sjhewitt commented on a change in pull request #6376: [AIRFLOW-5705] Add
secrets backend and support for AWS SSM
URL: https://github.com/apache/airflow/pull/6376#discussion_r389820242
##########
File path: airflow/config_templates/default_airflow.cfg
##########
@@ -248,6 +248,16 @@ dag_processor_manager_log_location =
{AIRFLOW_HOME}/logs/dag_processor_manager/d
# Default to use task handler.
task_log_reader = task
+[creds_backend]
+# List of creds backend classes to use in order of desired search path
+class_list =
airflow.creds.environment_variables.EnvironmentVariablesCredsBackend,
airflow.creds.metastore.MetastoreCredsBackend
+
+# Use when using AWS SSM /
airflow.providers.amazon.aws.creds.ssm.AwsSsmCredsBackend as creds provider
+# If prefix is ``/airflow``, then example param path is
``/airflow/AIRFLOW_CONN_SMTP_DEFAULT``
+# Use same URI format as you would with env vars, or ``conn_uri`` CLI param.
+aws_ssm_prefix = /airflow
+aws_ssm_profile_name =
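Review bot: `aws_ssm_profile_name =` at the end of the hunk has no comment, so a reader cannot tell what an empty value selects; it should be documented the way `aws_ssm_prefix` is. The `class_list` comment says "in order of desired search path" but does not state whether the first backend that returns a value wins, or what happens when a backend in the list raises. That matters here because the default order puts environment variables ahead of the metastore. The AWS-specific keys also sit in the generic `[creds_backend]` section; a provider-specific section or per-backend arguments would keep the core template from growing with every new backend.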
Review comment:
IMO, having a configurable search path is useful. We're in the middle of
migrating secrets from various config files to Vault, and having the ability to
query multiple backends will ease the transition. Add to that migrating our
current Airflow secrets (where some are in the env and some are in the Airflow
meta-db) to a Vault secrets backend: having a search path where we can just put
Vault at the front will make the change way easier.

That said, it would be possible to implement a custom secrets backend that
just searches a list of other secrets backends specific to our requirements.
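The search-path idea discussed in the comment above, as an added sketch that is not code from the pull request or from Airflow: backends are queried in order and the first hit wins, so putting Vault first lets migrated secrets shadow older copies. The class names, the `get_conn_uri` method and the `fail_closed` switch are assumptions made for illustration, and the sample URIs are constructed.

```python
import os


class BackendUnavailable(Exception):
    """Raised by a backend that could not be queried (outage, auth failure)."""


class EnvBackend:
    """Looks up AIRFLOW_CONN_<ID> in a mapping (os.environ by default)."""
    def __init__(self, env=None):
        self.env = os.environ if env is None else env

    def get_conn_uri(self, conn_id):  # hypothetical method name
        return self.env.get("AIRFLOW_CONN_" + conn_id.upper())


class DictBackend:
    """Stand-in for a remote store such as Vault or the metadata DB."""
    def __init__(self, name, data, available=True):
        self.name, self.data, self.available = name, data, available

    def get_conn_uri(self, conn_id):
        if not self.available:
            raise BackendUnavailable(self.name)
        return self.data.get(conn_id)


class SearchPathBackend:
    """Queries backends in order; the first non-None answer wins."""
    def __init__(self, backends, fail_closed=True):
        self.backends = list(backends)
        self.fail_closed = fail_closed  # hypothetical switch

    def get_conn_uri(self, conn_id):
        for backend in self.backends:
            try:
                uri = backend.get_conn_uri(conn_id)
            except BackendUnavailable:
                if self.fail_closed:
                    raise  # do not fall back to a possibly stale copy
                continue
            if uri is not None:
                return uri
        return None


# Constructed sample data: one secret already migrated to Vault, one not yet.
VAULT = DictBackend("vault", {"smtp_default": "smtp://new:rotated@mail:587"})
ENV = EnvBackend({"AIRFLOW_CONN_SMTP_DEFAULT": "smtp://old:stale@mail:25"})
METASTORE = DictBackend("metastore", {"pg_reports": "postgres://u:p@db/reports"})
CHAIN = SearchPathBackend([VAULT, ENV, METASTORE])
```

With `fail_closed=True`, an outage of the first backend surfaces as an error instead of silently serving the older copy from a later backend, which is the behaviour to decide on before relying on a search path during a migration.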