I am creating an Airflow DAG in GCC that needs to read a Secret, and no other DAG in that instance should access it besides that particular DAG.
Is that possible? I only see that we could grant permissions for the GCC SA; in this case every DAG in the GCC instance could read the secret.
Is there some alternative for reading secrets with that constraint? Am I reading the situation correctly?
To connect your Airflow server (GCC or other services) to Google Secret Manager, you have multiple options:
Variable.get or <some hook>.get_connection will check if the variable or the connection exists in Google Secret Manager, regardless of the DAG that calls these methods.
get_secret