potiuk edited a comment on issue #19251:
URL: https://github.com/apache/airflow/issues/19251#issuecomment-958968508
> If a variable is a secret/sensitive, why not store it in a connection? We
> could add a new "generic" type of connection and then you can access it as
> `{{ conn.some_name.pass }}` etc. Using that approach then it would be a) clear if
> something is sensitive or not (Variable: not sensitive, Connection: sensitive)
> and then it's easy for an install to be configured to not pull variables from
> the secrets store.

Just a comment from my side (as I was involved with a discussion including
our users - very much related). One problem with that is that some users do not
want to (or can't - because of their policies/tools limitation/shared secret
approach) store their secrets in the "connection URL form", and that would
force them to make an airflow-specific format for secrets where they are using the
same secret across different services, not only airflow.

We have a very good example here recently (this comes from a big, enterprise
user) https://github.com/apache/airflow/pull/19164 where a corporate user
already has their secret service account encrypted in their secret backend and
rotated frequently automatically (and used by other services). This is a perfect
case for "secret variables" but would not work if we use connections.