dstandish commented on a change in pull request #19859:
URL: https://github.com/apache/airflow/pull/19859#discussion_r758595096
##########
File path: docs/apache-airflow/security/secrets/secrets-backend/index.rst
##########
@@ -111,3 +111,19 @@ See :ref:`Configuration <secrets_backend_configuration>`
for more details, and :
If you are rolling your own secrets backend, you don't strictly need to
use airflow's URI format. But
doing so makes it easier to switch between environment variables, the
metastore, and your secrets backend.
+
+Adapt to non-Airflow compatible secret formats for connections
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The default implementation of Secret backend requires to use Airflow-specific
format of storing
+secrets for connections. Currently most community provided implementations
require the connections to
+be stored as URIs (with the possibility of adding more friendly formats in the
future)
+:doc:`apache-airflow-providers:core-extensions/secrets-backends`. However in
some cases it might be
+better solution for your organization to keep the credentials
(passwords/tokens etc) in other formats -
+for example when you want the same credentials to be used across multiple
clients or when you want to
+use built-in mechanism of rotating the credentials that do not work well with
the Airflow-specific format.
+Some of the secret backends provided by the community (for example
+:py:class:`~airflow.providers.amazon.aws.secrets.systems_manager.SystemsManagerParameterStoreBackend`
have
+mechanism where you can configure the retrieval in a flexible way, but others
might not provide that much of
+flexibility. In this case you should simply roll your own secret backend as
described in the previous chapter,
+possibly extending existing secret backend and adapt it to the scheme used by
your organization.
Review comment:
```suggestion
The default implementation of Secret backend requires use of an
Airflow-specific format of storing
secrets for connections. Currently most community provided implementations
require the connections to
be stored as URIs (with the possibility of adding more friendly formats in
the future)
:doc:`apache-airflow-providers:core-extensions/secrets-backends`. However
some organizations may prefer
to keep the credentials (passwords/tokens etc) in other formats --
for example when you want the same credentials to be used across multiple
clients, or when you want to
use built-in mechanism of rotating the credentials that do not work well
with the Airflow-specific format.
In this case you will need to roll your own secret backend as described in
the previous chapter,
possibly extending existing secret backend and adapt it to the scheme used
by your organization.
```
Mainly I have suggested removing the `Some of the secret backends provided
by the community...` paragraph because it's a bit unclear and its presence
makes it a little ambiguous which case is referred to in `In this case...`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
