[GitHub] [airflow] dstandish commented on a change in pull request #19859: Add a short chapter focusing on adapting secret format for connections

[GitBox <gi...@apache.org>]

dstandish commented on a change in pull request #19859:
URL: https://github.com/apache/airflow/pull/19859#discussion_r758595096



##########
File path: docs/apache-airflow/security/secrets/secrets-backend/index.rst
##########
@@ -111,3 +111,19 @@ See :ref:`Configuration <secrets_backend_configuration>` for more details, and :
 
     If you are rolling your own secrets backend, you don't strictly need to use airflow's URI format. But
     doing so makes it easier to switch between environment variables, the metastore, and your secrets backend.
+
+Adapt to non-Airflow compatible secret formats for connections
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The default implementation of Secret backend requires to use Airflow-specific format of storing
+secrets for connections. Currently most community provided implementations require the connections to
+be stored as URIs (with the possibility of adding more friendly formats in the future)
+:doc:`apache-airflow-providers:core-extensions/secrets-backends`. However in some cases it might be
+better solution for your organization to keep the credentials (passwords/tokens etc) in other formats -
+for example when you want the same credentials to be used across multiple clients or when you want to
+use built-in mechanism of rotating the credentials that do not work well with the Airflow-specific format.
+Some of the secret backends provided by the community (for example
+:py:class:`~airflow.providers.amazon.aws.secrets.systems_manager.SystemsManagerParameterStoreBackend` have
+mechanism where you can configure the retrieval in a flexible way, but others might not provide that much of
+flexibility. In this case you should simply roll your own secret backend as described in the previous chapter,
+possibly extending existing secret backend and adapt it to the scheme used by your organization.

Review comment:
       ```suggestion
   The default implementation of Secret backend requires use of an Airflow-specific format of storing
   secrets for connections. Currently most community provided implementations require the connections to
   be stored as URIs (with the possibility of adding more friendly formats in the future)
   :doc:`apache-airflow-providers:core-extensions/secrets-backends`. However some organizations may prefer
   to keep the credentials (passwords/tokens etc) in other formats --
   for example when you want the same credentials to be used across multiple clients, or when you want to
   use built-in mechanism of rotating the credentials that do not work well with the Airflow-specific format.
   In this case you will need to roll your own secret backend as described in the previous chapter,
   possibly extending existing secret backend and adapt it to the scheme used by your organization.
   ```
   
   Mainly I have suggested removing the `Some of the secret backends provided by the community...` paragraph because it's a bit unclear and its presence makes it a little ambiguous which case is referred to in `In this case...`




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org