections-smtp-default``, this would be accessible
+if you provide ``{"connections_prefix": "airflow-connections"}`` and
request conn_id ``smtp-default``.
+And if variables prefix is ``airflow-variables-hello``, this would be
accessible
+if you provide ``{"variables_prefix": "airflow-variables"}`` and request
variable key ``hello``.
+
+:param vault_url: The URL of an Azure Key Vault to use
+:type vault_url: str
+:param connections_prefix: Specifies the prefix of the secret to read to
get Connections
+:type connections_prefix: str
+:param variables_prefix: Specifies the prefix of the secret to read to get
Variables
+:type variables_prefix: str
+:param sep: separator used to concatenate secret_prefix and secret_id.
Default: "-"
+:type sep: str
+"""
+
+def __init__(self, vault_url: str = None, connections_prefix: str =
'airflow-connections',
+ variables_prefix: str = 'airflow-variables', sep: str = '-',
**kwargs):
+super().__init__(**kwargs)
+self.connections_prefix = connections_prefix.rstrip(sep)
+self.variables_prefix = variables_prefix.rstrip(sep)
+self.vault_url = vault_url
+self.sep = sep
+self.kwargs = kwargs
+
+@cached_property
+def client(self):
+"""
+Create a Azure Key Vault client.
+
[GitHub] [airflow] elwinarens commented on a change in pull request #9639: Add secrets backend for microsoft azure key vault
elwinarens commented on a change in pull request #9639: URL: https://github.com/apache/airflow/pull/9639#discussion_r449549570 ## File path: tests/providers/microsoft/azure/secrets/test_azure_key_vault_backend.py ## @@ -0,0 +1,92 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +from unittest import TestCase, mock + +from moto import mock_secretsmanager Review comment: Nice catch, copy pasta from aws. Will fix. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
