Expose AWS IAM missing param in Hashicorp secret #38536
Conversation
boring-cyborg
bot
added
area:providers
area:secrets
provider:hashicorp
pankajastro
force-pushed
the
fix_iam_auth
branch
from
c17f00f to
58e7be9
Compare
pankajastro
force-pushed
the
fix_iam_auth
branch
from
58e7be9 to
0232640
Compare
pankajastro
requested review from
pankajkoti,
phanikumv,
Lee-W,
utkarsharma2 and
sunank200
pankajastro
force-pushed
the
fix_iam_auth
branch
2 times, most recently
from
28466a7 to
900e319
Compare
pankajastro
force-pushed
the
fix_iam_auth
branch
from
619c3c9 to
ad1c59d
Compare
docs/apache-airflow-providers-hashicorp/secrets-backends/hashicorp-vault.rst
Outdated
Show resolved
Hide resolved
|
|
||
| if self.role_arn: | ||
| sts_client = boto3.client("sts") | ||
| credentials = sts_client.assume_role(RoleArn=self.role_arn, RoleSessionName="airflow") |
There was a problem hiding this comment.
@pankajastro - we should consider exposing assume_role_kwargs as a backend_kwarg.
This is currently available as an AWS Connection Extra parameter.
There was a problem hiding this comment.
Could you please share an example of AIRFLOW__SECRETS__BACKEND_KWARGS?
There was a problem hiding this comment.
Please see the Request Syntax section for example kwargs.
I imagine it would be a dictionary that you would pass to AIRFLOW__SECRETS__BACKEND_KWARGS, like one does today in the AWS connection.
There was a problem hiding this comment.
wdyt #39279
AIRFLOW__SECRETS__BACKEND_KWARGS='{"kv_engine_version": 1, "mount_point": "kv", "variables_path": "airflow", "url": "http://127.0.0.0:8200/", "auth_type": "aws_iam", "assume_role_kwargs": {"RoleArn": "arn:aws:iam::1234567890000:role/hashicorp-aws-iam", "RoleSessionName": "airflow", "DurationSeconds": 900}}'
There was a problem hiding this comment.
Yes that looks good (assuming that it works). You wouldn't need a role_arn arg in this case.
There was a problem hiding this comment.
It's included in the assume_role_kwargs parameter. I've shared an example for reference ^^
There was a problem hiding this comment.
Agreed. I am saying you no longer need a dedicated role_arn backend kwarg. It would be a part of assume_role_kwargs.
Expose
arn_roleparam inVaultBackendand addboto3as an additional dependency. This will help authenticate with temporary credentials.Example config
Exposeaws_conn_idparam inVaultBackendand addapache-airflow-providers-amazonas dependencyThis PR expose below missing param in hashicorp secret for aws auth- session_token- header_value- use_token- regionhttps://github.com/hvac/hvac/blob/48027db42c037fe8f6b1c6fd8f6dbf80c1ea8595/hvac/api/auth_methods/aws.py#L734-L743
^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named
{pr_number}.significant.rstor{issue_number}.significant.rst, in newsfragments.