ContextQMD
Back to Airflow

Secret backends

providers-summary-docs/core-extensions/secrets-backends.rst

3.2.12.7 KB
Original Source

.. Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

.. http://www.apache.org/licenses/LICENSE-2.0

.. Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Secret backends

This is a summary of all Apache Airflow Community provided implementations of secret backends exposed via community-managed providers.

Airflow has the capability of reading connections, variables and configuration from Secret Backends rather than from its own Database. While storing such information in Airflow's database is possible, many of the enterprise customers already have some secret managers storing secrets, and Airflow can tap into those via providers that implement secrets backends for services Airflow integrates with.

.. note::

Secret Backend integration do not allow writes to the secret backend. This is a design choice as normally secret stores require elevated permissions to write as it is a protected resource. That means Variable.set(...) will write to the Airflow metastore even if you use secret backend. If you need to update a value of a secret stored in the secret backend you must do it explicitly. That can be done by using operator that writes to the secret backend of your choice.

.. warning::

If you have key foo in secret backend and you will do Variable.set(key='foo',...) it will create Airflow Variable with key foo in the Airflow metastore. It means you will have 2 secrets with key foo. While this is possible, Airflow detects that this situation is likely wrong and output to the task log a warning that explains while the write request is honored it will be ignored with the next read. The reason for this is when executing Variable.get('foo'), it will read the value from the secret backend. The value stored in Airflow metastore will be ignored due to priority given to the secret backend.

You can also take a look at Secret backends available in the core Airflow in :doc:apache-airflow:security/secrets/secrets-backend/index and here you can see the ones provided by the community-managed providers:

.. airflow-secrets-backends:: :tags: None :header-separator: "