Skip to content

Add regional support for google secret manager hook #52124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jul 1, 2025
Merged

Add regional support for google secret manager hook #52124

merged 4 commits into from
Jul 1, 2025
+166 −17

Conversation

harikrishna12524
Copy link
Contributor

Added support for regional secrets in google secret manager

Google secret provider was lacking support for storing regional secrets which was supported by Google Cloud Secrets, changes were made to add this functionality.

Changes :

  • Added a constructor for taking location_id optional property.
  • Changes client getter to initialize SecretManagerServiceClient based on whether location_id is provided or not.
  • Added methods _get_parent, _get_secret_path and _get_secret_version_path as helper methods to build the path with or without location_id based on parameters.
  • Added location_id parameter to methods create_secret, add_secret_version, list_secrets, secret_exists, access_secret and delete_secret for handling regional secrets.

closes: #49709

This is my first commit, so I am unsure if my approaches for the changes are correct. So, I haven't changes the tests completely. Please review my approach once, and I will make required changes to the provider and tests.

@boring-cyborg boring-cyborg
Copy link

boring-cyborg bot commented Jun 24, 2025

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contributors' Guide (https://github.com/apache/airflow/blob/main/contributing-docs/README.rst)
Here are some useful points:

  • Pay attention to the quality of your code (ruff, mypy and type annotations). Our pre-commits will help you with that.
  • In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example DAG that shows how users should use it.
  • Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
  • Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
  • Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
  • Be sure to read the Airflow Coding style.
  • Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.
    Apache Airflow is a community-driven project and together we are making it better 🚀.
    In case of doubts contact the developers at:
    Mailing List: [email protected]
    Slack: https://s.apache.org/airflow-slack

@boring-cyborg boring-cyborg bot added area:providers provider:google Google (including GCP) related issues labels Jun 24, 2025
MaksYermak
MaksYermak suggested changes Jun 24, 2025
View reviewed changes
MaksYermak
MaksYermak reviewed Jun 26, 2025
View reviewed changes
Copy link
Contributor

@MaksYermak MaksYermak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Could I ask you to provide a screenshot of this regional secret created successfully on Google Cloud?

@harikrishna12524
Copy link
Contributor Author

@MaksYermak

I have removed the comment as suggested. I have attached snippet that I used for testing and screen shot from google secret manager.

Regional secret testcases

I have created regional secret with this below code in dag file.

''' Creating a regional secret '''
hook = GoogleCloudSecretManagerHook(gcp_conn_id="gcp_connection_default", location="europe-west8")
hook.create_secret(secret_id="airflow_test_same_id", location="europe-west8")
print("Regional secret created.")

created-regional-secret
create-regional-secret-detail

Created regional secret version

''' Creating regional secret version '''
hook = GoogleCloudSecretManagerHook(gcp_conn_id="gcp_connection_default", location="europe-west8")
secret_version = hook.add_secret_version(secret_id="airflow_test_same_id", location="europe-west8", secret_payload={"data" : "Password:PermTesting@1234".encode("utf-8")})
print("Regional secret version.")

create-regional-secret-version

Listing regional secrets

''' Listing regional secrets '''
hook = GoogleCloudSecretManagerHook(gcp_conn_id="gcp_connection_default", location="europe-west8" )
secret_version = hook.list_secrets()
for secret in secret_version:
    print(secret.name)
print("Listing Regional secrets.")

