AzureKeyVaultBackend

Microsoft Azure

Retrieves Airflow Connections or Variables from Azure Key Vault secrets.

View on GitHub

Last Updated: Oct. 23, 2022

Access Instructions

Install the Microsoft Azure provider package into your Airflow environment.

Update your environment config per the instructions in the docs below.

Parameters

Documentation

Connections

Parameters

connections_prefixSpecifies the prefix of the secret to read to get Connections If set to None (null), requests for connections will not be sent to Azure Key Vault

variables_prefixSpecifies the prefix of the secret to read to get Variables If set to None (null), requests for variables will not be sent to Azure Key Vault

config_prefixSpecifies the prefix of the secret to read to get Variables. If set to None (null), requests for configurations will not be sent to Azure Key Vault

vault_urlThe URL of an Azure Key Vault to use

sepseparator used to concatenate secret_prefix and secret_id. Default: “-”

Documentation

Retrieves Airflow Connections or Variables from Azure Key Vault secrets.

The Azure Key Vault can be configured as a secrets backend in the airflow.cfg:

[secrets]
backend = airflow.providers.microsoft.azure.secrets.key_vault.AzureKeyVaultBackend
backend_kwargs = {"connections_prefix": "airflow-connections", "vault_url": "<azure_key_vault_uri>"}

For example, if the secrets prefix is airflow-connections-smtp-default, this would be accessible if you provide {"connections_prefix": "airflow-connections"} and request conn_id smtp-default. And if variables prefix is airflow-variables-hello, this would be accessible if you provide {"variables_prefix": "airflow-variables"} and request variable key hello.

For client authentication, the DefaultAzureCredential from the Azure Python SDK is used as credential provider, which supports service principal, managed identity and user credentials

For example, to specify a service principal with secret you can set the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET.