From 04b2040520f502b537b51b19350fca5e04396afe Mon Sep 17 00:00:00 2001
From: Daniel Wolf <95075445+wolfdn@users.noreply.github.com>
Date: Tue, 19 May 2026 06:11:55 +0000
Subject: [PATCH 1/5] Fix error messages in PythonVirtualenvOperator when Azure
 Key Vault secret backend is configured

---
 .../providers/microsoft/azure/secrets/key_vault.py     | 10 ++++++++++
 .../unit/microsoft/azure/secrets/test_key_vault.py     | 10 ++++++++++
 providers/standard/docs/operators/python.rst           |  2 +-
 .../src/airflow/providers/standard/operators/python.py |  2 +-
 4 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/providers/microsoft/azure/src/airflow/providers/microsoft/azure/secrets/key_vault.py b/providers/microsoft/azure/src/airflow/providers/microsoft/azure/secrets/key_vault.py
index d47384df130c2..887c7e176a8bd 100644
--- a/providers/microsoft/azure/src/airflow/providers/microsoft/azure/secrets/key_vault.py
+++ b/providers/microsoft/azure/src/airflow/providers/microsoft/azure/secrets/key_vault.py
@@ -238,6 +238,16 @@ def _get_secret(self, path_prefix: str, secret_id: str, team_name: str | None =
     def _get_secret_value(self, path_prefix: str, secret_id: str) -> str | None:
         """Get an Azure Key Vault secret value for the given prefix and key."""
         name = self.build_path(path_prefix, secret_id, self.sep)
+        # Azure Key Vault secret names must be 1-127 characters, containing only 0-9, a-z, A-Z, and -.
+        # https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#object-identifiers
+        if not re.fullmatch(r"[0-9a-zA-Z-]{1,127}", name):
+            self.log.warning(
+                "Secret name %r is not valid. "
+                "Azure Key Vault secret names must be 1-127 characters long "
+                "and contain only alphanumeric characters and dashes.",
+                name,
+            )
+            return None
         try:
             secret = self.client.get_secret(name=name)
             return secret.value
diff --git a/providers/microsoft/azure/tests/unit/microsoft/azure/secrets/test_key_vault.py b/providers/microsoft/azure/tests/unit/microsoft/azure/secrets/test_key_vault.py
index 8e0078535dc8a..128d6d9aafb54 100644
--- a/providers/microsoft/azure/tests/unit/microsoft/azure/secrets/test_key_vault.py
+++ b/providers/microsoft/azure/tests/unit/microsoft/azure/secrets/test_key_vault.py
@@ -188,3 +188,13 @@ def test_client_authenticate_with_client_secret_credential(
         backend.client
         assert not mock_defaul_azure_credential.called
         mock_client_secret_credential.assert_called_once()
+
+    @mock.patch(f"{KEY_VAULT_MODULE}.AzureKeyVaultBackend.client")
+    def test_get_variable_returns_none_for_invalid_secret_name(self, mock_client):
+        """
+        Test that if the variable key produces an invalid Azure Key Vault secret name
+        (e.g. contains dots), the backend returns None without calling the API.
+        """
+        backend = AzureKeyVaultBackend()
+        assert backend.get_variable("SomeOperator.cache_key") is None
+        mock_client.get_secret.assert_not_called()
diff --git a/providers/standard/docs/operators/python.rst b/providers/standard/docs/operators/python.rst
index a87762c11cdf1..30f7151e55bef 100644
--- a/providers/standard/docs/operators/python.rst
+++ b/providers/standard/docs/operators/python.rst
@@ -257,7 +257,7 @@ different workers, it might happen that virtual environment are created on multi
 of the worker will drop the cache (assuming ``venv_cache_path`` is not on a persistent volume).
 
 In case you have problems during runtime with broken cached virtual environments, you can influence the cache directory hash by setting the Airflow variable
-``PythonVirtualenvOperator.cache_key`` to any text. The content of this variable is uses in the vector to calculate the cache directory key.
+``python_virtualenv_operator_cache_key`` to any text. The content of this variable is used in the vector to calculate the cache directory key.
 
 Note that any modification of a cached virtual environment (like temp files in binary path, post-installing further requirements) might pollute a cached virtual environment and the
 operator is not maintaining or cleaning the cache path.
diff --git a/providers/standard/src/airflow/providers/standard/operators/python.py b/providers/standard/src/airflow/providers/standard/operators/python.py
index eedd9a68ad0ec..fb058b924b6ca 100644
--- a/providers/standard/src/airflow/providers/standard/operators/python.py
+++ b/providers/standard/src/airflow/providers/standard/operators/python.py
@@ -954,7 +954,7 @@ def _calculate_cache_hash(self, exclude_cloudpickle: bool = False) -> tuple[str,
             "requirements_list": self._requirements_list(exclude_cloudpickle=exclude_cloudpickle),
             "pip_install_options": self.pip_install_options,
             "index_urls": self.index_urls,
-            "cache_key": str(Variable.get("PythonVirtualenvOperator.cache_key", "")),
+            "cache_key": str(Variable.get("python_virtualenv_operator_cache_key", "")),
             "python_version": self.python_version,
             "system_site_packages": self.system_site_packages,
         }