listing-regional-secret-logs
created-regional-secret

Checking regional secret exists

''' Checking regional secret exists '''
hook = GoogleCloudSecretManagerHook(gcp_conn_id="gcp_connection_default", location="europe-west8")
secret_exists = hook.secret_exists(secret_id="hari_non_existing", location="europe-west8")
print("hari_non_existing : Secret Exists." + str(secret_exists))
secret_exists = hook.secret_exists(secret_id="airflow_test_same_id", location="europe-west8")
print("airflow_test_same_id : Secret Exists." + str(secret_exists))

secret-exists-regional

Accessing regional secret

hook = GoogleCloudSecretManagerHook(gcp_conn_id="gcp_connection_default", location="europe-west8")
secret_exists = hook.access_secret(secret_id="airflow_test_same_id", secret_version="1")
print("Secret value." + str(secret_exists))

access-regional-secret

I deleted the created regional secret with this below code

hook = GoogleCloudSecretManagerHook(gcp_conn_id="gcp_connection_default", location="europe-west8")
secret_exists = hook.delete_secret(secret_id="airflow_test_same_id", location="europe-west8")
print("Secret Deleted." + str(secret_exists))

delete-regional-secret

Normal secret testcases

I created normal secrets via this below code

''' Creating a normal secret . '''
hook = GoogleCloudSecretManagerHook(gcp_conn_id="gcp_connection_default")
hook.create_secret(secret_id="airflow_test_normal_secret")
print("Normal secret created.")

create-normal-secret

Create normal secret version

''' Creating normal secret version '''
hook = GoogleCloudSecretManagerHook(gcp_conn_id="gcp_connection_default")
secret_version = hook.add_secret_version(secret_id="airflow_test_normal_secret", secret_payload={"data" : "Password:Thrown@asdf".encode("utf-8")})
print("Normal secret version.")

create-normal-secret-version

Listing normal secrets

''' Listing normal secrets '''
hook = GoogleCloudSecretManagerHook(gcp_conn_id="gcp_connection_default")
secret_version = hook.list_secrets()
for secret in secret_version:
    print(secret.name)
print("Listing normal secrets.")

listing-normal-secrets
listing-normal-secret-sm

Checking normal secret exists

''' Normal secret exists '''
hook = GoogleCloudSecretManagerHook(gcp_conn_id="gcp_connection_default")
secret_exists = hook.secret_exists(secret_id="hari_non_existing")
print("hari_non_existing : Secret Exists." + str(secret_exists))
secret_exists = hook.secret_exists(secret_id="airflow_test_normal_secret")
print("airflow_test_normal_secret : Secret Exists." + str(secret_exists))

secret-exists-normal

Access normal secret

''' Accessing normal secret version '''
hook = GoogleCloudSecretManagerHook(gcp_conn_id="gcp_connection_default")
secret_exists = hook.access_secret(secret_id="airflow_test_normal_secret", secret_version="1")
print("Secret value." + str(secret_exists))

access-secret-normal

Delete normal secret

''' delete normal secret '''
hook = GoogleCloudSecretManagerHook(gcp_conn_id="gcp_connection_default")
secret_exists = hook.delete_secret(secret_id="airflow_test_same_id")
print("Secret Deleted." + str(secret_exists))

Delete secret

source-trust-me-bro-meme

A decent meme for the trouble you went through...
ab61280a6dd6209d6165838d8f44fac9

@harikrishna12524 harikrishna12524 force-pushed the feature/regional-support-in-google-cloud-secret-1 branch 2 times, most recently from df4f10c to ecebf7c Compare June 29, 2025 03:24
@potiuk
Copy link
Member

potiuk commented Jun 30, 2025

static checks failing

@harikrishna12524 harikrishna12524 force-pushed the feature/regional-support-in-google-cloud-secret-1 branch from ecebf7c to ff82321 Compare July 1, 2025 03:08
@potiuk potiuk merged commit f9a1224 into apache:main Jul 1, 2025
74 checks passed
@boring-cyborg boring-cyborg
Copy link

boring-cyborg bot commented Jul 1, 2025

Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@potiuk potiuk potiuk approved these changes

@MaksYermak MaksYermak MaksYermak approved these changes

Assignees
No one assigned
Labels
area:providers provider:google Google (including GCP) related issues
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add Support for Regionally-Scoped Secrets for Google Cloud Secrets Manager Backend
3 participants
@harikrishna12524 @potiuk @MaksYermak