Add JWT/OIDC authentication support to Hashicorp Vault provider#61439

Merged
jason810496 merged 30 commits into apache:main from piotrlinski:feature/hashicorp-vault-jwt-auth
Feb 9, 2026

Conversation

@piotrlinski piotrlinski commented Feb 4, 2026

This adds JWT/OIDC authentication method support to the Hashicorp Vault provider, enabling token-less authentication through identity federation.

Key features:

  • New 'jwt' auth_type for VaultClient, VaultHook, and VaultBackend
  • Support for jwt_token parameter or automatic token retrieval from jwt_path
  • Configurable jwt_role for Vault role binding
  • Full backwards compatibility with existing auth methods

Use cases enabled:

  • Kubernetes workload identity with projected service account tokens
  • Cloud provider identity (AWS IAM roles, GCP Workload Identity, Azure AD)
  • CI/CD pipelines (GitHub Actions OIDC, GitLab CI)
  • External identity providers (Auth0, Okta, Keycloak)

Was generative AI tooling used to co-author this PR?
  • Yes (please specify the tool below)


This adds JWT/OIDC authentication method support to the Hashicorp Vault
provider, enabling token-less authentication through identity federation.

Key features:
- New 'jwt' auth_type for VaultClient, VaultHook, and VaultBackend
- Support for jwt_token parameter or automatic token retrieval from jwt_path
- Configurable jwt_role for Vault role binding
- Full backwards compatibility with existing auth methods

Use cases enabled:
- Kubernetes workload identity with projected service account tokens
- Cloud provider identity (AWS IAM roles, GCP Workload Identity, Azure AD)
- CI/CD pipelines (GitHub Actions OIDC, GitLab CI)
- External identity providers (Auth0, Okta, Keycloak)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
boring-cyborg bot commented Feb 4, 2026

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about anything, please check our Contributors' Guide (https://github.com/apache/airflow/blob/main/contributing-docs/README.rst)
Here are some useful points:

  • Pay attention to the quality of your code (ruff, mypy and type annotations). Our prek-hooks will help you with that.
  • In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide. Consider adding an example DAG that shows how users should use it.
  • Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
  • Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
  • Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
  • Be sure to read the Airflow Coding style.
  • Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.
    Apache Airflow is a community-driven project and together we are making it better 🚀.
    In case of doubts contact the developers at:
    Mailing List: dev@airflow.apache.org
    Slack: https://s.apache.org/airflow-slack

@piotrlinski piotrlinski force-pushed the feature/hashicorp-vault-jwt-auth branch from 67cfccc to e41fbc4 Compare February 4, 2026 12:08
This adds JWT/OIDC authentication method support to the Hashicorp Vault
provider, enabling token-less authentication through identity federation.

Key features:
- New 'jwt' auth_type for VaultClient, VaultHook, and VaultBackend
- Support for jwt_token parameter or automatic token retrieval from jwt_token_path
- Default jwt_token_path set to /var/run/secrets/kubernetes.io/serviceaccount/token
  (standard Kubernetes service account token path)
- Configurable jwt_role for Vault role binding
- Full backwards compatibility with existing auth methods

Use cases enabled:
- Kubernetes workload identity with projected service account tokens
- Cloud provider identity (AWS IAM roles, GCP Workload Identity, Azure AD)
- CI/CD pipelines (GitHub Actions OIDC, GitLab CI)
- External identity providers (Auth0, Okta, Keycloak)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@piotrlinski piotrlinski force-pushed the feature/hashicorp-vault-jwt-auth branch from e41fbc4 to 8c4b25a Compare February 4, 2026 12:12
@eladkal eladkal requested review from Lee-W and jason810496 February 5, 2026 08:08
@piotrlinski piotrlinski requested a review from Lee-W February 5, 2026 11:30
@piotrlinski piotrlinski requested a review from Lee-W February 5, 2026 14:21
piotrlinski (Contributor, Author) commented:
There is still one thing I am not sure about: I made the default path for the jwt_token_path like for Kubernetes (usually it goes with Kubernetes), however the JWT method does not have to be related to k8s in any way, therefore I am not sure if we should keep it as default or remove it - you need to pass the jwt_token (string) or jwt_token_path (path to a file with a token).

Lee-W (Member) left a review comment:

a few nits, but overall looks good

Lee-W commented Feb 6, 2026

> There is still one thing I am not sure about: I made the default path for the jwt_token_path like for Kubernetes (usually it goes with Kubernetes), however the JWT method does not have to be related to k8s in any way, therefore I am not sure if we should keep it as default or remove it - you need to pass the jwt_token (string) or jwt_token_path (path to a file with a token).

Passing it might be better, as it doesn't always go with k8s.

piotrlinski and others added 3 commits February 6, 2026 11:15
Replace assert_called_with with call_args_list assertions in JWT tests
to verify exact number of calls. Inline kwargs dicts directly into
VaultHook() constructor calls where they are only used once.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@piotrlinski piotrlinski requested a review from Lee-W February 6, 2026 12:29
Lee-W commented Feb 7, 2026

@jason810496 would appreciate a second pair of eyes. Thanks!

jason810496 (Member) left a review comment:

Thank you for the PR! LGTM overall.

piotrlinski and others added 4 commits February 7, 2026 15:49
- fix documentation
- minor fix
JWT is a general-purpose Vault auth method, not tied to Kubernetes.
Remove the DEFAULT_JWT_TOKEN_PATH constant (which pointed to the K8s
service account token path) and its fallback in VaultHook. Users must
now explicitly provide either jwt_token or jwt_token_path when using
JWT auth, otherwise _VaultClient raises a clear validation error.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
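The two points the thread settles are (1) that a `jwt` auth_type takes the token either inline (`jwt_token`) or from a file (`jwt_token_path`) and selects a Vault role via `jwt_role`, and (2) that after the last commit there is no Kubernetes default path any more, so a missing token is a validation error rather than a silent fallback. The following is an added, self-contained illustration of that contract; it is not the Airflow provider's code, and `JwtAuthConfig`, `resolve_jwt_token`, `build_login_request`, `peek_claims` and `is_expired` are hypothetical names. What is not hypothetical is the request shape: Vault's JWT/OIDC auth method is logged into with `POST /v1/auth/<mount>/login` carrying `role` and `jwt`. The sample token is constructed and unsigned; Vault, not the client, verifies signatures against the issuer's keys.

```python
from __future__ import annotations

import base64
import json
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path


class VaultAuthConfigError(ValueError):
    """Raised when jwt auth settings are missing or contradictory (hypothetical name)."""


@dataclass(frozen=True)
class JwtAuthConfig:
    """Hypothetical settings mirroring the PR's jwt_role / jwt_token / jwt_token_path."""

    jwt_role: str
    jwt_token: str | None = None
    jwt_token_path: str | None = None
    mount_point: str = "jwt"  # Vault mounts the JWT/OIDC method at auth/jwt by default


def resolve_jwt_token(cfg: JwtAuthConfig) -> str:
    """Return the JWT to present to Vault, reading it from disk if a path was given.

    Deliberately no fallback path: as in the final commit, a missing token is a
    configuration error, never a guess at a Kubernetes service-account path.
    """
    if cfg.jwt_token and cfg.jwt_token_path:
        raise VaultAuthConfigError("set either jwt_token or jwt_token_path, not both")
    if cfg.jwt_token:
        return cfg.jwt_token.strip()
    if cfg.jwt_token_path:
        # Projected service-account tokens rotate in place, so read on every login.
        token = Path(cfg.jwt_token_path).read_text(encoding="utf-8").strip()
        if not token:
            raise VaultAuthConfigError(f"{cfg.jwt_token_path} is empty")
        return token
    raise VaultAuthConfigError("auth_type 'jwt' requires jwt_token or jwt_token_path")


def build_login_request(cfg: JwtAuthConfig) -> tuple[str, dict[str, str]]:
    """Endpoint and body Vault's JWT auth method expects: POST /v1/auth/<mount>/login."""
    body = {"role": cfg.jwt_role, "jwt": resolve_jwt_token(cfg)}
    return f"/v1/auth/{cfg.mount_point}/login", body


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature.

    Only for pre-flight diagnostics (is the token expired? does `aud` match the
    role's bound audience?). Trust decisions stay with Vault.
    """
    try:
        _header, payload, _signature = token.split(".")
    except ValueError as exc:
        raise VaultAuthConfigError("jwt_token is not a three-part JWT") from exc
    return json.loads(_b64url_decode(payload))


def is_expired(token: str, now: float | None = None) -> bool:
    """True when the token's `exp` claim is at or before `now` (default: current time)."""
    exp = peek_claims(token).get("exp")
    current = time.time() if now is None else now
    return exp is not None and current >= exp


def make_sample_token(claims: dict) -> str:
    """Constructed, UNSIGNED sample token for local testing only; the signature is a placeholder."""

    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "c2ln"])


def demo() -> dict:
    """Round-trip a file-backed token, inspect its claims, and show the missing-config error."""
    token = make_sample_token(
        {"iss": "https://issuer.example", "sub": "system:serviceaccount:airflow:worker",
         "aud": "vault", "exp": 2_000_000_000}  # constructed claims
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "token"
        path.write_text(token + "\n", encoding="utf-8")  # trailing newline is stripped on read
        endpoint, body = build_login_request(JwtAuthConfig(jwt_role="airflow", jwt_token_path=str(path)))
    try:
        resolve_jwt_token(JwtAuthConfig(jwt_role="airflow"))  # neither token nor path given
        missing_error = None
    except VaultAuthConfigError as exc:
        missing_error = str(exc)
    return {
        "endpoint": endpoint,
        "role": body["role"],
        "jwt_matches": body["jwt"] == token,
        "aud": peek_claims(body["jwt"])["aud"],
        "expired": is_expired(body["jwt"], now=1_700_000_000),
        "missing_error": missing_error,
    }


if __name__ == "__main__":
    print(demo())
```

`peek_claims` exists so a hook can log issuer, audience and expiry before calling Vault, which turns a confusing `permission denied` from a mismatched `bound_audiences` into a local, explicit message; it must never be used to decide anything about trust, since the signature is not checked here.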
@jason810496 jason810496 merged commit 43b5193 into apache:main Feb 9, 2026
86 checks passed
boring-cyborg bot commented Feb 9, 2026

Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions.

Ratasa143 pushed a commit to Ratasa143/airflow that referenced this pull request Feb 15, 2026
…he#61439)

* Add JWT/OIDC authentication support to Hashicorp Vault provider

This adds JWT/OIDC authentication method support to the Hashicorp Vault
provider, enabling token-less authentication through identity federation.

Key features:
- New 'jwt' auth_type for VaultClient, VaultHook, and VaultBackend
- Support for jwt_token parameter or automatic token retrieval from jwt_path
- Configurable jwt_role for Vault role binding
- Full backwards compatibility with existing auth methods

Use cases enabled:
- Kubernetes workload identity with projected service account tokens
- Cloud provider identity (AWS IAM roles, GCP Workload Identity, Azure AD)
- CI/CD pipelines (GitHub Actions OIDC, GitLab CI)
- External identity providers (Auth0, Okta, Keycloak)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Update providers/hashicorp/src/airflow/providers/hashicorp/_internal_client/vault_client.py

Co-authored-by: Wei Lee <weilee.rx@gmail.com>

* Update providers/hashicorp/src/airflow/providers/hashicorp/hooks/vault.py

Co-authored-by: Wei Lee <weilee.rx@gmail.com>

* update the args order for methods

* Update providers/hashicorp/src/airflow/providers/hashicorp/_internal_client/vault_client.py

Co-authored-by: Wei Lee <weilee.rx@gmail.com>

* apply fixes for order in new jwt parameter for docstring

* Address PR review: use stricter mock assertions and inline kwargs

Replace assert_called_with with call_args_list assertions in JWT tests
to verify exact number of calls. Inline kwargs dicts directly into
VaultHook() constructor calls where they are only used once.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* - remove jwt token defaults
- fix documentation
- minor fix

* Remove DEFAULT_JWT_TOKEN_PATH constant and K8s fallback from JWT auth

JWT is a general-purpose Vault auth method, not tied to Kubernetes.
Remove the DEFAULT_JWT_TOKEN_PATH constant (which pointed to the K8s
service account token path) and its fallback in VaultHook. Users must
now explicitly provide either jwt_token or jwt_token_path when using
JWT auth, otherwise _VaultClient raises a clear validation error.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Wei Lee <weilee.rx@gmail.com>
3 participants