From 15d06cf522fa1ae70caa3c677d7917c3f32b05c4 Mon Sep 17 00:00:00 2001
From: Daniel Wolf <95075445+wolfdn@users.noreply.github.com>
Date: Tue, 19 May 2026 06:40:59 +0000
Subject: [PATCH 2/5] Update changelog

---
 providers/standard/docs/changelog.rst | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/providers/standard/docs/changelog.rst b/providers/standard/docs/changelog.rst
index 04442623062a6..334fdd1fc464f 100644
--- a/providers/standard/docs/changelog.rst
+++ b/providers/standard/docs/changelog.rst
@@ -44,6 +44,11 @@ Features
 * ``Add run_after to TriggerDagRunOperator (#62259)``
 * ``Add partition_key to Context (#65359)``
 
+Misc
+~~~~
+
+* ``Rename default PythonVirtualenvOperator.cache_key variable to python_virtualenv_operator_cache_key (#67157)``
+
 .. Below changes are excluded from the changelog. Move them to
    appropriate section above if needed. Do not delete the lines(!):
    * ``Add explicit [tool.flit.sdist] sections to flit-based pyproject.tomls (#65861)``

From eef8f7378b5e6b3fee36898003bc28c9c1b45064 Mon Sep 17 00:00:00 2001
From: Daniel Wolf <95075445+wolfdn@users.noreply.github.com>
Date: Tue, 19 May 2026 06:49:20 +0000
Subject: [PATCH 3/5] Add warning to changelog

---
 providers/standard/docs/changelog.rst | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/providers/standard/docs/changelog.rst b/providers/standard/docs/changelog.rst
index 334fdd1fc464f..a35c3cd213599 100644
--- a/providers/standard/docs/changelog.rst
+++ b/providers/standard/docs/changelog.rst
@@ -35,6 +35,13 @@
 Changelog
 ---------
 
+.. warning::
+  The Airflow variable used by ``PythonVirtualenvOperator`` to store the virtualenv cache hash
+  has been renamed from ``PythonVirtualenvOperator.cache_key`` to ``python_virtualenv_operator_cache_key``.
+  The old name contained a dot which is incompatible with secrets backends that restrict allowed
+  characters (e.g. Azure Key Vault). Cached virtual environments will be rebuilt once due to the
+  changed hash input.
+
 1.13.0
 ......
 

From 25965cfeb5cdf14b28b8134e2e3f82d86f34879f Mon Sep 17 00:00:00 2001
From: Daniel Wolf <95075445+wolfdn@users.noreply.github.com>
Date: Tue, 19 May 2026 06:51:18 +0000
Subject: [PATCH 4/5] Remove `misc` entry from changelog

---
 providers/standard/docs/changelog.rst | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/providers/standard/docs/changelog.rst b/providers/standard/docs/changelog.rst
index a35c3cd213599..97a515888aa4d 100644
--- a/providers/standard/docs/changelog.rst
+++ b/providers/standard/docs/changelog.rst
@@ -51,11 +51,6 @@ Features
 * ``Add run_after to TriggerDagRunOperator (#62259)``
 * ``Add partition_key to Context (#65359)``
 
-Misc
-~~~~
-
-* ``Rename default PythonVirtualenvOperator.cache_key variable to python_virtualenv_operator_cache_key (#67157)``
-
 .. Below changes are excluded from the changelog. Move them to
    appropriate section above if needed. Do not delete the lines(!):
    * ``Add explicit [tool.flit.sdist] sections to flit-based pyproject.tomls (#65861)``

From 288468c7830735367826e179b6855bea6b9c0e22 Mon Sep 17 00:00:00 2001
From: Daniel Wolf <95075445+wolfdn@users.noreply.github.com>
Date: Tue, 19 May 2026 06:55:22 +0000
Subject: [PATCH 5/5] Correct wording in warning message

---
 providers/standard/docs/changelog.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/providers/standard/docs/changelog.rst b/providers/standard/docs/changelog.rst
index 97a515888aa4d..b56884885cd98 100644
--- a/providers/standard/docs/changelog.rst
+++ b/providers/standard/docs/changelog.rst
@@ -36,7 +36,7 @@ Changelog
 ---------
 
 .. warning::
-  The Airflow variable used by ``PythonVirtualenvOperator`` to store the virtualenv cache hash
+  The Airflow variable used by ``PythonVirtualenvOperator`` to override the virtualenv cache hash
   has been renamed from ``PythonVirtualenvOperator.cache_key`` to ``python_virtualenv_operator_cache_key``.
   The old name contained a dot which is incompatible with secrets backends that restrict allowed
   characters (e.g. Azure Key Vault). Cached virtual environments will be rebuilt once due to the