kaxil commented on a change in pull request #6376: [AIRFLOW-5705] Add creds
backend and support for AWS SSM
URL: https://github.com/apache/airflow/pull/6376#discussion_r389403857
##########
File path: airflow/config_templates/default_airflow.cfg
##########
@@ -248,6 +248,16 @@ dag_processor_manager_log_location =
{AIRFLOW_HOME}/logs/dag_processor_manager/d
# Default to use task handler.
task_log_reader = task
+[creds_backend]
+# List of creds backend classes to use in order of desired search path
+class_list =
airflow.creds.environment_variables.EnvironmentVariablesCredsBackend,
airflow.creds.metastore.MetastoreCredsBackend
+
+# Use when using AWS SSM /
airflow.providers.amazon.aws.creds.ssm.AwsSsmCredsBackend as creds provider
+# If prefix is ``/airflow``, then example param path is
``/airflow/AIRFLOW_CONN_SMTP_DEFAULT``
+# Use same URI format as you would with env vars, or ``conn_uri`` CLI param.
+aws_ssm_prefix = /airflow
+aws_ssm_profile_name =
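Review bot: `aws_ssm_profile_name` at the end of the new `[creds_backend]` section is added with an empty value and no comment of its own; say what an empty value means and when it should be set, the way `aws_ssm_prefix` is documented just above it. The `class_list` comment says the classes are used "in order of desired search path" but not whether the search stops at the first backend that returns a value, so a reader cannot tell whether an environment variable shadows a metastore entry with the same id; state that explicitly. The two `aws_ssm_*` keys also ship in the defaults while `AwsSsmCredsBackend` is not in the default `class_list`, so a line saying they are ignored unless that class is listed would avoid confusion.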
Review comment:
What I think, and this is just my opinion, is that we should simplify it as
follows:
1) We don't have a search path and instead have a fixed precedence, and we
support only 1 External Cred Backend
2) The flow would be: if the class_path for External Cred Backend is not
None, a) use that, fall back to b) Environment Variable if the connection is
not available in External Cred Backend, and then c) Connection in Metadata DB
Although this limits the feature, as you won't be able to use multiple
CredBackends, would we ever want to use multiple external backends (I don't
know)? I can definitely imagine the need to use more than 1 `ssm_prefix`, but
I'm not sure of the former.
Would love to hear your opinion.
~Regarding the same topic, how would we support multiple ssm_prefix? i.e.
let's say we have some secrets in `/my_airflow_creds_data_scientists` and
`/my_airflow_creds_devops`?~ Hmm.. maybe we don't need to support multiple
ssm_prefix too 🤔, Sysadmin/Devops can create a dedicated prefix for Airflow
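
The fixed precedence proposed in the comment above, written out as an added example (not code from the pull request or from Airflow). `resolve_conn_uri`, `ssm_param_path`, the `external_get` callable and the sample data are hypothetical, and letting a backend error propagate instead of falling through is an assumption of this example.

```python
from typing import Callable, Mapping, Optional, Tuple

CONN_ENV_PREFIX = "AIRFLOW_CONN_"  # naming as in the config comment in the diff


def ssm_param_path(prefix: str, conn_id: str) -> str:
    """Build the parameter path, e.g. /airflow/AIRFLOW_CONN_SMTP_DEFAULT."""
    return f"{prefix.rstrip('/')}/{CONN_ENV_PREFIX}{conn_id.upper()}"


def resolve_conn_uri(
    conn_id: str,
    external_get: Optional[Callable[[str], Optional[str]]],  # hypothetical backend lookup
    environ: Mapping[str, str],
    metastore: Mapping[str, str],
    prefix: str = "/airflow",
) -> Tuple[str, str]:
    """Return (source, uri) in the fixed order: external, env var, metadata DB."""
    if external_get is not None:  # a) consulted only when a backend is configured
        # Assumption: an exception raised here propagates; only a missing
        # value falls through to the next source.
        uri = external_get(ssm_param_path(prefix, conn_id))
        if uri:
            return "external", uri
    uri = environ.get(CONN_ENV_PREFIX + conn_id.upper())  # b) environment variable
    if uri:
        return "environment", uri
    uri = metastore.get(conn_id)  # c) connection stored in the metadata DB
    if uri:
        return "metastore", uri
    raise KeyError(f"connection {conn_id!r} not found in any source")


# Constructed sample data standing in for SSM, os.environ and the metadata DB.
SSM_PARAMS = {"/airflow/AIRFLOW_CONN_SMTP_DEFAULT": "smtp://ssm-user:ssm-pw@mail.example.com:587"}
ENVIRON = {
    "AIRFLOW_CONN_SMTP_DEFAULT": "smtp://env-user:env-pw@mail.example.com:587",
    "AIRFLOW_CONN_HTTP_DEFAULT": "http://env.example.com",
}
METASTORE = {
    "smtp_default": "smtp://db-user:db-pw@mail.example.com:587",
    "http_default": "http://db.example.com",
    "postgres_default": "postgresql://db.example.com/airflow",
}

if __name__ == "__main__":
    for cid in ("smtp_default", "http_default", "postgres_default"):
        source, _uri = resolve_conn_uri(cid, SSM_PARAMS.get, ENVIRON, METASTORE)
        print(f"{cid}: resolved from {source}")  # log the source, not the URI (it holds the password)
```

With a single external backend, the same connection id defined in all three places always resolves from the external store, which makes the shadowing order auditable from the returned source label.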