Is there any documentation for integrating Hashicorp Vault with Airflow that doesn’t involve using the root key of the vault cluster? Astronomer’s current guide (this one: https://www.astronomer.io/guides/airflow-and-hashicorp-vault) is written for a dev cluster using the root key. Would love it if you all have some documentation that’s oriented toward deploying an integration in a production environment.
Airflow with Vault Approle Authentication
Setting up Vault
Vault guide on how to do the following steps can be found here
Approle: AppRole - Auth Methods | Vault by HashiCorp
Policies: Policies | Vault by HashiCorp
- Create a Vault policy with at least `read` permissions on your secrets paths.
- Enable Approle in Vault if not done already.
- Create an Approle for your Airflow deployment with the appropriate policy attached.
- Be sure to get your `role_id` and `secret_id` for your Airflow Approle.
Setting up Airflow
Documentation on Airflow Vault configuration can be found here
Airflow Configuration: Hashicorp Vault Secrets Backend — apache-airflow-providers-hashicorp Documentation
Config Settings: airflow.providers.hashicorp.secrets.vault — apache-airflow-providers-hashicorp Documentation
- Place your `role_id` and `secret_id` in environment variables called `VAULT_ROLE_ID` and `VAULT_SECRET_ID`.
- Configure Airflow to use Vault with the Approle auth method. This can be done with the Dockerfile as shown below, or by setting the same environment variables in the Astronomer UI.
```
ENV AIRFLOW__SECRETS__BACKEND="airflow.providers.hashicorp.secrets.vault.VaultBackend"
ENV AIRFLOW__SECRETS__BACKEND_KWARGS='{"connections_path": "airflow/connections", "variables_path": null, "config_path": null, "url": "https://<vault host>:<vault port>", "auth_type": "approle", "role_id":"$VAULT_ROLE_ID", "secret_id":"$VAULT_SECRET_ID"}'
```
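
A preflight check for the `AIRFLOW__SECRETS__BACKEND_KWARGS` value described in the answer above, as an added example that is not part of the original post or of Airflow. It builds the JSON from the real `VAULT_ROLE_ID` and `VAULT_SECRET_ID` values and flags a config where `$VAULT_ROLE_ID` reaches Airflow as a literal string, where a static token is still set, or where the URL is not HTTPS. The function names are hypothetical.

```python
import json
import re

# Added example: function names are hypothetical, not Airflow or provider APIs.
PLACEHOLDER = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")  # "$VAR" or "${VAR}"


def build_backend_kwargs(env, url):
    """Build the AIRFLOW__SECRETS__BACKEND_KWARGS JSON from real env values."""
    return json.dumps({
        "connections_path": "airflow/connections",
        "variables_path": None,
        "config_path": None,
        "url": url,
        "auth_type": "approle",
        "role_id": env["VAULT_ROLE_ID"],  # KeyError if unset, so it fails early
        "secret_id": env["VAULT_SECRET_ID"],
    })


def check_backend_kwargs(raw):
    """Return a list of problems found in a BACKEND_KWARGS JSON string."""
    try:
        cfg = json.loads(raw)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    if cfg.get("auth_type") != "approle":
        problems.append("auth_type is not 'approle'")
    if cfg.get("token"):
        problems.append("a static token is set; AppRole should not need one")
    for key in ("role_id", "secret_id"):
        value = cfg.get(key)
        if not value:
            problems.append(f"{key} is missing or empty")
        elif PLACEHOLDER.match(str(value)):
            problems.append(f"{key} is the literal placeholder {value!r}")
    if not str(cfg.get("url", "")).startswith("https://"):
        problems.append("url is not https")
    return problems


if __name__ == "__main__":
    import os, sys
    issues = check_backend_kwargs(os.environ.get("AIRFLOW__SECRETS__BACKEND_KWARGS", ""))
    print("\n".join(issues) or "ok")
    sys.exit(1 if issues else 0)
```

Run inside the Airflow container, it exits non-zero and lists the problems when the configured value would not authenticate with the intended AppRole credentials.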