dstandish edited a comment on pull request #19857: URL: https://github.com/apache/airflow/pull/19857#issuecomment-980718633
@potiuk You don't necessary need to write a custom secrets backend in order to have secrets rotation. E.g. if you want to use aws secrets manager's built-in secrets rotation capabilities, the existing backend [now supports it](https://github.com/apache/airflow/pull/18764). and presumably with most of the backends we have, you could implement rotation with processes external to airflow. that example: > And the tools that the organisation has treats those two separately is that really all that common? i think i'm a bit skeptical that we should get more involved in secrets / connections management / rotation. i think it might be best to leave it to the external tools. and pulling _part_ of a connection from secrets backend and _another_ part of it from _another_ secrets backend... that could get confusing pretty quickly, particularly when considering the diversity in the structure of connections in airflow. e.g. it's not just `password` that might be "secret" and in need of rotation.. --- separately, what do you think of the general idea of this PR though? should i proceed with it you think? i think i would also like to add abilitity to load from cli using json instead of URI (i.e. putting json on same level as URI) and, ultimately i think it's best to deprecate airflow URI but that could be more controversial. already we have some secrets backends supporting json values, and we could continue to add support on a piecemeal basis, but i figure we should just make it first class citizen and standardize -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
