Commit 032d33f

fixup! fixup! fixup! fixup! fixup! fixup! Get Airflow configs with sensitive data from Secret Backends
1 parent 3b38109 commit 032d33f

2 files changed

+10
-6
lines changed

airflow/configuration.py

Lines changed: 4 additions & 4 deletions
Original file line number | Diff line number | Diff line change
@@ -281,11 +281,11 @@ def _get_env_var_option(self, section, key):
281281
if (section, key) in self.sensitive_config_values:
282282
return run_command(os.environ[env_var_cmd])
283283
# alternatively AIRFLOW__{SECTION}__{KEY}_SECRET (to get from Secrets Backend)
284-
env_var_cmd = env_var + '_SECRET'
285-
if env_var_cmd in os.environ:
286-
# if this is a valid command key...
284+
env_var_secret_path = env_var + '_SECRET'
285+
if env_var_secret_path in os.environ:
286+
# if this is a valid secret path...
287287
if (section, key) in self.sensitive_config_values:
288-
return _get_config_value_from_secret_backend(os.environ[env_var_cmd])
288+
return _get_config_value_from_secret_backend(os.environ[env_var_secret_path])
289289

290290
def _get_cmd_option(self, section, key):
291291
fallback_key = key + '_cmd'
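Review bot: In `_get_env_var_option`, when the `_SECRET` variable is set but `(section, key)` is not in `self.sensitive_config_values`, the branch falls through with no return and no log line, so an operator who exported the variable gets no signal that it was ignored. Consider logging a warning in that case (naming the variable, never its value), and folding the two conditions into a single `if env_var_secret_path in os.environ and (section, key) in self.sensitive_config_values:`. As far as these lines show, `os.environ[env_var_secret_path]` is also passed to `_get_config_value_from_secret_backend` unchecked; rejecting an empty string before the call would avoid a backend lookup with an empty path.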

docs/howto/set-config.rst

Lines changed: 6 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -53,6 +53,9 @@ the key like this:
5353
5454
[core]
5555
sql_alchemy_conn_secret = sql_alchemy_conn
56+
# You can also add a nested path
57+
# example:
58+
# sql_alchemy_conn_secret = core/sql_alchemy_conn
5659
5760
This will retrieve config option from Secret Backends e.g Hashicorp Vault. See
5861
:ref:`Secrets Backends<secrets_backend_configuration>` for more details.
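Review bot: The added comment in the `[core]` example says a nested path such as `core/sql_alchemy_conn` is allowed, but not what that path is resolved against in the backend. State whether the value is relative to a configured prefix or mount point, because a reader copying the example cannot tell which secret will actually be read; the paragraph after the example only links to the Secrets Backends page.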
@@ -87,8 +90,9 @@ The idea behind this is to not store passwords on boxes in plain text files.
8790

8891
The universal order of precedence for all configuration options is as follows:
8992

90-
#. set as an environment variable
91-
#. set as a command environment variable
93+
#. set as an environment variable (``AIRFLOW__CORE__SQL_ALCHEMY_CONN``)
94+
#. set as a command environment variable (``AIRFLOW__CORE__SQL_ALCHEMY_CONN_CMD``)
95+
#. set as a secret environment variable (``AIRFLOW__CORE__SQL_ALCHEMY_CONN_SECRET``)
9296
#. set in ``airflow.cfg``
9397
#. command in ``airflow.cfg``
9498
#. secret key in ``airflow.cfg``
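Review bot: The new environment-variable entries in the precedence list do not say that the `_CMD` and `_SECRET` forms are honoured only for options in `sensitive_config_values`, which is what the `configuration.py` code checks before returning in both branches. Add that restriction to items 2 and 3, and consider showing the generic `AIRFLOW__{SECTION}__{KEY}_SECRET` pattern from the code comment alongside the `SQL_ALCHEMY_CONN` example so the list does not read as specific to one option.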
