Skip to main content

Airflow secrets backend

Description

Instead of manually filling in the Airflow connections and variables for every environment, using the Airflow UI in Conveyor, you can now also load them automatically from an external backend (e.g. AWS secrects manager or Azure Keyvault) . This makes it possible to specify them ones and automatically get the configuration in your environment. We integrate with the secret backend functionality for Airflow, as described here. In this how-to we will go over the different steps required to set this up using Conveyor.

Creating a secret

To start with, you will need to create the connection and/or variable secret in AWS or Azure.

For AWS we support configuring the secret in AWS secrets manager. In the UI you can configure it as follows: From the secrets manager page click on store a new secret. There select other type of secret and specify the secret content in json format.

More information on the structure of the json content can be found on the Airflow documentation As an example look at the following screenshot:

Click next next and specify a name for the secret, which we will use in a later step. Finally click on store to persist the secret in AWS secrets manager.

Creating an IAM identity

In order for Airflow to be able to read the secret values, you will need to attach an IAM identity.

For AWS you will need to create an AWS role which has permissions to read as well as describe the secrets in secretsmanager. The following actions are required for the integration to work: secretsmanager:GetSecretValue and secretsmanager:DescribeSecret. One way of creating the respective role is to use terraform, which will look similar to:


# create a IAM role that can be assumed by a given Airflow environment
resource "aws_iam_role" "airflow_secrets_backend_role" {
    name               = "airflow-secrets-backend-role"
    assume_role_policy = data.aws_iam_policy_document.airflow_secret_assume_policy.json
}
data "aws_iam_policy_document" "airflow_secret_assume_policy" {
    statement {
        actions = ["sts:AssumeRoleWithWebIdentity"]
        effect  = "Allow"

        condition {
            test     = "StringLike"
            variable = "${var.oidc_url}:sub"
            values   = ["system:serviceaccount:<conveyor-environment>:airflow-<conveyor-environment>"]
        }

        principals {
            identifiers = ["arn:aws:iam::${var.aws_account_id}:oidc-provider/${var.oidc_url}"]
            type        = "Federated"
        }
    }
}

# Allow the IAM role to access certain secrets in AWS secrets manager
resource "aws_iam_role_policy" "airflow_secret_access" {
    name   = "airflow-secret-access"
    role   = aws_iam_role.airflow_secrets_backend_role.id
    policy = data.aws_iam_policy_document.airflow_secret_access.json
}

data "aws_iam_policy_document" "airflow_secret_access" {
    statement {
        actions = [
            "secretsmanager:GetSecretValue",
            "secretsmanager:DescribeSecret",
        ]
        resources = [
            "arn:*:secretsmanager:*:*:secret:<your-secret-name>-??????",
        ]
        effect = "Allow"
    }
}

The your-secret-name in resources section should be changed to reflect the secret name that you have created in the first step of this how-to guide.

The oidc_url of the eks cluster can be using the conveyor_cluster datasource, when using terraform, or by using the conveyor CLI and running: conveyor cluster list

The arn of a secret in secretmanager is the name of your secret with a random 6 character suffix, which is why the -?????? is added at the end.

Configuring the environment

The secret backend can be configured on an environment in three ways, namely:

CLI

The configuration settings can also be updated through the cli, through the use of the conveyor env update command.

Apart from the variable and connection configuration options, you must also specify the iam identity for the environment. In AWS this is the IAM role name and in Azure this is the application client id. The application client id can be found on the page of the app registration in the Azure portal.

For more details take a look at the cli docs

Terraform

The configuration settings can also be specified in the environment resource in Terraform.

Apart from the variable and connection configuration options, you must also specify the iam identity for the environment. In AWS this is the role name and in Azure this is the application client id, which can be found on the page of the app registration in the Azure portal.

For more details take a look at the terraform docs

Conveyor UI

In the Conveyor UI, you can configure a secrets backend using the settings tab of the respective environment. In the form section secrets-backend you can specify the necessary configuration. This form looks as follows:

Frequently asked questions

If I update a secret in AWS secrets manager or Azure keyvault, will it automatically be updated in the environment?

Yes, it will be updated after 5 minutes. We poll for changes every 5 minutes and update the environment accordingly.

I do not see my new variables/connections after updating an existing secret in AWS secrets manager or Azure keyvault in the Airflow UI, what is going on?

Syncing the secrets with the Airflow UI is only done when the Airflow web container is started, this is not done periodically. Note: the values are updated though and you can use them in your tasks (see previous question), you just don't' see them in the Airflow UI yet.