apache-airflow-providers-hashicorp 3.7.0rc1__py3-none-any.whl → 3.7.0rc2__py3-none-any.whl

airflow/providers/hashicorp/__init__.py

@@ -35,8 +35,8 @@ except ImportError:
     from airflow.version import version as airflow_version
 
 if packaging.version.parse(packaging.version.parse(airflow_version).base_version) < packaging.version.parse(
-    "2.6.0"
+    "2.7.0"
 ):
     raise RuntimeError(
-        f"The package `apache-airflow-providers-hashicorp:{__version__}` needs Apache Airflow 2.6.0+"
+        f"The package `apache-airflow-providers-hashicorp:{__version__}` needs Apache Airflow 2.7.0+"
     )

airflow/providers/hashicorp/_internal_client/vault_client.py

@@ -16,6 +16,7 @@
 # under the License.
 from __future__ import annotations
 
+import os
 from functools import cached_property
 
 import hvac
@@ -73,6 +74,9 @@ class _VaultClient(LoggingMixin):
     :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type).
     :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types).
     :param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types).
+    :param assume_role_kwargs: AWS assume role param.
+        See AWS STS Docs:
+        https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts/client/assume_role.html
     :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type).
     :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default:
         ``/var/run/secrets/kubernetes.io/serviceaccount/token``).
@@ -102,6 +106,7 @@ class _VaultClient(LoggingMixin):
         password: str | None = None,
         key_id: str | None = None,
         secret_id: str | None = None,
+        assume_role_kwargs: dict | None = None,
         role_id: str | None = None,
         kubernetes_role: str | None = None,
         kubernetes_jwt_path: str | None = "/var/run/secrets/kubernetes.io/serviceaccount/token",
@@ -125,7 +130,7 @@ class _VaultClient(LoggingMixin):
             raise VaultError(
                 f"The auth_type is not supported: {auth_type}. It should be one of {VALID_AUTH_TYPES}"
             )
-        if auth_type == "token" and not token and not token_path:
+        if auth_type == "token" and not token and not token_path and "VAULT_TOKEN" not in os.environ:
             raise VaultError("The 'token' authentication type requires 'token' or 'token_path'")
         if auth_type == "github" and not token and not token_path:
             raise VaultError("The 'github' authentication type requires 'token' or 'token_path'")
@@ -151,7 +156,7 @@ class _VaultClient(LoggingMixin):
         self.url = url
         self.auth_type = auth_type
         self.kwargs = kwargs
-        self.token = token
+        self.token = token or os.getenv("VAULT_TOKEN", None)
         self.token_path = token_path
         self.auth_mount_point = auth_mount_point
         self.mount_point = mount_point
@@ -160,6 +165,7 @@ class _VaultClient(LoggingMixin):
         self.key_id = key_id
         self.secret_id = secret_id
         self.role_id = role_id
+        self.assume_role_kwargs = assume_role_kwargs
         self.kubernetes_role = kubernetes_role
         self.kubernetes_jwt_path = kubernetes_jwt_path
         self.gcp_key_path = gcp_key_path
@@ -317,15 +323,36 @@ class _VaultClient(LoggingMixin):
             )
 
     def _auth_aws_iam(self, _client: hvac.Client) -> None:
-        if self.auth_mount_point:
-            _client.auth.aws.iam_login(
-                access_key=self.key_id,
-                secret_key=self.secret_id,
-                role=self.role_id,
-                mount_point=self.auth_mount_point,
-            )
+        if self.key_id and self.secret_id:
+            auth_args = {
+                "access_key": self.key_id,
+                "secret_key": self.secret_id,
+                "role": self.role_id,
+            }
         else:
-            _client.auth.aws.iam_login(access_key=self.key_id, secret_key=self.secret_id, role=self.role_id)
+            import boto3
+
+            if self.assume_role_kwargs:
+                sts_client = boto3.client("sts")
+                credentials = sts_client.assume_role(**self.assume_role_kwargs)
+                auth_args = {
+                    "access_key": credentials["Credentials"]["AccessKeyId"],
+                    "secret_key": credentials["Credentials"]["SecretAccessKey"],
+                    "session_token": credentials["Credentials"]["SessionToken"],
+                }
+            else:
+                session = boto3.Session()
+                credentials = session.get_credentials()
+                auth_args = {
+                    "access_key": credentials.access_key,
+                    "secret_key": credentials.secret_key,
+                    "session_token": credentials.token,
+                }
+
+        if self.auth_mount_point:
+            auth_args["mount_point"] = self.auth_mount_point
+
+        _client.auth.aws.iam_login(**auth_args)
 
     def _auth_approle(self, _client: hvac.Client) -> None:
         if self.auth_mount_point:
@@ -387,7 +414,7 @@ class _VaultClient(LoggingMixin):
 
     def get_secret_metadata(self, secret_path: str) -> dict | None:
         """
-        Reads secret metadata (including versions) from the engine. It is only valid for KV version 2.
+        Read secret metadata (including versions) from the engine. It is only valid for KV version 2.
 
         :param secret_path: The path of the secret.
         :return: secret metadata. This is a Dict containing metadata for the secret.
@@ -409,7 +436,7 @@ class _VaultClient(LoggingMixin):
         self, secret_path: str, secret_version: int | None = None
     ) -> dict | None:
         """
-        Reads secret including metadata. It is only valid for KV version 2.
+        Read secret including metadata. It is only valid for KV version 2.
 
         See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.
 
@@ -443,7 +470,7 @@ class _VaultClient(LoggingMixin):
         self, secret_path: str, secret: dict, method: str | None = None, cas: int | None = None
     ) -> Response:
         """
-        Creates or updates secret.
+        Create or updates secret.
 
