potiuk edited a comment on issue #19251:
URL: https://github.com/apache/airflow/issues/19251#issuecomment-958968508


   > If a variable is a secret/sensitive, why not store it in a connection? We could add a new "generic" type of connection and then you can access it as `{{ conn.some_name.pass }}` etc. Using that approach then it would be a) clear if something is sensitive or not (Variable: not sensitive, Connection: sensitive) and then it's easy for an install to be configured to not pull variables from the secrets store.
   
   Just a comment from my side (as I was involved with a discussion including our users - very much related). One problem with that is that some users do not want to (or can't - because their ) store their secrets in the "connection URL form", and that would force them to make an Airflow-specific format for secrets where they are using the same secret across different services, not only Airflow.
   
   We have a very good example here recently (this comes from a big enterprise user) https://github.com/apache/airflow/pull/19164 where a corporate user already has their secret service accounts encrypted in their secret backend and rotated frequently automatically (and used by other services). This is a perfect case for "secret variables" but would not work if we use connections.
   
   

