Adds GCP Secret Manager Hook (#9368)
* Adds GCP Secret Manager Hook
Showing
17 changed files
with
597 additions
and
81 deletions.
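--- a/airflow/providers/google/cloud/_internal_client/__init__.py
+++ b/airflow/providers/google/cloud/_internal_client/__init__.py
@@ -0,0 +1,16 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.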
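--- a/airflow/providers/google/cloud/_internal_client/secret_manager_client.py
+++ b/airflow/providers/google/cloud/_internal_client/secret_manager_client.py
@@ -0,0 +1,95 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+import re
+from typing import Optional
+
+import google
+from cached_property import cached_property
+from google.api_core.exceptions import NotFound
+from google.api_core.gapic_v1.client_info import ClientInfo
+from google.cloud.secretmanager_v1 import SecretManagerServiceClient
+
+from airflow.utils.log.logging_mixin import LoggingMixin
+from airflow.version import version
+
+SECRET_ID_PATTERN = r"^[a-zA-Z0-9-_]*$"
+
+
+class _SecretManagerClient(LoggingMixin):
+
+    """
+    Retrieves Secrets object from GCP Secrets Manager. This is a common class reused between SecretsManager
+    and Secrets Hook that provides the shared authentication and verification mechanisms. This class should
+    not be used directly, use SecretsManager or SecretsHook instead
+    :param credentials: Credentials used to authenticate to GCP
+    :type credentials: google.auth.credentials.Credentials
+    """
+    def __init__(
+        self,
+        credentials: google.auth.credentials.Credentials,
+    ):
+        super().__init__()
+        self.credentials = credentials
+
+    @staticmethod
+    def is_valid_secret_name(secret_name: str) -> bool:
+        """
+        Returns true if the secret name is valid.
+        :param secret_name: name of the secret
+        :type secret_name: str
+        :return:
+        """
+        return bool(re.match(SECRET_ID_PATTERN, secret_name))
+
+    @cached_property
+    def client(self) -> SecretManagerServiceClient:
+        """
+        Create an authenticated KMS client
+        """
+        _client = SecretManagerServiceClient(
+            credentials=self.credentials,
+            client_info=ClientInfo(client_library_version='airflow_v' + version)
+        )
+        return _client
+
+    def get_secret(self,
+                   secret_id: str,
+                   project_id: str,
+                   secret_version: str = 'latest') -> Optional[str]:
+        """
+        Get secret value from the Secret Manager.
+        :param secret_id: Secret Key
+        :type secret_id: str
+        :param project_id: Project id to use
+        :type project_id: str
+        :param secret_version: version of the secret (default is 'latest')
+        :type secret_version: str
+        """
+        name = self.client.secret_version_path(project_id, secret_id, secret_version)
+        try:
+            response = self.client.access_secret_version(name)
+            value = response.payload.data.decode('UTF-8')
+            return value
+        except NotFound:
+            self.log.error(
+                "GCP API Call Error (NotFound): Secret ID %s not found.", secret_id
+            )
+            return None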
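Review bot: `is_valid_secret_name` uses `re.match` against a `$`-anchored pattern, so a name with a trailing newline such as `"my-secret\n"` is accepted (`$` matches before a final newline), and the `*` quantifier in SECRET_ID_PATTERN also accepts the empty string; `return bool(re.fullmatch(SECRET_ID_PATTERN, secret_name))` closes the newline gap, and a `+` quantifier would reject the empty name if that is the intent. Within this hunk `get_secret` never calls the validator before `secret_version_path` builds the resource name, so the check is advisory unless a caller outside this file applies it. The `NotFound` branch hands the caller a bare `None` with only a log line to distinguish it from a real value, and the docstring does not say so; add `:return: the secret payload decoded as UTF-8, or None if the secret or version was not found`. Separately, the `client` docstring reads `Create an authenticated KMS client`, which looks copied from another hook; `Create an authenticated Secret Manager client` matches what the property builds.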
@@ -0,0 +1,74 @@ | ||
# | ||
# Licensed to the Apache Software Foundation (ASF) under one | ||
# or more contributor license agreements. See the NOTICE file | ||
# distributed with this work for additional information | ||
# regarding copyright ownership. The ASF licenses this file | ||
# to you under the Apache License, Version 2.0 (the | ||
# "License"); you may not use this file except in compliance | ||
# with the License. You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, | ||
# software distributed under the License is distributed on an | ||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
# KIND, either express or implied. See the License for the | ||
# specific language governing permissions and limitations | ||
# under the License. | ||
"""Hook for Secrets Manager service""" | ||
from typing import Optional | ||
|
||
from airflow.providers.google.cloud._internal_client.secret_manager_client import _SecretManagerClient # noqa | ||
from airflow.providers.google.common.hooks.base_google import GoogleBaseHook | ||
|
||
|
||
# noinspection PyAbstractClass | ||
class SecretsManagerHook(GoogleBaseHook): | ||
""" | ||
Hook for the Google Secret Manager API. | ||
See https://cloud.google.com/secret-manager | ||
All the methods in the hook where project_id is used must be called with | ||
keyword arguments rather than positional. | ||
:param gcp_conn_id: The connection ID to use when fetching connection info. | ||
:type gcp_conn_id: str | ||
:param delegate_to: The account to impersonate, if any. | ||
For this to work, the service account making the request must have | ||
domain-wide delegation enabled. | ||
:type delegate_to: str | ||
""" | ||
def __init__( | ||
self, | ||
gcp_conn_id: str = "google_cloud_default", | ||
delegate_to: Optional[str] = None | ||
) -> None: | ||
super().__init__(gcp_conn_id, delegate_to) | ||
self.client = _SecretManagerClient(credentials=self._get_credentials()) | ||
|
||
def get_conn(self) -> _SecretManagerClient: | ||
""" | ||
Retrieves the connection to Secret Manager. | ||
:return: Secret Manager client. | ||
:rtype: airflow.providers.google.cloud._internal_client.secret_manager_client._SecretManagerClient | ||
""" | ||
return self.client | ||
|
||
@GoogleBaseHook.fallback_to_default_project_id | ||
def get_secret(self, secret_id: str, | ||
secret_version: str = 'latest', | ||
project_id: Optional[str] = None) -> Optional[str]: | ||
""" | ||
Get secret value from the Secret Manager. | ||
:param secret_id: Secret Key | ||
:type secret_id: str | ||
:param secret_version: version of the secret (default is 'latest') | ||
:type secret_version: str | ||
:param project_id: Project id (if you want to override the project_id from credentials) | ||
:type project_id: str | ||
""" | ||
return self.get_conn().get_secret(secret_id=secret_id, secret_version=secret_version, | ||
project_id=project_id) # type: ignore |
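Review bot: `__init__` calls `self._get_credentials()` and builds the `_SecretManagerClient` eagerly, so credential resolution happens the moment the hook is instantiated rather than on first use in `get_conn`, and any hook constructed only to be configured (or during DAG parsing) pays that cost and surfaces credential errors at construction time. Other hooks built on `GoogleBaseHook` appear to create their client lazily inside `get_conn`, but `base_google` is not part of this commit so I cannot confirm the convention here. The rewrite below makes `get_conn` the single creation point and caches the instance; it renames the attribute to `_client`, which matters only if something else reads `hook.client`. `get_secret` is unchanged.
```python
    def __init__(
        self,
        gcp_conn_id: str = "google_cloud_default",
        delegate_to: Optional[str] = None
    ) -> None:
        super().__init__(gcp_conn_id, delegate_to)
        # Created on first get_conn() so constructing the hook does not resolve credentials.
        self._client: Optional[_SecretManagerClient] = None

    def get_conn(self) -> _SecretManagerClient:
        """
        Retrieves the connection to Secret Manager, creating it on first use.

        :return: Secret Manager client.
        :rtype: airflow.providers.google.cloud._internal_client.secret_manager_client._SecretManagerClient
        """
        if self._client is None:
            self._client = _SecretManagerClient(credentials=self._get_credentials())
        return self._client

    # … unchanged: get_secret …
```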