[
https://issues.apache.org/jira/browse/AIRFLOW-3669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16768502#comment-16768502
]
Micah Huff commented on AIRFLOW-3669:
-------------------------------------
[~wseaton] - have you defined / built this out yet at all? If not, I think we
should build out some more specs here to get an effort moving on this front.
I'd propose the following basic signature:
{code:python}
from airflow.hooks.base_hook import BaseHook


class HashiCorpVaultHook(BaseHook):
    def __init__(self, vault_conn_id=""):
        self.vault_conn_id = vault_conn_id

    def get_conn(self):
        '''
        Connection.host would = vault address (https://vault.mycompany.com:8200/)
        Connection.extras(json).vault_namespace =
            "secret/environments/development/some_app_name"
        Connection.extras(json).iam_auth_method = "aws|gcp|azure|[token]"
        Connection.extras(json).iam_server_id = "vault.mycompany.com"
        Connection.extras(json).vault_role_name = "my-vault-role"
        '''
{code}
Documentation for the various auth methods I'm proposing is here:
* aws - [https://www.vaultproject.io/docs/auth/aws.html]
* gcp - [https://www.vaultproject.io/docs/auth/gcp.html]
* azure - [https://www.vaultproject.io/docs/auth/azure.html]
* token (sub-ideal) - [https://www.vaultproject.io/docs/auth/token.html]
That connection would leverage the server identity for either of the clouds by
looking at the instance profile, signing requests to vault, etc.
I would argue that it is probably sub-ideal to provide the Token auth method
for Airflow as storing a hashicorp vault key inside of airflow server config
only to have it be compromised is the opposite purpose of using Vault in the
first place. However, it could be offered as a means (where vault key is the
'password' in the connection) if we'd like to have that as a basic offering for
people that may not have the more advanced IAM configuration created yet.
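As an added example (not code from this comment or from Airflow), here is a runnable sketch of how a hook could resolve the connection layout proposed above: cloud IAM methods require a role name, the token method takes the token from the connection password only, and the token is kept out of repr output. The Connection stand-in, the injected lookup and the names settings_from_connection and VaultSettings are assumptions for this example.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Methods from the proposed signature; "token" is the fallback where the
# Vault token is the connection password rather than a value in extras.
CLOUD_IAM_METHODS = ("aws", "gcp", "azure")

@dataclass
class Connection:
    """Minimal stand-in for airflow.models.Connection (constructed here)."""
    host: str
    extra: str = "{}"
    password: Optional[str] = None

@dataclass
class VaultSettings:
    address: str
    namespace: str
    auth_method: str
    role_name: Optional[str] = None
    server_id: Optional[str] = None
    # repr=False keeps the token out of logs, tracebacks and task output
    token: Optional[str] = field(default=None, repr=False)

def settings_from_connection(conn: Connection) -> VaultSettings:
    """Validate the proposed extras layout and build the settings object."""
    extras = json.loads(conn.extra or "{}")
    method = extras.get("iam_auth_method", "token")
    if method not in CLOUD_IAM_METHODS + ("token",):
        raise ValueError(f"unsupported vault auth method: {method!r}")
    if "vault_namespace" not in extras:
        raise ValueError("vault_namespace is required in connection extras")
    role = extras.get("vault_role_name")
    if method in CLOUD_IAM_METHODS and not role:
        raise ValueError(f"{method} auth requires vault_role_name in extras")
    if method == "token" and not conn.password:
        raise ValueError("token auth requires the token as connection password")
    return VaultSettings(address=conn.host.rstrip("/"), namespace=extras["vault_namespace"],
                         auth_method=method, role_name=role, server_id=extras.get("iam_server_id"),
                         token=conn.password if method == "token" else None)

class HashiCorpVaultHook:
    """Proposed hook shape; BaseHook.get_connection is replaced by an injected
    lookup (get_connection) so the example runs without Airflow installed."""
    def __init__(self, vault_conn_id="vault_default", get_connection=None):
        self.vault_conn_id = vault_conn_id
        self._get_connection = get_connection
    def get_conn(self) -> VaultSettings:
        return settings_from_connection(self._get_connection(self.vault_conn_id))
```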
> Add HashiCorp Vault hook
> ------------------------
>
> Key: AIRFLOW-3669
> URL: https://issues.apache.org/jira/browse/AIRFLOW-3669
> Project: Apache Airflow
> Issue Type: Improvement
> Components: hooks
> Reporter: Will Eaton
> Assignee: Will Eaton
> Priority: Major
> Labels: vault
>
> I'd like to propose a new {{contrib}} hook for interacting with HashiCorp's
> Vault.
> *Motivation:* Useful for teams who need access to secrets during the run-time
> of an operator that can't easily be stored as a default connection in the UI,
> eg. a Python operator getting a temporary token to access a web service.
> Airflow jobs can also be used to automate credential management, such as
> using database triggers to revoke a particular token.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)