
Update SecretsManagerBackend to support multi-team #65372

@vincbeck

Description


In multi-team mode, Airflow passes team_name to the secrets backend when retrieving connections and variables (via get_conn_value, get_variable, and get_connection in BaseSecretsBackend). This allows backends to scope secrets per team — for example, by looking up secrets under a team-specific path prefix.

Currently, SecretsManagerBackend accepts team_name in its get_conn_value and get_variable signatures but completely ignores it. The team_name is never forwarded to _get_secret, so all teams resolve secrets from the same path regardless of team context.

Expected behavior

When team_name is provided, SecretsManagerBackend should incorporate it into the secret lookup path. For example, with connections_prefix="airflow/connections" and team_name="analytics", the backend could look up airflow/connections/analytics/smtp_default instead of airflow/connections/smtp_default.

The exact path convention is an implementation decision, but a reasonable approach would be to insert the team name between the prefix and the secret ID:

{prefix}/{team_name}/{secret_id}

When team_name is None (single-team mode or no team context), the behavior should remain unchanged ({prefix}/{secret_id}).

Current behavior

team_name is accepted in the method signatures but never used:

def get_conn_value(self, conn_id: str, team_name: str | None = None) -> str | None:
    # team_name is ignored
    secret = self._get_secret(self.connections_prefix, conn_id, self.connections_lookup_pattern)
    ...

def get_variable(self, key: str, team_name: str | None = None) -> str | None:
    # team_name is ignored
    return self._get_secret(self.variables_prefix, key, self.variables_lookup_pattern)

What needs to change

  1. Pass team_name to _get_secret: get_conn_value and get_variable should forward team_name to _get_secret.

  2. Incorporate team_name into the secret path: _get_secret (or build_path) should use team_name to construct a team-scoped path when provided.

  3. Update tests to cover team-scoped secret lookups.

Files likely to be modified

  • providers/amazon/src/airflow/providers/amazon/aws/secrets/secrets_manager.py
  • providers/amazon/tests/unit/amazon/aws/secrets/test_secrets_manager.py

Note

The same gap exists in SystemsManagerParameterStoreBackend (providers/amazon/src/airflow/providers/amazon/aws/secrets/systems_manager.py) and in other provider secrets backends (Google Secret Manager, Azure Key Vault, HashiCorp Vault, Yandex Lockbox, Kubernetes). Those could be addressed in follow-up issues.

Use case

Operators running Airflow in multi-team mode with AWS Secrets Manager cannot isolate secrets per team. All teams currently share the same secret namespace, which prevents proper secret scoping in multi-team deployments.



Are you willing to submit a PR?

  • Yes I am willing to submit a PR!
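An added example, not code from this issue or from the Airflow Amazon provider: a minimal, hypothetical backend implementing the {prefix}/{team_name}/{secret_id} convention proposed above, with an in-memory dict standing in for AWS Secrets Manager so it runs offline. The class name, the TEAM_NAME_RE check, the lookup_pattern handling and the no-fallback behaviour are assumptions of this example; the real backend also decodes JSON-formatted secrets and builds connection URIs, which is omitted here.

```python
import re

# Constructed stand-in for AWS Secrets Manager (secret name -> secret string).
# The real backend calls secretsmanager:GetSecretValue; a dict keeps this offline.
FAKE_SECRETS_MANAGER = {
    "airflow/connections/smtp_default": "smtp://shared:pw@mail.example.com:587",
    "airflow/connections/analytics/smtp_default": "smtp://analytics:pw@mail.example.com:587",
    "airflow/variables/report_bucket": "s3://shared-reports",
    "airflow/variables/analytics/report_bucket": "s3://analytics-reports",
}

# Assumption, not an Airflow rule: a team name must not contain the separator,
# otherwise a value such as "finance/../analytics" would address another team's subtree.
TEAM_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")


class TeamScopedSecretsBackend:
    """Hypothetical backend showing team-scoped lookups under {prefix}/{team_name}/{secret_id}."""

    def __init__(self, store, connections_prefix="airflow/connections",
                 variables_prefix="airflow/variables", sep="/",
                 connections_lookup_pattern=None, variables_lookup_pattern=None):
        self.store = store
        self.connections_prefix = connections_prefix
        self.variables_prefix = variables_prefix
        self.sep = sep
        self.connections_lookup_pattern = connections_lookup_pattern
        self.variables_lookup_pattern = variables_lookup_pattern

    def build_path(self, path_prefix, secret_id, team_name=None):
        """Insert the team name between prefix and secret ID; unchanged when team_name is None."""
        if team_name is None:
            return f"{path_prefix}{self.sep}{secret_id}"
        if not TEAM_NAME_RE.match(team_name):
            raise ValueError(f"invalid team name: {team_name!r}")
        return f"{path_prefix}{self.sep}{team_name}{self.sep}{secret_id}"

    def _get_secret(self, path_prefix, secret_id, lookup_pattern=None, team_name=None):
        # lookup_pattern mirrors the existing backend: IDs that do not match are not looked up.
        if lookup_pattern and not re.match(lookup_pattern, secret_id):
            return None
        # Deliberately no fallback to the shared path: a team without its own secret gets
        # None, otherwise one team could silently read the shared (or another team's) secret.
        return self.store.get(self.build_path(path_prefix, secret_id, team_name))

    def get_conn_value(self, conn_id, team_name=None):
        return self._get_secret(self.connections_prefix, conn_id,
                                self.connections_lookup_pattern, team_name)

    def get_variable(self, key, team_name=None):
        return self._get_secret(self.variables_prefix, key,
                                self.variables_lookup_pattern, team_name)


if __name__ == "__main__":
    backend = TeamScopedSecretsBackend(FAKE_SECRETS_MANAGER)
    print(backend.get_conn_value("smtp_default"))                         # shared path
    print(backend.get_conn_value("smtp_default", team_name="analytics"))  # team-scoped path
    print(backend.get_conn_value("smtp_default", team_name="finance"))    # None, no fallback
```

Whether a team without its own secret should fall back to the shared path is a design decision the issue leaves open; the example rejects fallback because it would let a team read secrets it was never provisioned, which is exactly the isolation the use case asks for.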

