Integrating Hashicorp Vault with Airflow without root key

Is there any documentation for integrating Hashicorp Vault with Airflow that doesn’t involve using the root key of the Vault cluster? Astronomer’s current guide (this one: https://www.astronomer.io/guides/airflow-and-hashicorp-vault) is written for a dev cluster using the root key; I would love it if you all had some documentation oriented toward deploying an integration in a production environment.

Airflow with Vault Approle Authentication

Setting up Vault

Vault guides on how to do the following steps can be found here:
Approle: AppRole - Auth Methods | Vault by HashiCorp
Policies: Policies | Vault by HashiCorp

  1. Create a Vault policy with at least read permission on your secrets paths.
  2. Enable AppRole in Vault if it is not enabled already.
  3. Create an AppRole for your Airflow deployment with the appropriate policy attached.
  4. Be sure to get the role_id and secret_id for your Airflow AppRole.

Setting up Airflow

Documentation on the Airflow Vault configuration can be found here:
Airflow Configuration: Hashicorp Vault Secrets Backend — apache-airflow-providers-hashicorp Documentation
Config Settings: airflow.providers.hashicorp.secrets.vault — apache-airflow-providers-hashicorp Documentation

  1. Place your role_id and secret_id in environment variables called:
    1. VAULT_ROLE_ID
    2. VAULT_SECRET_ID
  2. Configure Airflow to use Vault with the AppRole auth method. This can be done in the Dockerfile as shown below, or by setting the same environment variables in the Astronomer UI.
ENV AIRFLOW__SECRETS__BACKEND="airflow.providers.hashicorp.secrets.vault.VaultBackend"
ENV AIRFLOW__SECRETS__BACKEND_KWARGS='{"connections_path": "airflow/connections", "variables_path": null, "config_path": null, "url": "https://<vault host>:<vault port>", "auth_type": "approle", "role_id":"$VAULT_ROLE_ID", "secret_id":"$VAULT_SECRET_ID"}'
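The following is an added end-to-end example, not code from the original thread or from Astronomer's guide. It scripts the four Vault steps in the answer above (least-privilege policy, AppRole enablement, role creation, credential retrieval), stores a test connection where the Airflow provider expects it, verifies that the AppRole alone can read it, and renders the AIRFLOW__SECRETS__BACKEND_KWARGS JSON from values present at run time. It assumes the `vault` CLI is installed with an operator session in VAULT_ADDR/VAULT_TOKEN, a KV v2 engine mounted at `secret` (the provider's default mount_point, which is why the policy path carries the KV v2 `data/` segment), and the policy name `airflow-secrets`, role name `airflow`, and token TTLs, all of which are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread): Vault-side setup for an Airflow
# AppRole plus the Airflow-side kwargs rendered at container start rather than
# baked into the image. Assumes the `vault` CLI, VAULT_ADDR/VAULT_TOKEN for an
# operator with rights over policies and the approle auth method, and a KV v2
# engine at "secret". Policy/role names and TTLs are this example's choices.
set -eu

# Least-privilege policy: read-only on the connections subtree. KV v2 serves
# secret contents under <mount>/data/...; no list capability is granted, so the
# role cannot enumerate other secrets on the mount.
render_airflow_policy() {
  mount="$1"; connections_path="$2"
  cat <<EOF
path "${mount}/data/${connections_path}/*" {
  capabilities = ["read"]
}
EOF
}

# Render AIRFLOW__SECRETS__BACKEND_KWARGS from run-time values so that the
# secret_id is injected by the orchestrator instead of living in an image layer.
render_backend_kwargs() {
  vault_url="$1"; connections_path="$2"; role_id="$3"; secret_id="$4"
  printf '{"connections_path": "%s", "variables_path": null, "config_path": null, "url": "%s", "auth_type": "approle", "role_id": "%s", "secret_id": "%s"}' \
    "$connections_path" "$vault_url" "$role_id" "$secret_id"
}

# Operator-side: write the policy, enable approle once, create the role, and
# print role_id then secret_id (one per line) for the deployment's environment.
setup_vault_for_airflow() {
  mount="${1:-secret}"; connections_path="${2:-airflow/connections}"
  render_airflow_policy "$mount" "$connections_path" | vault policy write airflow-secrets -
  vault auth list -format=json | grep -q '"approle/"' || vault auth enable approle
  vault write auth/approle/role/airflow \
    token_policies="airflow-secrets" \
    token_ttl=1h token_max_ttl=4h \
    secret_id_ttl=0 secret_id_num_uses=0
  vault read -field=role_id auth/approle/role/airflow/role-id
  vault write -f -field=secret_id auth/approle/role/airflow/secret-id
}

# Store a connection as the provider reads it: <mount>/<connections_path>/<conn_id>
# with a conn_uri key. The URI here is a constructed placeholder.
store_airflow_connection() {
  conn_id="$1"; conn_uri="$2"; mount="${3:-secret}"; connections_path="${4:-airflow/connections}"
  vault kv put "${mount}/${connections_path}/${conn_id}" conn_uri="$conn_uri"
}

# Check: log in with only the AppRole credentials (not the operator token) and
# read the connection back. Fails if the policy is too narrow or the path wrong.
verify_approle_access() {
  role_id="$1"; secret_id="$2"; conn_id="$3"
  mount="${4:-secret}"; connections_path="${5:-airflow/connections}"
  token="$(vault write -field=token auth/approle/login role_id="$role_id" secret_id="$secret_id")"
  VAULT_TOKEN="$token" vault kv get -field=conn_uri "${mount}/${connections_path}/${conn_id}"
}
```

Typical use: run `setup_vault_for_airflow` once with the operator token and hand the two printed values to the deployment as VAULT_ROLE_ID and VAULT_SECRET_ID; run `store_airflow_connection my_postgres 'postgresql://user:pass@db.internal:5432/app'` for each connection; then run `verify_approle_access "$VAULT_ROLE_ID" "$VAULT_SECRET_ID" my_postgres` before wiring up Airflow. In the container entrypoint, `export AIRFLOW__SECRETS__BACKEND_KWARGS="$(render_backend_kwargs https://vault.internal:8200 airflow/connections "$VAULT_ROLE_ID" "$VAULT_SECRET_ID")"` produces the same JSON as the answer's ENV line with the credentials substituted at start-up.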