Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2022/08/25 22:01:50 UTC
[GitHub] [airflow] aspain opened a new issue, #25968: Unable to configure Google Secrets Manager in 2.3.4
aspain opened a new issue, #25968:
URL: https://github.com/apache/airflow/issues/25968
### Apache Airflow version
2.3.4
### What happened
I am attempting to configure a Google Secrets Manager secrets backend using the `gcp_keyfile_dict` param in a `.env` file with the following ENV Vars:
```
AIRFLOW__SECRETS__BACKEND=airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend
AIRFLOW__SECRETS__BACKEND_KWARGS='{"connections_prefix": "airflow-connections", "variables_prefix": "airflow-variables", "gcp_keyfile_dict": <json-keyfile>}'
```
In previous versions, including 2.3.3, this worked without issue.
After upgrading to Astro Runtime 5.0.8 I get the following error, taken from the scheduler container logs. The scheduler, webserver, and triggerer are continually restarting.
```
Traceback (most recent call last):
  File "/usr/local/bin/airflow", line 5, in <module>
    from airflow.__main__ import main
  File "/usr/local/lib/python3.9/site-packages/airflow/__init__.py", line 35, in <module>
    from airflow import settings
  File "/usr/local/lib/python3.9/site-packages/airflow/settings.py", line 35, in <module>
    from airflow.configuration import AIRFLOW_HOME, WEBSERVER_CONFIG, conf # NOQA F401
  File "/usr/local/lib/python3.9/site-packages/airflow/configuration.py", line 1618, in <module>
    secrets_backend_list = initialize_secrets_backends()
  File "/usr/local/lib/python3.9/site-packages/airflow/configuration.py", line 1540, in initialize_secrets_backends
    custom_secret_backend = get_custom_secret_backend()
  File "/usr/local/lib/python3.9/site-packages/airflow/configuration.py", line 1523, in get_custom_secret_backend
    return _custom_secrets_backend(secrets_backend_cls, **alternative_secrets_config_dict)
TypeError: unhashable type: 'dict'
```
### What you think should happen instead
Containers should remain healthy and the secrets backend should successfully be added
### How to reproduce
`astro dev init` a fresh project
Dockerfile:
`FROM quay.io/astronomer/astro-runtime:5.0.8`
`.env` file:
```
AIRFLOW__SECRETS__BACKEND=airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend
AIRFLOW__SECRETS__BACKEND_KWARGS='{"connections_prefix": "airflow-connections", "variables_prefix": "airflow-variables", "gcp_keyfile_dict": <service-acct-json-keyfile>}'
```
`astro dev start`
### Operating System
macOS 11.6.8
### Versions of Apache Airflow Providers
[apache-airflow-providers-google](https://airflow.apache.org/docs/apache-airflow-providers-google/8.1.0/) 8.1.0
### Deployment
Astronomer
### Deployment details
_No response_
### Anything else
_No response_
### Are you willing to submit PR?
- [ ] Yes I am willing to submit a PR!
### Code of Conduct
- [X] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [airflow] potiuk commented on issue #25968: Unable to configure Google Secrets Manager in 2.3.4
Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #25968:
URL: https://github.com/apache/airflow/issues/25968#issuecomment-1227839936
Yeah. There is no easy workaround I could see for that one. I will raise it to the release mgmt team (we have one more bug that might make us do 2.3.5 before we release 2.4.0). In the meantime @pdebelak - looking forward to a fix :D
[GitHub] [airflow] pdebelak commented on issue #25968: Unable to configure Google Secrets Manager in 2.3.4
Posted by GitBox <gi...@apache.org>.
pdebelak commented on issue #25968:
URL: https://github.com/apache/airflow/issues/25968#issuecomment-1227836423
I see a fix for this that I will PR, but I don't see a workaround for version 2.3.4 if you have a `AIRFLOW__SECRETS__BACKEND_KWARGS` containing a nested dictionary.
[GitHub] [airflow] potiuk closed issue #25968: Unable to configure Google Secrets Manager in 2.3.4
Posted by GitBox <gi...@apache.org>.
potiuk closed issue #25968: Unable to configure Google Secrets Manager in 2.3.4
URL: https://github.com/apache/airflow/issues/25968
[GitHub] [airflow] potiuk commented on issue #25968: Unable to configure Google Secrets Manager in 2.3.4
Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #25968:
URL: https://github.com/apache/airflow/issues/25968#issuecomment-1227816816
I believe the problem is that dict indeed is not hashable, and you can pass the dict as parameter of the secret backend configuration.
For now, I don't see an easy workaround other than using `gcp_key_path` and putting the key in the same path in your workers - would that be a feasible workaround for now @aspain ?
[GitHub] [airflow] pdebelak commented on issue #25968: Unable to configure Google Secrets Manager in 2.3.4
Posted by GitBox <gi...@apache.org>.
pdebelak commented on issue #25968:
URL: https://github.com/apache/airflow/issues/25968#issuecomment-1227823696
Yes, this is related to the new `lru_cache` in 2.3.4, I didn't realize this would break in this way. There isn't an easy workaround. We might need to revert that change in this case and add a test to make sure we don't break it in the same way again.
[GitHub] [airflow] aspain commented on issue #25968: Unable to configure Google Secrets Manager in 2.3.4
Posted by GitBox <gi...@apache.org>.
aspain commented on issue #25968:
URL: https://github.com/apache/airflow/issues/25968#issuecomment-1227819818
With an Astronomer project I don't have access to the workers (other than locally) and would have to include the keyfile in my repository the project deploys from, ideally the keyfile would not need to be in the repository
[GitHub] [airflow] potiuk commented on issue #25968: Unable to configure Google Secrets Manager in 2.3.4
Posted by GitBox <gi...@apache.org>.
potiuk commented on issue #25968:
URL: https://github.com/apache/airflow/issues/25968#issuecomment-1227813238
@pdebelak - I think this is caused by the LRU cache introduced in https://github.com/apache/airflow/pull/25556 - is it possible you take a look and see if it can be fixed/workarounded ?
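The failure mode identified in this thread (an `lru_cache` in front of backend construction receiving a nested dict such as `gcp_keyfile_dict` in its kwargs), reproduced in isolation as an added example; it is not Airflow's code and not the fix referred to in the thread. `FakeBackend` and both builder functions are hypothetical names, the kwargs are a constructed sample with a placeholder keyfile, and caching on the raw JSON string is one possible way to keep the key hashable.

```python
import functools
import json

# Constructed sample: the shape of AIRFLOW__SECRETS__BACKEND_KWARGS from the
# report, with placeholder values instead of real service-account key material.
BACKEND_KWARGS = json.dumps({
    "connections_prefix": "airflow-connections",
    "variables_prefix": "airflow-variables",
    "gcp_keyfile_dict": {"type": "service_account", "project_id": "example-project"},
})


class FakeBackend:
    """Hypothetical stand-in for a secrets backend class."""

    def __init__(self, **kwargs):
        self.kwargs = kwargs


@functools.lru_cache(maxsize=2)
def build_cached_on_kwargs(backend_cls, **kwargs):
    # lru_cache hashes every argument value to build its cache key, so a
    # nested dict value raises TypeError before this body ever runs.
    return backend_cls(**kwargs)


@functools.lru_cache(maxsize=2)
def build_cached_on_json(backend_cls, kwargs_json):
    # The cache key is the raw JSON string, which is hashable; the nested
    # dict only comes into existence inside the cached function.
    return backend_cls(**json.loads(kwargs_json))


def reproduce():
    """Return the error message raised when the kwargs contain a nested dict."""
    try:
        build_cached_on_kwargs(FakeBackend, **json.loads(BACKEND_KWARGS))
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("cached on kwargs:", reproduce())
    backend = build_cached_on_json(FakeBackend, BACKEND_KWARGS)
    print("cached on JSON string:", sorted(backend.kwargs))
```
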