Update SystemsManagerParameterStoreBackend to support multi-team #65373

@vincbeck

Description

In multi-team mode, Airflow passes team_name to the secrets backend when retrieving connections and variables (via get_conn_value, get_variable, and get_connection in BaseSecretsBackend). This allows backends to scope secrets per team — for example, by looking up parameters under a team-specific path prefix.

Currently, SystemsManagerParameterStoreBackend accepts team_name in its get_conn_value and get_variable signatures but completely ignores it. The team_name is never forwarded to _get_secret, so all teams resolve parameters from the same path regardless of team context.

Expected behavior

When team_name is provided, SystemsManagerParameterStoreBackend should incorporate it into the parameter lookup path. For example, with connections_prefix="/airflow/connections" and team_name="analytics", the backend could look up /airflow/connections/analytics/smtp_default instead of /airflow/connections/smtp_default.

When team_name is None (single-team mode or no team context), the behavior should remain unchanged ({prefix}/{secret_id}).

Current behavior

team_name is accepted in the method signatures but never used:

def get_conn_value(self, conn_id: str, team_name: str | None = None) -> str | None:
    # team_name is ignored
    return self._get_secret(self.connections_prefix, conn_id, self.connections_lookup_pattern)

def get_variable(self, key: str, team_name: str | None = None) -> str | None:
    # team_name is ignored
    return self._get_secret(self.variables_prefix, key, self.variables_lookup_pattern)

What needs to change

  1. Pass team_name to _get_secret: get_conn_value and get_variable should forward team_name to _get_secret.

  2. Incorporate team_name into the parameter path: _get_secret (or build_path) should use team_name to construct a team-scoped path when provided.

  3. Update tests to cover team-scoped parameter lookups.

Files likely to be modified

  • providers/amazon/src/airflow/providers/amazon/aws/secrets/systems_manager.py
  • providers/amazon/tests/unit/amazon/aws/secrets/test_systems_manager.py

Related

This is the same gap as in SecretsManagerBackend (see companion issue for that backend).

Use case

Operators running Airflow in multi-team mode with AWS SSM Parameter Store cannot isolate parameters per team. All teams currently share the same parameter namespace, which prevents proper secret scoping in multi-team deployments.

Are you willing to submit a PR?

  • Yes I am willing to submit a PR!
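
An added sketch of the team-scoped lookup this issue asks for (not code from the issue or from the Airflow provider). `build_team_scoped_path`, `FakeParameterStore`, the module-level `get_conn_value` and the allowed team-name character set are hypothetical, and the parameter values are constructed sample data.

```python
from __future__ import annotations

import re

# Assumption: team names use a conservative character set, so a team name can
# never contain "/" and address a path outside its own subtree.
TEAM_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def build_team_scoped_path(prefix: str, secret_id: str, team_name: str | None = None) -> str:
    """Return {prefix}/{secret_id}, or {prefix}/{team_name}/{secret_id} for a team."""
    if team_name is None:
        # Single-team mode or no team context: behaviour stays unchanged.
        return f"{prefix}/{secret_id}"
    if not TEAM_NAME_RE.fullmatch(team_name):
        raise ValueError(f"invalid team_name: {team_name!r}")
    return f"{prefix}/{team_name}/{secret_id}"


class FakeParameterStore:
    """In-memory stand-in for SSM Parameter Store, so the example runs offline."""

    def __init__(self, params: dict[str, str]) -> None:
        self._params = params

    def get(self, name: str) -> str | None:
        return self._params.get(name)


def get_conn_value(store: FakeParameterStore, conn_id: str, team_name: str | None = None,
                   prefix: str = "/airflow/connections") -> str | None:
    # team_name is forwarded into the path instead of being dropped.
    return store.get(build_team_scoped_path(prefix, conn_id, team_name))


# Constructed sample parameters: one shared entry and one per team.
STORE = FakeParameterStore({
    "/airflow/connections/smtp_default": "smtp://shared.example",
    "/airflow/connections/analytics/smtp_default": "smtp://analytics.example",
    "/airflow/connections/finance/smtp_default": "smtp://finance.example",
})

if __name__ == "__main__":
    for team in (None, "analytics", "finance", "marketing"):
        print(team, "->", get_conn_value(STORE, "smtp_default", team))
```

Because team-less and team-scoped lookups share one prefix in this scheme, a team-less `secret_id` that itself contains `/` resolves inside a team's subtree. Path construction alone does not separate the two namespaces, so access control on the team path prefixes still has to enforce the boundary.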
