This is an automated email from the ASF dual-hosted git repository. ephraimanierobi pushed a commit to branch v2-8-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 8d42a47e986c80d3f8a7fb2d8912984e29105e02 Author: Elad Kalif <[email protected]> AuthorDate: Fri Mar 1 15:31:56 2024 +0200 docs: Write to secrets store is not supported by design (#37814) * docs: Write to secrets store is not supported by design * fix build docs * small clarification (cherry picked from commit f484cbe1d75286ba6e0a495f87d85984b5264cf1) --- .../core-extensions/secrets-backends.rst | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/apache-airflow-providers/core-extensions/secrets-backends.rst b/docs/apache-airflow-providers/core-extensions/secrets-backends.rst index 26ee3ce882..9aa2e7d367 100644 --- a/docs/apache-airflow-providers/core-extensions/secrets-backends.rst +++ b/docs/apache-airflow-providers/core-extensions/secrets-backends.rst 
@@ -26,6 +26,24 @@ than from its own Database. While storing such information in Airflow's database enterprise customers already have some secret managers storing secrets, and Airflow can tap into those via providers that implement secrets backends for services Airflow integrates with. +.. note:: + + Secret Backend integration do not allow writes to the secret backend. + This is a design choice as normally secret stores require elevated permissions to write as it is a protected resource. + That means ``Variable.set(...)`` will write to the Airflow metastore even if you use secret backend. + If you need to update a value of a secret stored in the secret backend you must do it explicitly. That can be done + by using operator that writes to the secret backend of your choice. + +.. warning:: + + If you have key ``foo`` in secret backend and you will do ``Variable.set(key='foo',...)`` it will create + Airflow Variable with key ``foo`` in the Airflow metastore. It means you will have 2 secrets with key ``foo``. + While this is possible, Airflow detects that this situation is likely wrong and output to the task log a warning that + explains while the write request is honored it will be ignored with the next read. The reason for this is when + executing ``Variable.get('foo')``, it will read the value from the secret backend. The value stored in Airflow + metastore will be ignored due to priority given to the secret backend. + + You can also take a look at Secret backends available in the core Airflow in :doc:`apache-airflow:security/secrets/secrets-backend/index` and here you can see the ones
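Review bot: In the added ``.. note::`` block, the opening sentence "Secret Backend integration do not allow writes to the secret backend" has a subject-verb mismatch, and it says "Secret Backend" / "secret backend" where the unchanged context lines and the file name use "secrets backends". Suggest "Secrets backend integrations do not allow writes to the secrets backend." and the same term throughout both blocks; "by using operator" also needs an article ("an operator"). In the ``.. warning::`` block, the sentence "Airflow detects that this situation is likely wrong and output to the task log a warning that explains while the write request is honored it will be ignored with the next read" is hard to parse. A wording such as "Airflow detects this and logs a warning in the task log explaining that the write is honored but the value will be ignored on the next read" keeps the meaning, and the following sentence about ``Variable.get('foo')`` reading from the secrets backend can then stand as the reason. Minor: the hunk ends with two added blank lines before "You can also take a look at"; one is enough.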
