eshaingle opened a new issue #12331:
URL: https://github.com/apache/airflow/issues/12331


   I am integrating Airflow with Vault using the VaultBackend provided under 
`airflow.contrib.secrets.hashicorp_vault.VaultBackend` or 
`airflow.providers.hashicorp.secrets.vault.VaultBackend`. I installed the 
apache-airflow-backport-providers-hashicorp backport package as it has support 
for various auth types. 
   
   Vault & Airflow are installed inside minikube using helm charts.
   Vault version: 1.2.2
   Airflow version: 1.10.12-Python-3.6
   Minikube version: v1.14.2
   
   
   Then, through a DAG file, using KubernetesPodOperator, I simply run a pod to 
execute the curl below:
   
   ```python
   # Airflow 1.10.x import path
   from airflow.contrib.operators.kubernetes_pod_operator import KubernetesPodOperator

   passing = KubernetesPodOperator(
       namespace='default',
       service_account_name="vault-auth",
       image="alpine:3.7",
       cmds=["sh", "-cx"],
       # Raw triple-quoted string so the shell quoting reaches sh unchanged
       arguments=[r"""apk add curl && curl --request POST \
           --data '{"'"jwt"'": "'"$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"'", "'"role"'": "'"example"'"}' \
           http://${VAULT_ADDR}/v1/auth/kubernetes/login"""],
       labels={"test-airflow": "firstversion"},
       name="passing-test",
       task_id="passing-task",
       get_logs=True,
       dag=dag,  # DAG object defined elsewhere in the DAG file
   )
   ```
   
   I received the vault token as client_token.
   
   I tried to connect to Vault through 2 methods. First, using the default token as 
auth type and passing the token received above:
   
   ```python
   import os

   os.environ['AIRFLOW__SECRETS__BACKEND'] = "airflow.providers.hashicorp.secrets.vault.VaultBackend"
   os.environ['AIRFLOW__SECRETS__BACKEND_KWARGS'] = (
       '{"connections_path": "myapp", "mount_point": "secret", '
       '"auth_type": "token", "token": "$TOKEN", "url": "http://vault:8200"}'
   )
   ```
   
   And second using kubernetes as auth type.
   
   ```python
   os.environ['AIRFLOW__SECRETS__BACKEND_KWARGS'] = (
       '{"connections_path": "myapp", "auth_mount_point": "kubernetes", '
       '"mount_point": "secret", "auth_type": "kubernetes", '
       '"kubernetes_role": "example", '
       '"kubernetes_jwt_path":"/var/run/secrets/kubernetes.io/serviceaccount/token", '
       '"url": "http://vault:8200"}'
   )
   ```
   
   But for both it gives the same error.
   
   ```
   Error: File "/home/airflow/.local/lib/python3.6/site-packages/hvac/utils.py", line 47, in raise_for_error
       raise exceptions.InternalServerError(message, errors=errors, method=method, url=url)
   hvac.exceptions.InternalServerError: service account name not authorized, on post http://vault:8200/v1/auth/kubernetes/login
   ```
   
   Please suggest a way to work out kubernetes auth login to access vault token 
in airflow.
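
An added diagnostic, not part of the original issue and not Airflow or hvac code: Vault's Kubernetes auth method answers `service account name not authorized` when the service account named in the login JWT is not bound to the role, so this decodes a token's `sub` claim and compares it with a role binding. The binding (`vault-auth` in `default`) and the `airflow-worker` name are assumptions, since the issue does not show the role; the tokens are constructed and unsigned.

```python
import base64
import json


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def service_account_identity(jwt):
    """Return (namespace, name) from the token's 'sub' claim.

    No signature check: this is a local diagnostic only. Vault validates
    the token itself through the Kubernetes TokenReview API.
    """
    parts = jwt.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    claims = json.loads(b64url_decode(parts[1]))
    prefix, _, rest = claims.get("sub", "").partition("system:serviceaccount:")
    namespace, _, name = rest.partition(":")
    if prefix or not namespace or not name:
        raise ValueError("'sub' is not system:serviceaccount:<namespace>:<name>")
    return namespace, name


def role_allows(identity, bound_names, bound_namespaces):
    """Approximate the role binding check: both lists must match, '*' matches any."""
    namespace, name = identity
    return (("*" in bound_names or name in bound_names)
            and ("*" in bound_namespaces or namespace in bound_namespaces))


def make_sample_token(namespace, name):
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    sub = "system:serviceaccount:%s:%s" % (namespace, name)
    return ".".join([enc({"alg": "RS256"}), enc({"sub": sub}), "sig"])


if __name__ == "__main__":
    # Assumed binding for role "example"; the issue does not show the role.
    bound_names, bound_namespaces = ["vault-auth"], ["default"]
    for sa in ("vault-auth", "airflow-worker"):  # second name is hypothetical
        ident = service_account_identity(make_sample_token("default", sa))
        ok = role_allows(ident, bound_names, bound_namespaces)
        print(ident, "authorized" if ok else "service account name not authorized")
```

To check a real pod, pass the contents of the file given as `kubernetes_jwt_path` to `service_account_identity` from inside the pod that loads the secrets backend.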
   

