Hello,
I’m trying to find a way to retrieve azure keyvault secrets on my Astronomer airflow instance.
I tried to follow a similar approach from your documentation on Hashicorp Vault & AWS SSM Parameter Store: https://www.astronomer.io/docs/cloud/stable/customize-airflow/secrets-backend
and this documentation from Airflow: Azure Key Vault Backend — apache-airflow-providers-microsoft-azure Documentation.
I’m using the “Service Principal with Secret” credentials to authenticate with DefaultAzureCredential()
method. Documentation found here: Azure Identity client library for Python — Azure SDK for Python 2.0.0 documentation
So far it’s not working yet (for context, I’m testing this locally).
Here’s what I have in my docker file (please note that I have the AZURE_CLIENT_ID
, AZURE_TENANT_ID
, AZURE_CLIENT_SECRET
& AZURE_VAULT_URL
saved in my .env file):
FROM quay.io/astronomer/ap-airflow:2.0.0-buster-onbuild
ENV AZURE_CLIENT_ID=$AZURE_CLIENT_ID
ENV AZURE_TENANT_ID=$AZURE_TENANT_ID
ENV AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET
ENV AZURE_VAULT_URL=$AZURE_VAULT_URL
ENV AIRFLOW__SECRETS__BACKEND="airflow.providers.microsoft.azure.secrets.azure_key_vault.AzureKeyVaultBackend"
ENV AIRFLOW__SECRETS__BACKEND_KWARGS='{"connections_prefix": "AIRFLOW-CONNECTIONS", "variables_prefix": "AIRFLOW-VARIABLES", "vault_url": $AZURE_VAULT_URL, "AZURE_CLIENT_ID": $AZURE_CLIENT_ID, "AZURE_TENANT_ID":$AZURE_TENANT_ID, "AZURE_CLIENT_SECRET":$AZURE_CLIENT_SECRET}'
Here’s what I have in my dag file:
from airflow.operators.python_operator import PythonOperator
from datetime import datetime
from airflow.hooks.base_hook import BaseHook
from airflow.contrib.secrets.azure_key_vault import AzureKeyVaultBackend
def get_secrets(**kwargs):
variable = AzureKeyVaultBackend.get_variable(kwargs["var_name"])
print(variable)
with DAG('test_keyvault_dag', start_date=datetime(2021, 3, 3), schedule_interval=None) as dag:
test_task = PythonOperator(
task_id='test-task',
python_callable=get_secrets,
op_kwargs={'var_name': 'TEST'}
)
I’d love to get some feedback on how I can make this work. Thanks in advance