Update guide for Google Cloud Secret Manager Backend #10172
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -383,48 +383,75 @@ Note that the secret ``Key`` is ``value``, and secret ``Value`` is ``world`` and | |
|
|
||
| .. _secret_manager_backend: | ||
|
|
||
| Google Cloud Secret Manager Backend | ||
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
|
||
| This topic describes how to configure Airflow to use `Secret Manager <https://cloud.google.com/secret-manager/docs>`__ as | ||
| a secret bakcned and how to manage secrets. | ||
|
|
||
|
|
||
| Before you begin | ||
| """""""""""""""" | ||
|
|
||
| `Configure Secret Manager and your local environment <https://cloud.google.com/secret-manager/docs/configuring-secret-manager>`__, once per project. | ||
|
|
||
| Enabling the secret backend | ||
| """"""""""""""""""""""""""" | ||
|
|
||
| To enable the secret backend for Google Cloud Secrets Manager to retrieve connection/variables, | ||
| specify :py:class:`~airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend` | ||
|
There was a problem hiding this comment. This requires installing backport-operators. Maybe it's worth to mention that? There was a problem hiding this comment. Unfortunately, this is documentation for Airflow 2.0 where these packages don't work. We don't have documentation for Airflow 1.10 with backport packages. There was a problem hiding this comment. Backport Packages have their own documentation - - and I already have a mechanism to incorpoare some extra information in it - I will extract some of the useful GCP guides ther with the next wave of backport packages. The documentation is here: https://github.com/apache/airflow/tree/master/airflow/providers/google And when released it can be found in PyPI https://pypi.org/project/apache-airflow-backport-providers-google/2020.6.24/ |
||
| as the ``backend`` in ``[secrets]`` section of ``airflow.cfg``. | ||
|
|
||
| Here is a sample configuration if you want to use it: | ||
|
|
||
| .. code-block:: ini | ||
|
|
||
| [secrets] | ||
| backend = airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend | ||
|
|
||
| You can also set this with environment variables. | ||
|
|
||
| .. code-block:: bash | ||
|
|
||
| export AIRFLOW__SECRETS__BACKEND=airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend | ||
|
|
||
| You can verify the correct setting of the configuration options with the ``airflw config get-value`` command. | ||
|
|
||
| .. code-block:: bash | ||
|
|
||
| $ airflow config get-value secrets backend | ||
| airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend | ||
|
|
||
| Additionals options | ||
| """"""""""""""""""" | ||
|
|
||
| The next step is to configure additional configuration options using the ``backend_kwargs`` options. | ||
|
|
||
| * ``connections_prefix``: Specifies the prefix of the secret to read to get Connections. Default: ``"airflow-connections"`` | ||
| * ``variables_prefix``: Specifies the prefix of the secret to read to get Variables. Default: ``"airflow-variables"`` | ||
| * ``gcp_key_path``: Path to GCP Credential JSON file. | ||
| * ``gcp_keyfile_dict``: Dictionary of keyfile parameters. | ||
| * ``gcp_scopes``: Comma-separated string containing GCP scopes. | ||
| * ``sep``: Separator used to concatenate connections_prefix and conn_id. Default: "-" | ||
| * ``project_id``: Project ID. If not passed, the project ID from credentials will be used. | ||
|
|
||
| All options should be passed as a JSON dictionary. | ||
|
|
||
| For example, if you want to set parameter ``connections_prefix`` to ``"airflow-tenant-primary"`` and parameter ``variables_prefix`` to ``"variables_prefix"``, your configuration file should look like this: | ||
|
|
||
| .. code-block:: ini | ||
|
|
||
| [secrets] | ||
| backend = airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend | ||
| backend_kwargs = {"connections_prefix": "airflow-tenant-primary", "variables_prefix": "airflow-tenant-primary"} | ||
|
|
||
| Set-up credentials | ||
| """""""""""""""""" | ||
|
|
||
| You can configure the credentiaps in three ways: | ||
|
|
||
|
|
||
| * By default, Application Default Credentials (ADC) is used obtain credentials. | ||
| * ``gcp_key_path`` option in ``backend_kwargs`` option - allows you to configure authorizations with a service account stored in local file. | ||
| * ``gcp_keyfile_dict`` option in ``backend_kwargs`` option - allows you to configure authorizations with a service account stored in Airflow configuration. | ||
|
|
||
| .. note:: | ||
|
|
||
|
|
@@ -433,8 +460,43 @@ When ``gcp_key_path`` is not provided, it will use the Application Default Crede | |
| * `google.auth.default <https://google-auth.readthedocs.io/en/latest/reference/google.auth.html#google.auth.default>`__ | ||
| * `Setting Up Authentication for Server to Server Production Applications <https://cloud.google.com/docs/authentication/production>`__ | ||
|
|
||
| Managing a secrets | ||
|
|
||
| """""""""""""""""" | ||
|
|
||
| If you want to configure a connection, you need to save it as a :ref:`connection URI representation <generating_connection_uri>`. | ||
| Variables should be saved as plain text. | ||
|
|
||
| In order to manage secrets, you can use the ``gcloud`` tool or other supported tools. For more information, take a look at: | ||
| `Managing secrets <https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets>`__ in Google Cloud Documentation. | ||
|
|
||
| The name of the secret must fit the following formats: | ||
|
|
||
| * for variable: ``[connections_prefix][sep][variable_name]`` | ||
| * for connection: ``[variable_prefix][sep][connection_name]`` | ||
|
|
||
| where: | ||
|
|
||
| * ``connections_prefix`` - fixed value defined in the ``connections_prefix`` parameter in backend configuration. Default: ``airflow-connections``. | ||
| * ``variable_prefix`` - fixed value defined in the ``variable_prefix`` parameter in backend configuration. Default: ``airflow-variables``. | ||
| * ``sep`` - fixed value defined in the ``sep`` parameter in backend configuration. Default: ``-``. | ||
|
|
||
| The Cloud Secrets Manager secret name should follow the pattern ``[a-zA-Z0-9-_]``. | ||
|
|
||
| If you have the default backend configuration and you want to create a connection with ``conn_id`` | ||
| equals ``first-connection``, you should create secret named ``airflow-connections-first-connection``. | ||
| You can do it with the gcloud tools as in the example below. | ||
|
|
||
| .. code-block:: bash | ||
|
|
||
| echo "mysql://example.org" | gcloud beta secrets create airflow-connections-first-connection --data-file=- | ||
|
|
||
| If you have the default backend configuration and you want to create a variable named ``first-variable``, | ||
| you should create a secret named ``airflow-variables-first-variable``. You can do it with the gcloud | ||
| command as in the example below. | ||
|
|
||
| .. code-block:: bash | ||
|
|
||
| echo "content" | gcloud beta secrets create airflow-variables-first-variable --data-file=- | ||
|
|
||
| .. _roll_your_own_secrets_backend: | ||
|
|
||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe add something what is the values used for like
"Project Id to read the secrets from. If not provided, thethe project ID from credentials id used"