[GitHub] [airflow] dstandish commented on a change in pull request #6376: [AIRFLOW-5705] Add creds backend and support for AWS SSM

Sun, 08 Mar 2020 13:38:07 -0700 

dstandish commented on a change in pull request #6376: [AIRFLOW-5705] Add creds 
backend and support for AWS SSM
URL: https://github.com/apache/airflow/pull/6376#discussion_r389403075
 
 

 ##########
 File path: airflow/config_templates/default_airflow.cfg
 ##########
 @@ -248,6 +248,16 @@ dag_processor_manager_log_location = 
{AIRFLOW_HOME}/logs/dag_processor_manager/d
 # Default to use task handler.
 task_log_reader = task
 
+[creds_backend]
+# List of creds backend classes to use in order of desired search path
+class_list = 
airflow.creds.environment_variables.EnvironmentVariablesCredsBackend, 
airflow.creds.metastore.MetastoreCredsBackend
+
+# Use when using AWS SSM / 
airflow.providers.amazon.aws.creds.ssm.AwsSsmCredsBackend as creds provider
+# If prefix is ``/airflow``, then example param path is 
``/airflow/AIRFLOW_CONN_SMTP_DEFAULT``
+# Use same URI format as you would with env vars, or ``conn_uri`` CLI param.
+aws_ssm_prefix = /airflow
+aws_ssm_profile_name =
 
 Review comment:
   ok so (1) the other thought i had was basically this could be a one line 
config `creds_backend_config` under `[core]`.  then it would have a config like 
this (but one-line-ified):
   ```
   {
   "airflow.providers.amazon.aws.creds.ssm.AwsSsmCredsBackend": 
{"profile_name": "default", "ssm_prefix": "/my_airflow_creds"},
   "airflow.creds.environment_variables.EnvironmentVariablesCredsBackend": 
null, 
   "airflow.creds.metastore.MetastoreCredsBackend": null
   }
   ```
   so this would determine the search path _and_ provide all config options.
   
   is that kinda what you are thinking?
   
   or (2) are you just thinking that it is like this:
   ```
   [creds_backend]
   class_list = blah.class1, blah.class2  # this is the search path
   creds_backend_kwargs = {"this": "will", "be": "passed", "to": "all backends"}
   ```
   
   the problem with (2), is you can't specify which kwargs set will go to which 
backend (since we can support multiple simultaneously)
   
   the problem with (1) is it seems a bit unwieldy and more fiddly to work with 
so i thought it better to just use INI params with a prefix to "namespace" each 
backend.
   
   would you be happy with adding `google_kms_kwargs` under `[creds_backend]`?
   
   other ideas?
   
   
   
   
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

Reply via email to