Wilson Lian created AIRFLOW-2062:

             Summary: Support just-in-time decryption of Connection credentials 
in GoogleCloudBaseHook
                 Key: AIRFLOW-2062
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2062
             Project: Apache Airflow
          Issue Type: Improvement
          Components: contrib
            Reporter: Wilson Lian

This entails adding a connection extra field to store a path to a GCP Cloud KMS 
cryptoKey to be used for decryption.

To avoid a chicken and egg problem, the cryptoKey must be accessible using 
application default credentials.

In the meantime, a workaround is to create a subclass of SubDagOperator in 
which the "business" task depends on a task that decrypts the key, places it 
into a temp file in shared storage, and sets up a new Airflow Connection 
referencing it; and afterwards another task deletes the temp file and Airflow 

This message was sent by Atlassian JIRA

Reply via email to