From 31990d9b10893dcd1a8d9e119599b8c970233c71 Mon Sep 17 00:00:00 2001 From: Pankaj Date: Wed, 27 Mar 2024 19:41:19 +0530 Subject: [PATCH 01/13] Expose aws iam missing param in hashicorp secret --- .../hashicorp/_internal_client/vault_client.py | 17 +++++++++++++++++ airflow/providers/hashicorp/secrets/vault.py | 13 +++++++++++++ .../_internal_client/test_vault_client.py | 9 ++++++++- 3 files changed, 38 insertions(+), 1 deletion(-) diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py b/airflow/providers/hashicorp/_internal_client/vault_client.py index 5d0ef90afca13..8ded707ddf66b 100644 --- a/airflow/providers/hashicorp/_internal_client/vault_client.py +++ b/airflow/providers/hashicorp/_internal_client/vault_client.py @@ -73,7 +73,12 @@ class _VaultClient(LoggingMixin): :param password: Password for Authentication (for ``ldap`` and ``userpass`` auth_types). :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type). :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types). + :param session_token: The AWS session token to use. Defaults to None., + :param header_value: additional header to mitigate replay attacks, potentially necessitating an argument + depending on AWS auth backend configuration. Defaults to None. :param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types). + :param use_token: A flag indicating whether to use the token. Defaults to True., + :param region: The AWS region to use. Defaults to ``us-east-1`` :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type). :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default: ``/var/run/secrets/kubernetes.io/serviceaccount/token``). 
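Review bot: The new `:param header_value:` entry in the `_VaultClient` docstring never says which HTTP header the value feeds or what it has to match, so an operator cannot tell when it is required; as far as I recall hvac sends it as the `X-Vault-AWS-IAM-Server-ID` header, and Vault rejects the login when the aws auth method has `iam_server_id_header_value` configured and the values differ. I would reword it to `:param header_value: Value for the X-Vault-AWS-IAM-Server-ID header; required when the Vault aws auth method sets iam_server_id_header_value (for ``aws_iam`` auth_type).` and scope `session_token`, `use_token` and `region` to the ``aws_iam`` auth_type like the neighbouring entries do. The stray `.,` endings on the `session_token` and `use_token` lines should also go.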
@@ -103,7 +108,11 @@ def __init__( password: str | None = None, key_id: str | None = None, secret_id: str | None = None, + session_token: str | None = None, + header_value: str | None = None, role_id: str | None = None, + use_token: bool = True, + region: str = "us-east-1", kubernetes_role: str | None = None, kubernetes_jwt_path: str | None = "/var/run/secrets/kubernetes.io/serviceaccount/token", gcp_key_path: str | None = None, @@ -160,7 +169,11 @@ def __init__( self.password = password self.key_id = key_id self.secret_id = secret_id + self.session_token = session_token + self.header_value = header_value self.role_id = role_id + self.use_token = use_token + self.region = region self.kubernetes_role = kubernetes_role self.kubernetes_jwt_path = kubernetes_jwt_path self.gcp_key_path = gcp_key_path @@ -322,7 +335,11 @@ def _auth_aws_iam(self, _client: hvac.Client) -> None: _client.auth.aws.iam_login( access_key=self.key_id, secret_key=self.secret_id, + session_token=self.session_token, + header_value=self.header_value, role=self.role_id, + use_token=self.use_token, + region=self.region, mount_point=self.auth_mount_point, ) else: diff --git a/airflow/providers/hashicorp/secrets/vault.py b/airflow/providers/hashicorp/secrets/vault.py index 348992a7f6949..c6cf31a724280 100644 --- a/airflow/providers/hashicorp/secrets/vault.py +++ b/airflow/providers/hashicorp/secrets/vault.py 
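Review bot: In the `_auth_aws_iam` hunk the new `session_token`, `header_value`, `use_token` and `region` arguments are forwarded only inside the `if self.auth_mount_point:` branch; the `else:` call on the default mount (`_client.auth.aws.iam_login(access_key=..., secret_key=..., role=...)`, unchanged context) still drops all four. A deployment on the default mount that supplies temporary credentials therefore signs with an access key and secret but no session token, which STS rejects, and a configured replay-protection header is silently not sent. Build one kwargs dict with the four new arguments and add `mount_point` only when `auth_mount_point` is set, so both paths behave the same. `region: str = "us-east-1"` is also a hard-coded default for a signing parameter; consider consulting `AWS_REGION`/`AWS_DEFAULT_REGION` before falling back. The `def _auth_aws_iam` line and the body of the `else:` branch lie outside this hunk.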
@@ -73,7 +73,12 @@ class VaultBackend(BaseSecretsBackend, LoggingMixin): :param password: Password for Authentication (for ``ldap`` and ``userpass`` auth_type). :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type). :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types). + :param session_token: The AWS session token to use. Defaults to None., + :param header_value: additional header to mitigate replay attacks, potentially necessitating an argument + depending on AWS auth backend configuration. Defaults to None. :param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types). + :param use_token: A flag indicating whether to use the token. Defaults to True., + :param region: The AWS region to use. Defaults to ``us-east-1`` :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type). :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default: ``/var/run/secrets/kubernetes.io/serviceaccount/token``). @@ -106,7 +111,11 @@ def __init__( password: str | None = None, key_id: str | None = None, secret_id: str | None = None, + session_token: str | None = None, + header_value: str | None = None, role_id: str | None = None, + use_token: bool = True, + region: str = "us-east-1", kubernetes_role: str | None = None, kubernetes_jwt_path: str = "/var/run/secrets/kubernetes.io/serviceaccount/token", gcp_key_path: str | None = None, @@ -146,7 +155,11 @@ def __init__( password=password, key_id=key_id, secret_id=secret_id, + session_token=session_token, + header_value=header_value, role_id=role_id, + use_token=use_token, + region=region, kubernetes_role=kubernetes_role, kubernetes_jwt_path=kubernetes_jwt_path, gcp_key_path=gcp_key_path, diff --git a/tests/providers/hashicorp/_internal_client/test_vault_client.py b/tests/providers/hashicorp/_internal_client/test_vault_client.py index 2973178e0a65c..a0ff4e0888676 100644 
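Review bot: In the `VaultBackend.__init__` signature hunk, `session_token` and `header_value` are inserted between `secret_id` and `role_id`, and `use_token` and `region` between `role_id` and `kubernetes_role`, so every later parameter shifts position; a caller that passes arguments positionally would now silently have, for example, its former `role_id` land in `session_token`. Since this constructor is public API, append new parameters at the end or make them keyword-only (the boolean `use_token` in particular should be keyword-only). The same ordering problem applies to the `_VaultClient.__init__` hunk in the first file.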
--- a/tests/providers/hashicorp/_internal_client/test_vault_client.py +++ b/tests/providers/hashicorp/_internal_client/test_vault_client.py @@ -148,7 +148,14 @@ def test_aws_iam_different_auth_mount_point(self, mock_hvac): client = vault_client.client mock_hvac.Client.assert_called_with(url="http://localhost:8180", session=None) client.auth.aws.iam_login.assert_called_with( - access_key="user", secret_key="pass", role="role", mount_point="other" + access_key="user", + secret_key="pass", + session_token=None, + header_value=None, + role="role", + use_token=True, + region="us-east-1", + mount_point="other", ) client.is_authenticated.assert_called_with() assert 2 == vault_client.kv_engine_version From 7e242ce64c17b7edd44f9c2449f61b5242251d3e Mon Sep 17 00:00:00 2001 From: Pankaj Date: Fri, 29 Mar 2024 01:11:54 +0530 Subject: [PATCH 02/13] Fix --- .../_internal_client/vault_client.py | 62 ++++++++++++++----- airflow/providers/hashicorp/provider.yaml | 1 + airflow/providers/hashicorp/secrets/vault.py | 11 ++-- generated/provider_dependencies.json | 1 + 4 files changed, 52 insertions(+), 23 deletions(-) diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py b/airflow/providers/hashicorp/_internal_client/vault_client.py index 8ded707ddf66b..fa907ff62f109 100644 --- a/airflow/providers/hashicorp/_internal_client/vault_client.py +++ b/airflow/providers/hashicorp/_internal_client/vault_client.py 
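Review bot: The updated `test_aws_iam_different_auth_mount_point` assertion pins only the custom-mount branch with every new argument at its default, so nothing checks that a supplied `session_token`, `header_value` or non-default `region` actually reaches `iam_login`, and the default-mount path is not exercised at all; a regression that drops the session token on one branch would pass this suite. Add a case that constructs the client with `session_token="tok"`, `header_value="vault.example.com"`, `region="eu-west-1"` and no `auth_mount_point`, and asserts those values in `client.auth.aws.iam_login.assert_called_with(...)`.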
@@ -73,12 +73,12 @@ class _VaultClient(LoggingMixin): :param password: Password for Authentication (for ``ldap`` and ``userpass`` auth_types). :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type). :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types). - :param session_token: The AWS session token to use. Defaults to None., + :param arn_role: The Amazon Resource Name (ARN) of the role to assume, + :param federation_user: The name of the federated user :param header_value: additional header to mitigate replay attacks, potentially necessitating an argument depending on AWS auth backend configuration. Defaults to None. :param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types). :param use_token: A flag indicating whether to use the token. Defaults to True., - :param region: The AWS region to use. Defaults to ``us-east-1`` :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type). :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default: ``/var/run/secrets/kubernetes.io/serviceaccount/token``). @@ -108,11 +108,11 @@ def __init__( password: str | None = None, key_id: str | None = None, secret_id: str | None = None, - session_token: str | None = None, + role_arn: str | None = None, + federation_user: str | None = None, header_value: str | None = None, role_id: str | None = None, use_token: bool = True, - region: str = "us-east-1", kubernetes_role: str | None = None, kubernetes_jwt_path: str | None = "/var/run/secrets/kubernetes.io/serviceaccount/token", gcp_key_path: str | None = None, 
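Review bot: The docstring hunk documents `:param arn_role:` while the signature hunk directly below names the parameter `role_arn`, so the rendered docs describe an argument that does not exist, and `federation_user` gets no explanation of which STS call it triggers (the implementation passes it as `Name` to `get_federation_token`). Rename the entry to `:param role_arn: ARN of the IAM role assumed via STS AssumeRole before the Vault login (for ``aws_iam`` auth_type).` and document `federation_user` as the `Name` handed to STS GetFederationToken. Removing `:param session_token:` here also leaves callers with temporary source credentials undocumented; the `secrets/vault.py` docstring drifts the same way.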
@@ -169,11 +169,11 @@ def __init__( self.password = password self.key_id = key_id self.secret_id = secret_id - self.session_token = session_token + self.role_arn = role_arn + self.federation_user = federation_user self.header_value = header_value self.role_id = role_id self.use_token = use_token - self.region = region self.kubernetes_role = kubernetes_role self.kubernetes_jwt_path = kubernetes_jwt_path self.gcp_key_path = gcp_key_path 
@@ -331,19 +331,47 @@ def _auth_azure(self, _client: hvac.Client) -> None: ) def _auth_aws_iam(self, _client: hvac.Client) -> None: - if self.auth_mount_point: - _client.auth.aws.iam_login( - access_key=self.key_id, - secret_key=self.secret_id, - session_token=self.session_token, - header_value=self.header_value, - role=self.role_id, - use_token=self.use_token, - region=self.region, - mount_point=self.auth_mount_point, + import boto3 + + region = os.environ.get("AWS_REGION") or os.environ.get("AWS_DEFAULT_REGION") or "us-east-1" + + _client.auth.aws.configure( + access_key=self.key_id, secret_key=self.secret_id, endpoint=f"https://sts.{region}.amazonaws.com" + ) + + if self.role_arn: + sts_client = boto3.client( + "sts", aws_access_key_id=self.key_id, aws_secret_access_key=self.secret_id + ) + response = sts_client.assume_role(RoleArn=self.role_arn, RoleSessionName="your-session-name") + elif self.federation_user: + sts_client = boto3.client( + "sts", aws_access_key_id=self.key_id, aws_secret_access_key=self.secret_id ) + response = sts_client.get_federation_token(Name=self.federation_user) else: - _client.auth.aws.iam_login(access_key=self.key_id, secret_key=self.secret_id, role=self.role_id) + response = { + "Credentials": { + "AccessKeyId": self.key_id, + "SecretAccessKey": self.secret_id, + "SessionToken": None, + } + } + + login_args = { + "access_key": response["Credentials"]["AccessKeyId"], + "secret_key": response["Credentials"]["SecretAccessKey"], + "session_token": response["Credentials"]["SessionToken"], + "header_value": self.header_value, + "role": self.role_id, + "use_token": self.use_token, + "region": region, + } + + if self.auth_mount_point: + login_args["mount_point"] = self.auth_mount_point + + _client.auth.aws.iam_login(**login_args) def _auth_approle(self, _client: hvac.Client) -> None: if self.auth_mount_point: 
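Review bot: The new `_client.auth.aws.configure(access_key=self.key_id, secret_key=self.secret_id, endpoint=...)` call at the top of `_auth_aws_iam` is not a login step: in hvac it writes the aws auth method's client configuration (`auth/<mount>/config/client`) on the Vault server, which needs an already-privileged token, fails on the still-unauthenticated client, and if it ever succeeded would persist the caller's AWS access key inside Vault's auth config and override the operator's STS endpoint for every other user of that mount. Drop it entirely; the computed `region` only needs to reach `iam_login`. In the same hunk the STS client used for `assume_role` is created without `region_name`, so it may sign in a different region than the `region` later used for the Vault login, and `RoleSessionName="your-session-name"` is a placeholder that will appear as the session identity in CloudTrail. `os` is used here but this hunk does not show whether the module imports it; please confirm. Sketch of the changed lines:
```python
        region = os.environ.get("AWS_REGION") or os.environ.get("AWS_DEFAULT_REGION") or "us-east-1"
        # no _client.auth.aws.configure(): that endpoint edits Vault's server-side auth config
        if self.role_arn:
            sts_client = boto3.client(
                "sts", region_name=region, aws_access_key_id=self.key_id, aws_secret_access_key=self.secret_id
            )
            response = sts_client.assume_role(RoleArn=self.role_arn, RoleSessionName="airflow-vault-login")
        # … unchanged: federation_user branch, static-credential fallback, login_args / iam_login …
```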
diff --git a/airflow/providers/hashicorp/provider.yaml b/airflow/providers/hashicorp/provider.yaml index 18e19e08537b4..97ba19c4eac13 100644 --- a/airflow/providers/hashicorp/provider.yaml +++ b/airflow/providers/hashicorp/provider.yaml @@ -55,6 +55,7 @@ versions: dependencies: - apache-airflow>=2.6.0 - hvac>=1.1.0 + - boto3>=1.33.0 integrations: - integration-name: Hashicorp Vault diff --git a/airflow/providers/hashicorp/secrets/vault.py b/airflow/providers/hashicorp/secrets/vault.py index c6cf31a724280..23266ba1e5705 100644 --- a/airflow/providers/hashicorp/secrets/vault.py +++ b/airflow/providers/hashicorp/secrets/vault.py @@ -73,12 +73,11 @@ class VaultBackend(BaseSecretsBackend, LoggingMixin): :param password: Password for Authentication (for ``ldap`` and ``userpass`` auth_type). :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type). :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types). - :param session_token: The AWS session token to use. Defaults to None., + :param arn_role: The Amazon Resource Name (ARN) of the role to assume :param header_value: additional header to mitigate replay attacks, potentially necessitating an argument depending on AWS auth backend configuration. Defaults to None. :param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types). :param use_token: A flag indicating whether to use the token. Defaults to True., - :param region: The AWS region to use. Defaults to ``us-east-1`` :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type). :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default: ``/var/run/secrets/kubernetes.io/serviceaccount/token``). 
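Review bot: `boto3>=1.33.0` is added to `provider.yaml` as an unconditional dependency of the hashicorp provider, so every Vault deployment — including approle, token and kubernetes users who never touch AWS — now installs boto3 and botocore into the process that hosts the secrets backend, widening the supply-chain surface of a credential-handling component for a feature most of them will not enable. Because `_auth_aws_iam` already imports boto3 lazily inside the function, the dependency can be declared as an optional extra and the import wrapped to raise an error that names that extra. In the `secrets/vault.py` docstring hunk on this line, `:param arn_role:` again does not match the `role_arn` parameter.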
@@ -111,11 +110,11 @@ def __init__( password: str | None = None, key_id: str | None = None, secret_id: str | None = None, - session_token: str | None = None, + role_arn: str | None = None, + federation_user: str | None = None, header_value: str | None = None, role_id: str | None = None, use_token: bool = True, - region: str = "us-east-1", kubernetes_role: str | None = None, kubernetes_jwt_path: str = "/var/run/secrets/kubernetes.io/serviceaccount/token", gcp_key_path: str | None = None, @@ -155,11 +154,11 @@ def __init__( password=password, key_id=key_id, secret_id=secret_id, - session_token=session_token, + role_arn=role_arn, + federation_user=federation_user, header_value=header_value, role_id=role_id, use_token=use_token, - region=region, kubernetes_role=kubernetes_role, kubernetes_jwt_path=kubernetes_jwt_path, gcp_key_path=gcp_key_path, diff --git a/generated/provider_dependencies.json b/generated/provider_dependencies.json index 6d88417d50143..2a50f5bdc5412 100644 --- a/generated/provider_dependencies.json +++ b/generated/provider_dependencies.json @@ -612,6 +612,7 @@ "hashicorp": { "deps": [ "apache-airflow>=2.6.0", + "boto3>=1.33.0", "hvac>=1.1.0" ], "devel-deps": [], From 6378557292fef32fee0a31838b047c3a663cba5f Mon Sep 17 00:00:00 2001 From: Pankaj Date: Fri, 29 Mar 2024 01:49:14 +0530 Subject: [PATCH 03/13] Fix --- airflow/providers/hashicorp/_internal_client/vault_client.py | 5 ++++- airflow/providers/hashicorp/secrets/vault.py | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py b/airflow/providers/hashicorp/_internal_client/vault_client.py index fa907ff62f109..44d939c7fe006 100644 --- a/airflow/providers/hashicorp/_internal_client/vault_client.py +++ b/airflow/providers/hashicorp/_internal_client/vault_client.py 
@@ -73,6 +73,7 @@ class _VaultClient(LoggingMixin): :param password: Password for Authentication (for ``ldap`` and ``userpass`` auth_types). :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type). :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types). + :param session_token: The AWS session token to use. Defaults to None. :param arn_role: The Amazon Resource Name (ARN) of the role to assume, :param federation_user: The name of the federated user :param header_value: additional header to mitigate replay attacks, potentially necessitating an argument @@ -108,6 +109,7 @@ def __init__( password: str | None = None, key_id: str | None = None, secret_id: str | None = None, + session_token: str | None = None, role_arn: str | None = None, federation_user: str | None = None, header_value: str | None = None, @@ -169,6 +171,7 @@ def __init__( self.password = password self.key_id = key_id self.secret_id = secret_id + self.session_token = session_token self.role_arn = role_arn self.federation_user = federation_user self.header_value = header_value @@ -354,7 +357,7 @@ def _auth_aws_iam(self, _client: hvac.Client) -> None: "Credentials": { "AccessKeyId": self.key_id, "SecretAccessKey": self.secret_id, - "SessionToken": None, + "SessionToken": self.session_token, } } diff --git a/airflow/providers/hashicorp/secrets/vault.py b/airflow/providers/hashicorp/secrets/vault.py index 23266ba1e5705..04a8cd8712697 100644 --- a/airflow/providers/hashicorp/secrets/vault.py +++ b/airflow/providers/hashicorp/secrets/vault.py 
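Review bot: Restoring `session_token` wires it only into the static-credential fallback (`"SessionToken": self.session_token`); the `boto3.client("sts", aws_access_key_id=..., aws_secret_access_key=...)` constructions earlier in `_auth_aws_iam`, outside this hunk, still omit `aws_session_token`, so temporary source credentials combined with `role_arn` or `federation_user` fail STS signature validation instead of chaining. Pass `aws_session_token=self.session_token` to both STS clients, and say in the `:param session_token:` docstring that it accompanies `key_id`/`secret_id` when those are temporary credentials.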
@@ -73,6 +73,7 @@ class VaultBackend(BaseSecretsBackend, LoggingMixin): :param password: Password for Authentication (for ``ldap`` and ``userpass`` auth_type). :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type). :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types). + :param session_token: The AWS session token to use. Defaults to None. :param arn_role: The Amazon Resource Name (ARN) of the role to assume :param header_value: additional header to mitigate replay attacks, potentially necessitating an argument depending on AWS auth backend configuration. Defaults to None. @@ -110,6 +111,7 @@ def __init__( password: str | None = None, key_id: str | None = None, secret_id: str | None = None, + session_token: str | None = None, role_arn: str | None = None, federation_user: str | None = None, header_value: str | None = None, @@ -154,6 +156,7 @@ def __init__( password=password, key_id=key_id, secret_id=secret_id, + session_token=session_token, role_arn=role_arn, federation_user=federation_user, header_value=header_value, From 0e82e20ffa0b59c1e42b513ca7bbdca8d377e459 Mon Sep 17 00:00:00 2001 From: Pankaj Date: Fri, 29 Mar 2024 01:53:42 +0530 Subject: [PATCH 04/13] Fix --- .../_internal_client/vault_client.py | 24 ++++++++----------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py b/airflow/providers/hashicorp/_internal_client/vault_client.py index 44d939c7fe006..58c01b6743675 100644 --- a/airflow/providers/hashicorp/_internal_client/vault_client.py +++ b/airflow/providers/hashicorp/_internal_client/vault_client.py 
@@ -361,20 +361,16 @@ def _auth_aws_iam(self, _client: hvac.Client) -> None: } } - login_args = { - "access_key": response["Credentials"]["AccessKeyId"], - "secret_key": response["Credentials"]["SecretAccessKey"], - "session_token": response["Credentials"]["SessionToken"], - "header_value": self.header_value, - "role": self.role_id, - "use_token": self.use_token, - "region": region, - } - - if self.auth_mount_point: - login_args["mount_point"] = self.auth_mount_point - - _client.auth.aws.iam_login(**login_args) + _client.auth.aws.iam_login( + access_key=response["Credentials"]["AccessKeyId"], + secret_key=response["Credentials"]["SecretAccessKey"], + session_token=response["Credentials"]["SessionToken"], + header_value=self.header_value, + role=self.role_id, + use_token=self.use_token, + region=region, + mount_point=self.auth_mount_point, + ) def _auth_approle(self, _client: hvac.Client) -> None: if self.auth_mount_point: From 4d5b0e881682be87b10cc308b5ba3af5f9da9956 Mon Sep 17 00:00:00 2001 From: Pankaj Date: Thu, 4 Apr 2024 12:36:11 +0530 Subject: [PATCH 05/13] Use AWS connection --- .../_internal_client/vault_client.py | 70 +++++-------------- airflow/providers/hashicorp/provider.yaml | 2 +- airflow/providers/hashicorp/secrets/vault.py | 18 +---- generated/provider_dependencies.json | 3 +- 4 files changed, 25 insertions(+), 68 deletions(-) diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py b/airflow/providers/hashicorp/_internal_client/vault_client.py index 58c01b6743675..5e253abb1072e 100644 --- a/airflow/providers/hashicorp/_internal_client/vault_client.py +++ b/airflow/providers/hashicorp/_internal_client/vault_client.py @@ -26,6 +26,7 @@ from requests.adapters import HTTPAdapter from urllib3.util import Retry +from airflow.providers.amazon.aws.hooks.base_aws import AwsGenericHook from airflow.utils.log.logging_mixin import LoggingMixin DEFAULT_KUBERNETES_JWT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token" 
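Review bot: `mount_point=self.auth_mount_point` is now passed unconditionally, so on the default mount hvac receives `mount_point=None` instead of being left to its own default of `aws`; as far as I can tell hvac interpolates the value straight into `/v1/auth/{mount_point}/login`, which would turn the default-mount login into a request for `auth/None/login`. Keep the `if self.auth_mount_point:` guard the previous revision had, e.g. `login_args = {...}` then `if self.auth_mount_point: login_args["mount_point"] = self.auth_mount_point`, or fall back to the literal `"aws"`. The `_auth_aws_iam` body begins before this hunk.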
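Review bot: The module-level `from airflow.providers.amazon.aws.hooks.base_aws import AwsGenericHook` makes the whole `vault_client` module — and with it the Vault secrets backend for every auth type — unimportable unless the amazon provider is installed, and it loads boto3/botocore at Airflow startup for users who never enable `aws_iam`. Import the hook lazily inside `_auth_aws_iam` and raise an error naming the missing provider, so approle, token and kubernetes deployments are unaffected.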
@@ -73,13 +74,8 @@ class _VaultClient(LoggingMixin): :param password: Password for Authentication (for ``ldap`` and ``userpass`` auth_types). :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type). :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types). - :param session_token: The AWS session token to use. Defaults to None. - :param arn_role: The Amazon Resource Name (ARN) of the role to assume, - :param federation_user: The name of the federated user - :param header_value: additional header to mitigate replay attacks, potentially necessitating an argument - depending on AWS auth backend configuration. Defaults to None. :param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types). - :param use_token: A flag indicating whether to use the token. Defaults to True., + :param aws_conn_id: AWS connection id (for ``aws_iam`` auth_type) :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type). :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default: ``/var/run/secrets/kubernetes.io/serviceaccount/token``). @@ -109,12 +105,8 @@ def __init__( password: str | None = None, key_id: str | None = None, secret_id: str | None = None, - session_token: str | None = None, - role_arn: str | None = None, - federation_user: str | None = None, - header_value: str | None = None, + aws_conn_id: str | None = None, role_id: str | None = None, - use_token: bool = True, kubernetes_role: str | None = None, kubernetes_jwt_path: str | None = "/var/run/secrets/kubernetes.io/serviceaccount/token", gcp_key_path: str | None = None, 
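Review bot: `aws_conn_id` asks this secrets backend to resolve an Airflow connection in order to authenticate to Vault, but resolving connections is exactly what the backend is for; if the AWS connection is itself stored in Vault (or in a backend consulted after this one), the lookup re-enters `_VaultClient` before it is authenticated, and nothing in this hunk guards against that recursion. The `:param aws_conn_id:` docstring should state that the connection must be resolvable without Vault (environment variable or metadata DB), and the implementation should detect re-entry rather than loop or hang. Note as well that inserting `aws_conn_id` before `role_id` shifts the positional meaning of every later parameter of `_VaultClient.__init__`.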
@@ -171,12 +163,8 @@ def __init__( self.password = password self.key_id = key_id self.secret_id = secret_id - self.session_token = session_token - self.role_arn = role_arn - self.federation_user = federation_user - self.header_value = header_value self.role_id = role_id - self.use_token = use_token + self.aws_conn_id = aws_conn_id self.kubernetes_role = kubernetes_role self.kubernetes_jwt_path = kubernetes_jwt_path self.gcp_key_path = gcp_key_path 
@@ -334,43 +322,23 @@ def _auth_azure(self, _client: hvac.Client) -> None: ) def _auth_aws_iam(self, _client: hvac.Client) -> None: - import boto3 - - region = os.environ.get("AWS_REGION") or os.environ.get("AWS_DEFAULT_REGION") or "us-east-1" - - _client.auth.aws.configure( - access_key=self.key_id, secret_key=self.secret_id, endpoint=f"https://sts.{region}.amazonaws.com" - ) - - if self.role_arn: - sts_client = boto3.client( - "sts", aws_access_key_id=self.key_id, aws_secret_access_key=self.secret_id + if self.key_id or self.secret_id or self.role_id: + _client.auth.aws.iam_login( + access_key=self.key_id, + secret_key=self.secret_id, + role=self.role_id, + mount_point=self.auth_mount_point, ) - response = sts_client.assume_role(RoleArn=self.role_arn, RoleSessionName="your-session-name") - elif self.federation_user: - sts_client = boto3.client( - "sts", aws_access_key_id=self.key_id, aws_secret_access_key=self.secret_id + elif self.aws_conn_id: + hook: AwsGenericHook = AwsGenericHook(aws_conn_id=self.aws_conn_id) + credential = hook.get_credentials() + _client.auth.aws.iam_login( + access_key=credential.access_key, + secret_key=credential.secret_key, + session_token=credential.token, + region=hook.region_name, + mount_point=self.auth_mount_point, ) - response = sts_client.get_federation_token(Name=self.federation_user) - else: - response = { - "Credentials": { - "AccessKeyId": self.key_id, - "SecretAccessKey": self.secret_id, - "SessionToken": self.session_token, - } - } - - _client.auth.aws.iam_login( - access_key=response["Credentials"]["AccessKeyId"], - secret_key=response["Credentials"]["SecretAccessKey"], - session_token=response["Credentials"]["SessionToken"], - header_value=self.header_value, - role=self.role_id, - use_token=self.use_token, - region=region, - mount_point=self.auth_mount_point, - ) def _auth_approle(self, _client: hvac.Client) -> None: if self.auth_mount_point: 
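Review bot: In the rewritten `_auth_aws_iam` the `if self.key_id or self.secret_id or self.role_id:` branch wins whenever a Vault `role_id` is configured, so `aws_conn_id` is silently ignored in that case, and the `aws_conn_id` branch never passes `role=`, leaving Vault to infer the role from the IAM principal name — a looser binding than the explicit role the operator set. If none of the four values is configured the method returns without attempting any login, and whether the caller's authentication check (outside this hunk) turns that into an error is not visible here. Both branches also pass `mount_point=self.auth_mount_point` even when it is `None`, and the connection branch forwards `region=hook.region_name`, which can also be `None` and then replaces hvac's default signing region. I would restructure so the credential source and the Vault-side options are chosen independently:
```python
    def _auth_aws_iam(self, _client: hvac.Client) -> None:
        login_kwargs = {"role": self.role_id}
        if self.auth_mount_point:
            login_kwargs["mount_point"] = self.auth_mount_point
        if self.key_id and self.secret_id:
            login_kwargs.update(access_key=self.key_id, secret_key=self.secret_id)
        elif self.aws_conn_id:
            hook = AwsGenericHook(aws_conn_id=self.aws_conn_id)
            credential = hook.get_credentials()
            login_kwargs.update(
                access_key=credential.access_key,
                secret_key=credential.secret_key,
                session_token=credential.token,
            )
            if hook.region_name:
                login_kwargs["region"] = hook.region_name
        else:
            raise ValueError("aws_iam auth_type requires key_id/secret_id or aws_conn_id")
        _client.auth.aws.iam_login(**login_kwargs)
```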
diff --git a/airflow/providers/hashicorp/provider.yaml b/airflow/providers/hashicorp/provider.yaml index 97ba19c4eac13..7f598a862662c 100644 --- a/airflow/providers/hashicorp/provider.yaml +++ b/airflow/providers/hashicorp/provider.yaml @@ -55,7 +55,7 @@ versions: dependencies: - apache-airflow>=2.6.0 - hvac>=1.1.0 - - boto3>=1.33.0 + - apache-airflow-providers-amazon>=8.0.0 integrations: - integration-name: Hashicorp Vault diff --git a/airflow/providers/hashicorp/secrets/vault.py b/airflow/providers/hashicorp/secrets/vault.py index 04a8cd8712697..70bd513fc3255 100644 --- a/airflow/providers/hashicorp/secrets/vault.py +++ b/airflow/providers/hashicorp/secrets/vault.py @@ -73,12 +73,8 @@ class VaultBackend(BaseSecretsBackend, LoggingMixin): :param password: Password for Authentication (for ``ldap`` and ``userpass`` auth_type). :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type). :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types). - :param session_token: The AWS session token to use. Defaults to None. - :param arn_role: The Amazon Resource Name (ARN) of the role to assume - :param header_value: additional header to mitigate replay attacks, potentially necessitating an argument - depending on AWS auth backend configuration. Defaults to None. :param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types). - :param use_token: A flag indicating whether to use the token. Defaults to True., + :param aws_conn_id: AWS connection id, :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type). :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default: ``/var/run/secrets/kubernetes.io/serviceaccount/token``). 
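Review bot: `apache-airflow-providers-amazon>=8.0.0` becomes a mandatory dependency of the hashicorp provider, so installing Vault support now always installs the amazon provider and boto3 even for deployments that authenticate with approle or kubernetes, and the generated file gains an `amazon` entry under `cross-providers-deps` that the amazon provider could later turn into a cycle if it ever depended on hashicorp. An optional extra plus a lazy import inside `_auth_aws_iam` is the usual pattern. In the `secrets/vault.py` docstring hunk on this line, `:param aws_conn_id: AWS connection id,` has a dangling comma and lacks the `(for ``aws_iam`` auth_type)` scoping the `_VaultClient` docstring gives the same parameter.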
@@ -111,12 +107,8 @@ def __init__( password: str | None = None, key_id: str | None = None, secret_id: str | None = None, - session_token: str | None = None, - role_arn: str | None = None, - federation_user: str | None = None, - header_value: str | None = None, role_id: str | None = None, - use_token: bool = True, + aws_conn_id: str | None = None, kubernetes_role: str | None = None, kubernetes_jwt_path: str = "/var/run/secrets/kubernetes.io/serviceaccount/token", gcp_key_path: str | None = None, @@ -156,12 +148,8 @@ def __init__( password=password, key_id=key_id, secret_id=secret_id, - session_token=session_token, - role_arn=role_arn, - federation_user=federation_user, - header_value=header_value, role_id=role_id, - use_token=use_token, + aws_conn_id=aws_conn_id, kubernetes_role=kubernetes_role, kubernetes_jwt_path=kubernetes_jwt_path, gcp_key_path=gcp_key_path, diff --git a/generated/provider_dependencies.json b/generated/provider_dependencies.json index 2a50f5bdc5412..7982b54a86f03 100644 --- a/generated/provider_dependencies.json +++ b/generated/provider_dependencies.json @@ -611,12 +611,13 @@ }, "hashicorp": { "deps": [ + "apache-airflow-providers-amazon>=8.0.0", "apache-airflow>=2.6.0", - "boto3>=1.33.0", "hvac>=1.1.0" ], "devel-deps": [], "cross-providers-deps": [ + "amazon", "google" ], "excluded-python-versions": [], From 552dc6e55b0a7c0afe787f37dca2b10d610847da Mon Sep 17 00:00:00 2001 From: Pankaj Date: Thu, 4 Apr 2024 14:12:03 +0530 Subject: [PATCH 06/13] Adjust tests --- .../hashicorp/_internal_client/test_vault_client.py | 10 ++-------- tests/providers/hashicorp/hooks/test_vault.py | 3 +++ 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/tests/providers/hashicorp/_internal_client/test_vault_client.py b/tests/providers/hashicorp/_internal_client/test_vault_client.py index a0ff4e0888676..b7b31c7917c7b 100644 --- a/tests/providers/hashicorp/_internal_client/test_vault_client.py 
+++ b/tests/providers/hashicorp/_internal_client/test_vault_client.py @@ -128,6 +128,7 @@ def test_aws_iam(self, mock_hvac): access_key="user", secret_key="pass", role="role", + mount_point=None, ) client.is_authenticated.assert_called_with() assert 2 == vault_client.kv_engine_version @@ -148,14 +149,7 @@ def test_aws_iam_different_auth_mount_point(self, mock_hvac): client = vault_client.client mock_hvac.Client.assert_called_with(url="http://localhost:8180", session=None) client.auth.aws.iam_login.assert_called_with( - access_key="user", - secret_key="pass", - session_token=None, - header_value=None, - role="role", - use_token=True, - region="us-east-1", - mount_point="other", + access_key="user", secret_key="pass", role="role", mount_point="other" ) client.is_authenticated.assert_called_with() assert 2 == vault_client.kv_engine_version diff --git a/tests/providers/hashicorp/hooks/test_vault.py b/tests/providers/hashicorp/hooks/test_vault.py index 1880be99749e6..7d40189c56955 100644 --- a/tests/providers/hashicorp/hooks/test_vault.py +++ b/tests/providers/hashicorp/hooks/test_vault.py @@ -315,6 +315,7 @@ def test_aws_iam_init_params(self, mock_hvac, mock_get_connection): access_key="user", secret_key="pass", role="role", + mount_point=None, ) test_client.is_authenticated.assert_called_with() assert 2 == test_hook.vault_client.kv_engine_version @@ -343,6 +344,7 @@ def test_aws_iam_dejson(self, mock_hvac, mock_get_connection): access_key="user", secret_key="pass", role="role", + mount_point=None, ) @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac") @@ -358,6 +360,7 @@ def test_aws_uri(self, mock_hvac): access_key="login", secret_key="pass", role="role", + mount_point=None, ) test_client.is_authenticated.assert_called_with() assert 2 == test_hook.vault_client.kv_engine_version From ea0f2a9d3421963e3af71be433487e110ce359e0 Mon Sep 17 00:00:00 2001 
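Review bot: Adding `mount_point=None` to the `iam_login.assert_called_with(...)` expectations in `test_aws_iam`, `test_aws_iam_init_params`, `test_aws_iam_dejson` and `test_aws_uri` pins the behaviour that hvac now receives `None` for the default mount instead of being left to its own default; if that is a regression from the unconditional `mount_point=self.auth_mount_point` change, these tests now guard the bug rather than catch it. Assert instead that `mount_point` is absent from the call when `auth_mount_point` is not configured, and add a test for the new `aws_conn_id` branch with `AwsGenericHook.get_credentials` mocked to return a token and region, so that path is covered at all.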
From: Pankaj Date: Sat, 13 Apr 2024 01:42:30 +0530 Subject: [PATCH 07/13] Apply review --- .../_internal_client/vault_client.py | 22 +++++++++---------- airflow/providers/hashicorp/provider.yaml | 7 +++++- airflow/providers/hashicorp/secrets/vault.py | 6 ++--- generated/provider_dependencies.json | 2 -- 4 files changed, 20 insertions(+), 17 deletions(-) diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py b/airflow/providers/hashicorp/_internal_client/vault_client.py index 5e253abb1072e..7613413caedd7 100644 --- a/airflow/providers/hashicorp/_internal_client/vault_client.py +++ b/airflow/providers/hashicorp/_internal_client/vault_client.py @@ -26,7 +26,6 @@ from requests.adapters import HTTPAdapter from urllib3.util import Retry -from airflow.providers.amazon.aws.hooks.base_aws import AwsGenericHook from airflow.utils.log.logging_mixin import LoggingMixin DEFAULT_KUBERNETES_JWT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token" @@ -75,7 +74,7 @@ class _VaultClient(LoggingMixin): :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type). :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types). :param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types). - :param aws_conn_id: AWS connection id (for ``aws_iam`` auth_type) + :param arn_role: AWS arn role (for ``aws_iam`` auth_type) :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type). :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default: ``/var/run/secrets/kubernetes.io/serviceaccount/token``). 
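Review bot: `:param arn_role: AWS arn role (for ``aws_iam`` auth_type)` does not tell the operator that, in the new `_auth_aws_iam`, the role is assumed through `boto3.client("sts")` with the ambient AWS credential chain — `key_id`/`secret_id` are not used for that call, and setting any of `key_id`, `secret_id` or `role_id` disables the assume-role path entirely — nor that boto3 is an optional extra. Suggested wording: `:param arn_role: ARN of an IAM role to assume via STS (using the ambient boto3 credential chain) before the Vault login; ignored when key_id, secret_id or role_id is set (for ``aws_iam`` auth_type, requires the boto3 extra).`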
@@ -105,7 +104,7 @@ def __init__( password: str | None = None, key_id: str | None = None, secret_id: str | None = None, - aws_conn_id: str | None = None, + arn_role: str | None = None, role_id: str | None = None, kubernetes_role: str | None = None, kubernetes_jwt_path: str | None = "/var/run/secrets/kubernetes.io/serviceaccount/token", @@ -164,7 +163,7 @@ def __init__( self.key_id = key_id self.secret_id = secret_id self.role_id = role_id - self.aws_conn_id = aws_conn_id + self.arn_role = arn_role self.kubernetes_role = kubernetes_role self.kubernetes_jwt_path = kubernetes_jwt_path self.gcp_key_path = gcp_key_path @@ -329,14 +328,15 @@ def _auth_aws_iam(self, _client: hvac.Client) -> None: role=self.role_id, mount_point=self.auth_mount_point, ) - elif self.aws_conn_id: - hook: AwsGenericHook = AwsGenericHook(aws_conn_id=self.aws_conn_id) - credential = hook.get_credentials() + elif self.arn_role: + import boto3 + + sts_client = boto3.client("sts") + temporary_credentials = sts_client.assume_role(RoleArn=self.arn_role, RoleSessionName="airflow") _client.auth.aws.iam_login( - access_key=credential.access_key, - secret_key=credential.secret_key, - session_token=credential.token, - region=hook.region_name, + access_key=temporary_credentials["Credentials"]["AccessKeyId"], + secret_key=temporary_credentials["Credentials"]["SecretAccessKey"], + session_token=temporary_credentials["Credentials"]["SessionToken"], mount_point=self.auth_mount_point, ) diff --git a/airflow/providers/hashicorp/provider.yaml b/airflow/providers/hashicorp/provider.yaml index 7f598a862662c..942b9ebde533e 100644 --- a/airflow/providers/hashicorp/provider.yaml +++ b/airflow/providers/hashicorp/provider.yaml @@ -55,7 +55,6 @@ versions: dependencies: - apache-airflow>=2.6.0 - hvac>=1.1.0 - - apache-airflow-providers-amazon>=8.0.0 integrations: - integration-name: Hashicorp Vault 
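Review bot: In the `_auth_aws_iam` hunk the `if self.key_id or self.secret_id or self.role_id:` branch is evaluated first, so `arn_role` is silently ignored whenever a Vault `role_id` is configured, and the assume-role branch never passes `role=`, which leaves Vault to infer the role from the IAM principal name rather than bind the login to the role the operator chose. The branch also still passes `mount_point=self.auth_mount_point` when it is `None`, leaves `region` at hvac's default although the STS session was resolved through boto3's own region chain, and the lazy `import boto3` surfaces as a bare `ModuleNotFoundError` instead of a message naming the new `boto3` extra. `RoleSessionName="airflow"` is not attributable in CloudTrail; a fixed but descriptive name (or one carrying the host, which needs an extra import) helps incident response. The `def _auth_aws_iam` line is outside this hunk; the rewritten branch logic would be:
```python
        login_kwargs = {"role": self.role_id}
        if self.auth_mount_point:
            login_kwargs["mount_point"] = self.auth_mount_point
        if self.arn_role:
            try:
                import boto3
            except ImportError as e:
                raise ImportError("aws_iam with arn_role requires the hashicorp provider's 'boto3' extra") from e
            sts_client = boto3.client("sts")
            creds = sts_client.assume_role(RoleArn=self.arn_role, RoleSessionName="airflow-vault-login")["Credentials"]
            login_kwargs.update(
                access_key=creds["AccessKeyId"],
                secret_key=creds["SecretAccessKey"],
                session_token=creds["SessionToken"],
                region=sts_client.meta.region_name,
            )
        else:
            login_kwargs.update(access_key=self.key_id, secret_key=self.secret_id)
        _client.auth.aws.iam_login(**login_kwargs)
```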
@@ -74,3 +73,9 @@ connection-types:
 secrets-backends:
 - airflow.providers.hashicorp.secrets.vault.VaultBackend
+
+additional-extras:
+ - name: boto3
+ dependencies:
+ # Require for AWS assume role authentication
+ - boto3>=1.33.0
diff --git a/airflow/providers/hashicorp/secrets/vault.py b/airflow/providers/hashicorp/secrets/vault.py
index 70bd513fc3255..d0aa49920c768 100644
--- a/airflow/providers/hashicorp/secrets/vault.py
+++ b/airflow/providers/hashicorp/secrets/vault.py
@@ -74,7 +74,7 @@ class VaultBackend(BaseSecretsBackend, LoggingMixin):
 :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type).
 :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types).
 :param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types).
- :param aws_conn_id: AWS connection id,
+ :param arn_role: AWS arn role,
 :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type).
 :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type,
 default: ``/var/run/secrets/kubernetes.io/serviceaccount/token``).
@@ -108,7 +108,7 @@ def __init__(
 key_id: str | None = None,
 secret_id: str | None = None,
 role_id: str | None = None,
- aws_conn_id: str | None = None,
+ arn_role: str | None = None,
 kubernetes_role: str | None = None,
 kubernetes_jwt_path: str = "/var/run/secrets/kubernetes.io/serviceaccount/token",
 gcp_key_path: str | None = None,
@@ -149,7 +149,7 @@ def __init__(
 key_id=key_id,
 secret_id=secret_id,
 role_id=role_id,
- aws_conn_id=aws_conn_id,
+ arn_role=arn_role,
 kubernetes_role=kubernetes_role,
 kubernetes_jwt_path=kubernetes_jwt_path,
 gcp_key_path=gcp_key_path,
diff --git a/generated/provider_dependencies.json b/generated/provider_dependencies.json
index 7982b54a86f03..6d88417d50143 100644
--- a/generated/provider_dependencies.json
+++ b/generated/provider_dependencies.json
@@ -611,13 +611,11 @@
 },
 "hashicorp": {
 "deps": [
- "apache-airflow-providers-amazon>=8.0.0",
 "apache-airflow>=2.6.0",
 "hvac>=1.1.0"
 ],
 "devel-deps": [],
 "cross-providers-deps": [
- "amazon",
 "google"
 ],
 "excluded-python-versions": [],
From 536d0fe7daca70abaa3123a24ab96ae08aea5a4f Mon Sep 17 00:00:00 2001 From: Pankaj Date: Sat, 20 Apr 2024 19:14:29 +0530 Subject: [PATCH 08/13] Fix auth
---
.../_internal_client/vault_client.py | 31 ++++++++++--------- 1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py b/airflow/providers/hashicorp/_internal_client/vault_client.py
index 7613413caedd7..fe77ba499a843 100644
--- a/airflow/providers/hashicorp/_internal_client/vault_client.py
+++ b/airflow/providers/hashicorp/_internal_client/vault_client.py
@@ -321,24 +321,27 @@ def _auth_azure(self, _client: hvac.Client) -> None:
 )
 def _auth_aws_iam(self, _client: hvac.Client) -> None:
- if self.key_id or self.secret_id or self.role_id:
- _client.auth.aws.iam_login(
- access_key=self.key_id,
- secret_key=self.secret_id,
- role=self.role_id,
- mount_point=self.auth_mount_point,
- )
- elif self.arn_role:
+ if self.arn_role:
 import boto3
 sts_client = boto3.client("sts")
 temporary_credentials = sts_client.assume_role(RoleArn=self.arn_role, RoleSessionName="airflow")
- _client.auth.aws.iam_login(
- access_key=temporary_credentials["Credentials"]["AccessKeyId"],
- secret_key=temporary_credentials["Credentials"]["SecretAccessKey"],
- session_token=temporary_credentials["Credentials"]["SessionToken"],
- mount_point=self.auth_mount_point,
- )
+ auth_args = {
+ "access_key": temporary_credentials["Credentials"]["AccessKeyId"],
+ "secret_key": temporary_credentials["Credentials"]["SecretAccessKey"],
+ "session_token": temporary_credentials["Credentials"]["SessionToken"],
+ }
+ else:
+ auth_args = {
+ "access_key": self.key_id,
+ "secret_key": self.secret_id,
+ "role": self.role_id,
+ }
+
+ if self.auth_mount_point:
+ auth_args["mount_point"] = self.auth_mount_point
+
+ _client.auth.aws.iam_login(**auth_args)
 def _auth_approle(self, _client: hvac.Client) -> None:
 if self.auth_mount_point:
From 67c384b0b965c4a7b20476593fd2c45665c6e967 Mon Sep 17 00:00:00 2001 From: Pankaj Date: Sat, 20 Apr 2024 21:06:07 +0530 Subject: [PATCH 09/13] Fix test
---
.../providers/hashicorp/_internal_client/test_vault_client.py | 1 - tests/providers/hashicorp/hooks/test_vault.py | 3 --- 2 files changed, 4 deletions(-)
diff --git a/tests/providers/hashicorp/_internal_client/test_vault_client.py b/tests/providers/hashicorp/_internal_client/test_vault_client.py
index b7b31c7917c7b..2973178e0a65c 100644
--- a/tests/providers/hashicorp/_internal_client/test_vault_client.py
+++ b/tests/providers/hashicorp/_internal_client/test_vault_client.py
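Review bot: The new `else:` branch builds `auth_args` from `self.key_id`/`self.secret_id`/`self.role_id` unconditionally, whereas the removed `if self.key_id or self.secret_id or self.role_id:` guard skipped the login when none of them was configured; with `arn_role` and the keys all unset the client now calls `iam_login` with `access_key=None`, and the failure surfaces as an hvac/Vault error rather than a message naming the missing setting. A guard before the dict, `if not (self.key_id and self.secret_id): raise ValueError("aws_iam auth_type requires key_id and secret_id, or arn_role")`, would make the misconfiguration explicit (PATCH 12 later replaces this branch with a fallback to the boto3 default credential chain instead). The `import boto3` in the `arn_role` branch pulls in the optional `boto3` extra that PATCH 07 declares in provider.yaml; wrapping it in `try/except ImportError` and re-raising with the extra's name would give operators an actionable message, and PATCH 12 keeps the same bare import.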
@@ -128,7 +128,6 @@ def test_aws_iam(self, mock_hvac):
 access_key="user",
 secret_key="pass",
 role="role",
- mount_point=None,
 )
 client.is_authenticated.assert_called_with()
 assert 2 == vault_client.kv_engine_version
diff --git a/tests/providers/hashicorp/hooks/test_vault.py b/tests/providers/hashicorp/hooks/test_vault.py
index 7d40189c56955..1880be99749e6 100644
--- a/tests/providers/hashicorp/hooks/test_vault.py
+++ b/tests/providers/hashicorp/hooks/test_vault.py
@@ -315,7 +315,6 @@ def test_aws_iam_init_params(self, mock_hvac, mock_get_connection):
 access_key="user",
 secret_key="pass",
 role="role",
- mount_point=None,
 )
 test_client.is_authenticated.assert_called_with()
 assert 2 == test_hook.vault_client.kv_engine_version
@@ -344,7 +343,6 @@ def test_aws_iam_dejson(self, mock_hvac, mock_get_connection):
 access_key="user",
 secret_key="pass",
 role="role",
- mount_point=None,
 )
 @mock.patch("airflow.providers.hashicorp._internal_client.vault_client.hvac")
@@ -360,7 +358,6 @@ def test_aws_uri(self, mock_hvac):
 access_key="login",
 secret_key="pass",
 role="role",
- mount_point=None,
 )
 test_client.is_authenticated.assert_called_with()
 assert 2 == test_hook.vault_client.kv_engine_version
From ad1c59d2738380abb2d7cafb77014e0ef62a7d82 Mon Sep 17 00:00:00 2001 From: Pankaj Date: Sun, 21 Apr 2024 13:35:33 +0530 Subject: [PATCH 10/13] Add docs
---
.../secrets-backends/hashicorp-vault.rst | 12 ++++++++++++ 1 file changed, 12 insertions(+)
diff --git a/docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst b/docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst
index f5b8d4e9be47d..c0006099c77a2 100644
--- a/docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst
+++ b/docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst
@@ -217,6 +217,18 @@ Add "verify": "absolute path to ca-certificate file" backend = airflow.providers.hashicorp.secrets.vault.VaultBackend backend_kwargs = {"connections_path": "airflow-connections", "variables_path": null, "mount_point": "airflow", "url": "http://127.0.0.1:8200", "verify": "/etc/ssl/certs/ca-certificates"} +Vault authentication with AWS Assume Role STS +"""""""""""""""""""""""""""""""""""""""""""" + +Add parameter "arn_role": "The AWS ARN of the role to assume" + +.. code-block:: ini + + [secrets] + backend = airflow.providers.hashicorp.secrets.vault.VaultBackend + backend_kwargs = {"connections_path": "airflow-connections", "variables_path": null, "mount_point": "airflow", "url": "http://127.0.0.1:8200", "auth_type": "aws_iam", "arn_role": "arn:aws:iam::123456789000:role/hashicorp-aws-iam-role"} + + Using multiple mount points """"""""""""""""""""""""""" From cb82eed3d162c06d0ec9ea0d9073ae72e74c46dc Mon Sep 17 00:00:00 2001 From: Pankaj Date: Sun, 21 Apr 2024 13:37:22 +0530 Subject: [PATCH 11/13] Fix docs --- .../secrets-backends/hashicorp-vault.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst b/docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst index c0006099c77a2..86360f01da3cd 100644 --- a/docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst +++ b/docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst @@ -218,7 +218,7 @@ Add "verify": "absolute path to ca-certificate file" backend_kwargs = {"connections_path": "airflow-connections", "variables_path": null, "mount_point": "airflow", "url": "http://127.0.0.1:8200", "verify": "/etc/ssl/certs/ca-certificates"} Vault authentication with AWS Assume Role STS -"""""""""""""""""""""""""""""""""""""""""""" +""""""""""""""""""""""""""""""""""""""""""""" Add parameter "arn_role": "The AWS ARN of the role to assume" 
From d7fb3bfe24685d33b627a804ef745cd6a2fb56fb Mon Sep 17 00:00:00 2001 From: Pankaj Date: Tue, 23 Apr 2024 01:07:45 +0530 Subject: [PATCH 12/13] Add session auth
---
.../_internal_client/vault_client.py | 37 ++++++++++++------- airflow/providers/hashicorp/secrets/vault.py | 6 +-- .../secrets-backends/hashicorp-vault.rst | 2 +- 3 files changed, 27 insertions(+), 18 deletions(-)
diff --git a/airflow/providers/hashicorp/_internal_client/vault_client.py b/airflow/providers/hashicorp/_internal_client/vault_client.py
index fe77ba499a843..ffc338217a3a9 100644
--- a/airflow/providers/hashicorp/_internal_client/vault_client.py
+++ b/airflow/providers/hashicorp/_internal_client/vault_client.py
@@ -74,7 +74,7 @@ class _VaultClient(LoggingMixin):
 :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type).
 :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types).
 :param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types).
- :param arn_role: AWS arn role (for ``aws_iam`` auth_type)
+ :param role_arn: AWS arn role (for ``aws_iam`` auth_type)
 :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type).
 :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type,
 default: ``/var/run/secrets/kubernetes.io/serviceaccount/token``).
@@ -104,7 +104,7 @@ def __init__(
 password: str | None = None,
 key_id: str | None = None,
 secret_id: str | None = None,
- arn_role: str | None = None,
+ role_arn: str | None = None,
 role_id: str | None = None,
 kubernetes_role: str | None = None,
 kubernetes_jwt_path: str | None = "/var/run/secrets/kubernetes.io/serviceaccount/token",
@@ -163,7 +163,7 @@ def __init__(
 self.key_id = key_id
 self.secret_id = secret_id
 self.role_id = role_id
- self.arn_role = arn_role
+ self.role_arn = role_arn
 self.kubernetes_role = kubernetes_role
 self.kubernetes_jwt_path = kubernetes_jwt_path
 self.gcp_key_path = gcp_key_path
@@ -321,22 +321,31 @@ def _auth_azure(self, _client: hvac.Client) -> None:
 )
 def _auth_aws_iam(self, _client: hvac.Client) -> None:
- if self.arn_role:
- import boto3
-
- sts_client = boto3.client("sts")
- temporary_credentials = sts_client.assume_role(RoleArn=self.arn_role, RoleSessionName="airflow")
- auth_args = {
- "access_key": temporary_credentials["Credentials"]["AccessKeyId"],
- "secret_key": temporary_credentials["Credentials"]["SecretAccessKey"],
- "session_token": temporary_credentials["Credentials"]["SessionToken"],
- }
- else:
+ if self.key_id and self.secret_id:
 auth_args = {
 "access_key": self.key_id,
 "secret_key": self.secret_id,
 "role": self.role_id,
 }
+ else:
+ import boto3
+
+ if self.role_arn:
+ sts_client = boto3.client("sts")
+ credentials = sts_client.assume_role(RoleArn=self.role_arn, RoleSessionName="airflow")
+ auth_args = {
+ "access_key": credentials["Credentials"]["AccessKeyId"],
+ "secret_key": credentials["Credentials"]["SecretAccessKey"],
+ "session_token": credentials["Credentials"]["SessionToken"],
+ }
+ else:
+ session = boto3.Session()
+ credentials = session.get_credentials()
+ auth_args = {
+ "access_key": credentials.access_key,
+ "secret_key": credentials.secret_key,
+ "session_token": credentials.token,
+ }
 if self.auth_mount_point:
 auth_args["mount_point"] = self.auth_mount_point
diff --git a/airflow/providers/hashicorp/secrets/vault.py b/airflow/providers/hashicorp/secrets/vault.py
index d0aa49920c768..b29ae774612af 100644
--- a/airflow/providers/hashicorp/secrets/vault.py
+++ b/airflow/providers/hashicorp/secrets/vault.py
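Review bot: In the default-chain branch `session.get_credentials()` returns `None` when boto3 finds no credentials, so `credentials.access_key` fails with an `AttributeError` instead of a message naming the misconfiguration; a check `if credentials is None: raise ValueError("aws_iam auth_type: no AWS credentials found in the boto3 default chain")` before building `auth_args` would make that explicit. Reading `.access_key`, `.secret_key` and `.token` as three separate attribute accesses can straddle a refresh when the provider hands back refreshable credentials (instance-profile, container or SSO providers), producing a key and session token that do not belong together; `frozen = credentials.get_frozen_credentials()` and reading the three fields from `frozen` gives a consistent snapshot. The `auth_args` assembled here are passed to `iam_login` on lines below the hunk.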
@@ -74,7 +74,7 @@ class VaultBackend(BaseSecretsBackend, LoggingMixin):
 :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type).
 :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types).
 :param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types).
- :param arn_role: AWS arn role,
+ :param role_arn: AWS arn role,
 :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type).
 :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type,
 default: ``/var/run/secrets/kubernetes.io/serviceaccount/token``).
@@ -108,7 +108,7 @@ def __init__(
 key_id: str | None = None,
 secret_id: str | None = None,
 role_id: str | None = None,
- arn_role: str | None = None,
+ role_arn: str | None = None,
 kubernetes_role: str | None = None,
 kubernetes_jwt_path: str = "/var/run/secrets/kubernetes.io/serviceaccount/token",
 gcp_key_path: str | None = None,
@@ -149,7 +149,7 @@ def __init__(
 key_id=key_id,
 secret_id=secret_id,
 role_id=role_id,
- arn_role=arn_role,
+ role_arn=role_arn,
 kubernetes_role=kubernetes_role,
 kubernetes_jwt_path=kubernetes_jwt_path,
 gcp_key_path=gcp_key_path,
diff --git a/docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst b/docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst
index 86360f01da3cd..8adfef6d0d4ea 100644
--- a/docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst
+++ b/docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst
@@ -226,7 +226,7 @@ Add parameter "arn_role": "The AWS ARN of the role to assume" [secrets] backend = airflow.providers.hashicorp.secrets.vault.VaultBackend - backend_kwargs = {"connections_path": "airflow-connections", "variables_path": null, "mount_point": "airflow", "url": "http://127.0.0.1:8200", "auth_type": "aws_iam", "arn_role": "arn:aws:iam::123456789000:role/hashicorp-aws-iam-role"} + backend_kwargs = {"connections_path": "airflow-connections", "variables_path": null, "mount_point": "airflow", "url": "http://127.0.0.1:8200", "auth_type": "aws_iam", "role_arn": "arn:aws:iam::123456789000:role/hashicorp-aws-iam-role"} Using multiple mount points From cf702808a278d640dd18c40167860e138b6b3e8d Mon Sep 17 00:00:00 2001 From: Pankaj Date: Wed, 24 Apr 2024 21:33:58 +0530 Subject: [PATCH 13/13] Fix docs --- .../secrets-backends/hashicorp-vault.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst b/docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst index 8adfef6d0d4ea..3227b0ef58dea 100644 --- a/docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst +++ b/docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst @@ -220,7 +220,7 @@ Add "verify": "absolute path to ca-certificate file" Vault authentication with AWS Assume Role STS """"""""""""""""""""""""""""""""""""""""""""" -Add parameter "arn_role": "The AWS ARN of the role to assume" +Add parameter "role_arn": "The AWS ARN of the role to assume" .. code-block:: ini