docs: Write to secrets store is not supported by design #37814

Merged
merged 3 commits into from
Mar 1, 2024
18 changes: 18 additions & 0 deletions docs/apache-airflow-providers/core-extensions/secrets-backends.rst
Expand Up @@ -26,6 +26,24 @@ than from its own Database. While storing such information in Airflow's database
enterprise customers already have some secret managers storing secrets, and Airflow can tap into those
via providers that implement secrets backends for services Airflow integrates with.

.. note::

Secret Backend integration do not allow writes to the secret backend.
This is a design choice as normally secret stores require elevated permissions to write as it is a protected resource.
That means ``Variable.set(...)`` will write to the Airflow metastore even if you use secret backend.
If you need to update a value of a secret stored in the secret backend you must do it explicitly. That can be done
by using operator that writes to the secret backend of your choice.

.. warning::

If you have key ``foo`` in secret backend and you will do ``Variable.set(key='foo',...)`` it will create
Airflow Variable with key ``foo`` in the Airflow metastore. It means you will have 2 secrets with key ``foo``.
While this is possible, Airflow detects that this situation is likely wrong and output to the task log a warning that
explains while the write request is honored it will be ignored with the next read. The reason for this is when
executing ``Variable.get('foo')``, it will read the value from the secret backend. The value stored in Airflow
metastore will be ignored due to priority given to the secret backend.


You can also take a
look at Secret backends available in the core Airflow in
:doc:`apache-airflow:security/secrets/secrets-backend/index` and here you can see the ones
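Review bot: The sentence in the warning block that begins "While this is possible, Airflow detects that this situation is likely wrong and output to the task log a warning" is hard to parse and has an agreement error ("detects ... and output"). Suggest something like "Airflow detects this situation and writes a warning to the task log explaining that the write is honored but the value will be ignored on the next read." The note block opens with a similar slip: "Secret Backend integration do not allow writes" should read "does not allow writes" (or "integrations do not"). The warning also stops at saying there will be two secrets with key ``foo``. It would help to say what the user should do with the metastore copy, since by this text ``Variable.get('foo')`` never returns it while the secret backend holds the key. Lastly, "by using operator that writes to the secret backend of your choice" gives the reader nothing to follow up on. A link or one named example would make that instruction actionable.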