Re: [PR] DOC multiple vault mount points [airflow]

Wed, 20 Dec 2023 01:24:54 -0800 


Taragolis commented on code in PR #36313:
URL: https://github.com/apache/airflow/pull/36313#discussion_r1432462853


##########
docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst:
##########
@@ -214,3 +214,31 @@ Add "verify": "absolute path to ca-certificate file"
     [secrets]
     backend = airflow.providers.hashicorp.secrets.vault.VaultBackend
     backend_kwargs = {"connections_path": "airflow-connections", 
"variables_path": null, "mount_point": "airflow", "url": 
"http://127.0.0.1:8200";, "verify": "/etc/ssl/certs/ca-certificates"}
+
+Using multiple mount points
+"""""""""""""""""""""""""""
+
+You can use multiple mount points to store your secrets. For example, you 
might want to store the Airflow instance configurations
+in one Vault KV engine only accessible by your Airflow deployment tools, while 
storing the variables and connections in another KV engine
+available to your DAGs, in order to grant them more specific Vault ACLs.
+
+In order to do this, you will need to setup you configuration this way:
+
+* leave ``mount_point`` as JSON ``null``
+* if you use ``variables_path`` and/or ``connections_path``, set them as 
``"mount_point/path/to/the/secrets"``
+  (the string will be split using the separator ``/``, the first element will 
be the mount point, the remaining
+  elements will be the path to the secrets)
+* leave ``config_path`` as the empty string ``""``
+* if you use ``config_path``, each configuration item will need to be prefixed 
with the ``mount_point`` used for configs,
+  as ``"mount_point/path/to/the/config"`` (here again, the string will be 
split using the separator ``/``, 

Review Comment:
   ```suggestion
     as ``"mount_point/path/to/the/config"`` (here again, the string will be 
split using the separator ``/``,
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to