
Google Cloud Secret accessed by just one DAG

I am creating an Airflow DAG in GCC that needs to read a Secret, and no other DAG in that instance should be able to access it besides that particular DAG.

Is that possible? I only see that we could grant permissions to the GCC SA; in that case every DAG in the GCC instance could read the secret.

Is there some alternative for reading secrets with that constraint? Am I reading the situation correctly?

To connect your Airflow server (GCC or other services) to Google Secret Manager, you have multiple options:

  • use Google Secret Manager as a secret backend for Airflow: in this case, each Variable.get or <some hook>.get_connection will check if the variable or the connection exists in Google Secret Manager, regardless of the DAG that calls these methods.
  • use SecretsManagerHook: you need to create an Airflow connection to store the service account credentials, then you can use the hook wherever you want, so you have the ability to decide where you want to use Secret Manager and where you don't, and to read the secrets you can use the method get_secret.
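The second option, as an added example that is not part of the answer above: the DAG reads the secret through SecretsManagerHook using a dedicated connection whose service account is the only principal granted secretmanager.secretAccessor on that secret, and it refuses to run if the connection would silently fall back to the environment's default credentials. The connection id, secret name, project id and service-account address are assumed placeholders, and the `keyfile_dict` / `extra__google_cloud_platform__keyfile_dict` extra keys are the ones Airflow's Google connection type uses for an embedded key file.

```python
# Added example (not the question's or answer's code). Assumed names:
# connection "dag_only_secret_sa", secret "payments-api-key",
# project "example-project", SA dag-reader@example-project.iam.gserviceaccount.com.
from __future__ import annotations

import json
from datetime import datetime

DEDICATED_CONN_ID = "dag_only_secret_sa"
EXPECTED_SA = "dag-reader@example-project.iam.gserviceaccount.com"
SECRET_ID = "payments-api-key"
PROJECT_ID = "example-project"


def service_account_of(extra_dejson: dict) -> str | None:
    """client_email of the key file embedded in a google_cloud_platform
    connection's 'extra' JSON, or None when no key file is stored (Airflow
    would then use the environment's default service account)."""
    raw = extra_dejson.get("keyfile_dict") or extra_dejson.get(
        "extra__google_cloud_platform__keyfile_dict")
    if raw is None:
        return None
    key = json.loads(raw) if isinstance(raw, str) else raw
    return key.get("client_email")


def assert_dedicated_identity(extra_dejson: dict, expected_sa: str) -> str:
    """Fail closed: only read the secret as the SA that was granted access."""
    sa = service_account_of(extra_dejson)
    if sa != expected_sa:
        raise PermissionError(
            f"connection would read the secret as {sa!r}, expected {expected_sa!r}")
    return sa


def read_dag_secret() -> str:
    # Imports live inside the callable so the helpers above load without Airflow.
    from airflow.hooks.base import BaseHook
    from airflow.providers.google.cloud.hooks.secret_manager import SecretsManagerHook

    conn = BaseHook.get_connection(DEDICATED_CONN_ID)
    assert_dedicated_identity(conn.extra_dejson, EXPECTED_SA)
    hook = SecretsManagerHook(gcp_conn_id=DEDICATED_CONN_ID)
    return hook.get_secret(secret_id=SECRET_ID, project_id=PROJECT_ID)


try:
    from airflow import DAG
    from airflow.operators.python import PythonOperator
except ImportError:  # allows importing this module where Airflow is absent
    DAG = None

if DAG is not None:
    with DAG(dag_id="payments_reader", start_date=datetime(2024, 1, 1),
             schedule=None, catchup=False) as dag:
        PythonOperator(task_id="read_secret", python_callable=read_dag_secret)
```

Grant the dedicated service account access on the single secret (not project-wide), and leave the Composer environment's own service account without secretAccessor on it, so other DAGs using the default credentials get a permission-denied error.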
