mik-laj commented on issue #16684: URL: https://github.com/apache/airflow/issues/16684#issuecomment-870981955
> From what I know, Vault actually supports secret templates that provide a very flexible way of injecting the secrets: https://www.vaultproject.io/docs/platform/k8s/injector#secret-templates - and the question here is who should adapt and provide the "glue".

We still need some glue, because the Vault Secret Template still only allows the secret to be saved to a file. You cannot set such a secret to an environment variable.

```
export AIRFLOW__CORE__SQL_ALCHEMY_CONN_CMD="cat /vault/secrets/<secret name>"
```

> For example I can imagine one can write a script to communicate with a secret manager where the "user/password" to the secret manager is embedded (and maybe obfuscated) in the script itself.

There are many ways for the user to badly manage their passwords, whether they are read from a script or otherwise. Rather, we will not be able to protect against it, but we should show how to do it well, e.g. support passwords managed by the Vault Injector in our Helm Chart.

> maybe adding configuration to FileSystemBackend

This can make the configuration even more difficult, because it means that we will have another Airflow configuration file in addition to `airflow.cfg`. Also, I'm not sure if this will actually simplify our configuration when we have to figure out how to write a template that generates the configuration into a single file that will be read by the secret backend, and set up the secret backend, instead of just setting one environment variable that contains one bash command - `cat /vault/secrets/<secret name>`.

> BTW. I was not aware FileSystemBackend does not support configuration (other secret backends support it and it causes some pain in configuration class).

Configuration support was added later and not every backend has to support this. We only added it when it made sense, and here it was minimal when we already had the airflow.cfg file with the configuration.
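The "glue" discussed in the comment, as an added example that is not part of the original comment or of the Airflow project: a pod spec where the Vault Agent Injector renders the connection string into a file under `/vault/secrets/` and Airflow picks it up through the `_CMD` variable instead of a plain environment variable. The Vault role `airflow`, the secret path `database/creds/airflow` and the database host `postgres` are assumed names.

```yaml
# Added example (not from the original issue): Vault Agent Injector + Airflow _CMD glue.
apiVersion: v1
kind: Pod
metadata:
  name: airflow-webserver
  annotations:
    # Ask the injector to add the Vault Agent sidecar to this pod.
    vault.hashicorp.com/agent-inject: "true"
    # Kubernetes auth role in Vault (assumed name) that is allowed to read the secret.
    vault.hashicorp.com/role: "airflow"
    # Render the secret at /vault/secrets/sql-alchemy-conn; the path is an assumed name.
    vault.hashicorp.com/agent-inject-secret-sql-alchemy-conn: "database/creds/airflow"
    # Template: build the full SQLAlchemy URL so nothing has to be spliced together in Airflow.
    # The "-" trim markers keep the rendered file free of a trailing newline.
    vault.hashicorp.com/agent-inject-template-sql-alchemy-conn: |
      {{- with secret "database/creds/airflow" -}}
      postgresql+psycopg2://{{ .Data.username }}:{{ .Data.password }}@postgres:5432/airflow
      {{- end -}}
    # Owner-read-only file so other processes in the container cannot read it.
    vault.hashicorp.com/agent-inject-perms-sql-alchemy-conn: "0400"
spec:
  serviceAccountName: airflow
  containers:
    - name: webserver
      image: apache/airflow:2.1.0
      args: ["webserver"]
      env:
        # Airflow runs the command and uses its stdout as core.sql_alchemy_conn.
        # The secret itself never appears in the pod's environment or in airflow.cfg.
        - name: AIRFLOW__CORE__SQL_ALCHEMY_CONN_CMD
          value: "cat /vault/secrets/sql-alchemy-conn"
```

The rendered file is owned by the agent sidecar's user, so the Airflow container must run with a matching uid or fsGroup for `cat` to succeed; that is the remaining piece of glue a chart would have to settle.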
