Expose AWS IAM missing param in Hashicorp secret #38536
Conversation
boring-cyborg
bot
added
area:providers
area:secrets
provider:hashicorp
pankajastro
force-pushed
the
fix_iam_auth
branch
from
c17f00f
to
58e7be9
Compare
pankajastro
force-pushed
the
fix_iam_auth
branch
from
58e7be9
to
0232640
Compare
pankajastro
requested review from
pankajkoti,
phanikumv,
Lee-W,
utkarsharma2 and
sunank200
pankajastro
force-pushed
the
fix_iam_auth
branch
2 times, most recently
from
28466a7
to
900e319
Compare
pankajastro
force-pushed
the
fix_iam_auth
branch
from
619c3c9
to
ad1c59d
Compare
docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst
Outdated
Show resolved
Hide resolved
|
|
||
| if self.role_arn: | ||
| sts_client = boto3.client("sts") | ||
| credentials = sts_client.assume_role(RoleArn=self.role_arn, RoleSessionName="airflow") |
There was a problem hiding this comment.
@pankajastro - we should consider exposing assume_role_kwargs as a backend_kwarg.
This is currently available as an AWS Connection Extra parameter.
There was a problem hiding this comment.
Could you please share an example of AIRFLOW__SECRETS__BACKEND_KWARGS?
There was a problem hiding this comment.
Please see the Request Syntax section for example kwargs.
I imagine it would be a dictionary that you would pass to AIRFLOW__SECRETS__BACKEND_KWARGS, like one does today in the AWS connection.
There was a problem hiding this comment.
wdyt #39279
AIRFLOW__SECRETS__BACKEND_KWARGS='{"kv_engine_version": 1, "mount_point": "kv", "variables_path": "airflow", "url": "http://127.0.0.0:8200/", "auth_type": "aws_iam", "assume_role_kwargs": {"RoleArn": "arn:aws:iam::1234567890000:role/hashicorp-aws-iam", "RoleSessionName": "airflow", "DurationSeconds": 900}}'
There was a problem hiding this comment.
Yes that looks good (assuming that it works). You wouldn't need a role_arn arg in this case.
There was a problem hiding this comment.
It's included in the assume_role_kwargs parameter. I've shared an example for reference ^^
There was a problem hiding this comment.
Agreed. I am saying you no longer need a dedicated role_arn backend kwarg. It would be a part of assume_role_kwargs.
* Expose aws iam missing param in hashicorp secret
Expose arn_role param in VaultBackend and add boto3 as an additional dependency. This will help authenticate with temporary credentials.
Also, expose auth with session cred if iam or static secret not provided
Example config
AIRFLOW__SECRETS__BACKEND_KWARGS='{"kv_engine_version": 1, "mount_point": "kv", "url": "http://35.161.42.91:8200/", "auth_type": "aws_iam", "arn_role": "arn:aws:iam::123456789000:role/hashicorp-aws-iam-role"}'
AIRFLOW__SECRETS__BACKEND_KWARGS='{"kv_engine_version": 1, "mount_point": "kv", "url": "http://35.161.42.91:8200/", "auth_type": "aws_iam"}'
Expose
arn_roleparam inVaultBackendand addboto3as an additional dependency. This will help authenticate with temporary credentials.Example config
Exposeaws_conn_idparam inVaultBackendand addapache-airflow-providers-amazonas dependencyThis PR expose below missing param in hashicorp secret for aws auth- session_token- header_value- use_token- regionhttps://github.com/hvac/hvac/blob/48027db42c037fe8f6b1c6fd8f6dbf80c1ea8595/hvac/api/auth_methods/aws.py#L734-L743
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named
{pr_number}.significant.rstor{issue_number}.significant.rst, in newsfragments.