         :param secret_path: The path of the secret.
         :param secret: Secret to create or update for the path specified
@@ -467,10 +494,10 @@ class _VaultClient(LoggingMixin):
         mount_point, secret_path = self._parse_secret_path(secret_path)
         if self.kv_engine_version == 1:
             response = self.client.secrets.kv.v1.create_or_update_secret(
-                secret_path=secret_path, secret=secret, mount_point=mount_point, method=method
+                path=secret_path, secret=secret, mount_point=mount_point, method=method
             )
         else:
             response = self.client.secrets.kv.v2.create_or_update_secret(
-                secret_path=secret_path, secret=secret, mount_point=mount_point, cas=cas
+                path=secret_path, secret=secret, mount_point=mount_point, cas=cas
             )
         return response

airflow/providers/hashicorp/get_provider_info.py

@@ -28,9 +28,12 @@ def get_provider_info():
         "name": "Hashicorp",
         "description": "Hashicorp including `Hashicorp Vault <https://www.vaultproject.io/>`__\n",
         "state": "ready",
-        "source-date-epoch": 1705912121,
+        "source-date-epoch": 1714476565,
         "versions": [
             "3.7.0",
+            "3.6.4",
+            "3.6.3",
+            "3.6.2",
             "3.6.1",
             "3.6.0",
             "3.5.0",
@@ -55,7 +58,7 @@ def get_provider_info():
             "1.0.1",
             "1.0.0",
         ],
-        "dependencies": ["apache-airflow>=2.6.0", "hvac>=1.1.0"],
+        "dependencies": ["apache-airflow>=2.7.0", "hvac>=1.1.0"],
         "integrations": [
             {
                 "integration-name": "Hashicorp Vault",
@@ -77,4 +80,5 @@ def get_provider_info():
             }
         ],
         "secrets-backends": ["airflow.providers.hashicorp.secrets.vault.VaultBackend"],
+        "additional-extras": [{"name": "boto3", "dependencies": ["boto3>=1.33.0"]}],
     }

airflow/providers/hashicorp/hooks/vault.py

@@ -15,6 +15,7 @@
 # specific language governing permissions and limitations
 # under the License.
 """Hook for HashiCorp Vault."""
+
 from __future__ import annotations
 
 import json
@@ -125,7 +126,7 @@ class VaultHook(BaseHook):
         radius_port: int | None = None,
         **kwargs,
     ):
-        super().__init__(logger_name=kwargs.pop("logger_name", None))
+        super().__init__()
         self.connection = self.get_connection(vault_conn_id)
 
         if not auth_type:
@@ -290,7 +291,7 @@ class VaultHook(BaseHook):
 
     def get_conn(self) -> hvac.Client:
         """
-        Retrieves connection to Vault.
+        Retrieve connection to Vault.
 
         :return: connection used.
         """
@@ -313,7 +314,7 @@ class VaultHook(BaseHook):
 
     def get_secret_metadata(self, secret_path: str) -> dict | None:
         """
-        Reads secret metadata (including versions) from the engine. It is only valid for KV version 2.
+        Read secret metadata (including versions) from the engine. It is only valid for KV version 2.
 
         :param secret_path: Path to read from
         :return: secret metadata. This is a Dict containing metadata for the secret.
@@ -327,7 +328,7 @@ class VaultHook(BaseHook):
         self, secret_path: str, secret_version: int | None = None
     ) -> dict | None:
         """
-        Reads secret including metadata. It is only valid for KV version 2.
+        Read secret including metadata. It is only valid for KV version 2.
 
         See https://hvac.readthedocs.io/en/stable/usage/secrets_engines/kv_v2.html for details.
 
@@ -345,7 +346,7 @@ class VaultHook(BaseHook):
         self, secret_path: str, secret: dict, method: str | None = None, cas: int | None = None
     ) -> Response:
         """
-        Creates or updates secret.
+        Create or updates secret.
 
         :param secret_path: Path to read from
         :param secret: Secret to create or update for the path specified
@@ -368,7 +369,7 @@ class VaultHook(BaseHook):
 
     @classmethod
     def get_connection_form_widgets(cls) -> dict[str, Any]:
-        """Returns connection widgets to add to connection form."""
+        """Return connection widgets to add to connection form."""
         from flask_appbuilder.fieldwidgets import BS3TextFieldWidget
         from flask_babel import lazy_gettext
         from wtforms import BooleanField, IntegerField, StringField
@@ -405,7 +406,7 @@ class VaultHook(BaseHook):
 
     @classmethod
     def get_ui_field_behaviour(cls) -> dict[str, Any]:
-        """Returns custom field behaviour."""
+        """Return custom field behaviour."""
         return {
             "hidden_fields": ["extra"],
             "relabeling": {},

airflow/providers/hashicorp/secrets/vault.py

@@ -16,11 +16,13 @@
 # specific language governing permissions and limitations
 # under the License.
 """Objects relating to sourcing connections & variables from Hashicorp Vault."""
+
 from __future__ import annotations
 
-import warnings
 from typing import TYPE_CHECKING
 
+from deprecated import deprecated
+
 from airflow.exceptions import AirflowProviderDeprecationWarning
 from airflow.providers.hashicorp._internal_client.vault_client import _VaultClient
 from airflow.secrets import BaseSecretsBackend
@@ -72,6 +74,9 @@ class VaultBackend(BaseSecretsBackend, LoggingMixin):
     :param key_id: Key ID for Authentication (for ``aws_iam`` and ''azure`` auth_type).
     :param secret_id: Secret ID for Authentication (for ``approle``, ``aws_iam`` and ``azure`` auth_types).
     :param role_id: Role ID for Authentication (for ``approle``, ``aws_iam`` auth_types).
+    :param assume_role_kwargs: AWS assume role param.
+        See AWS STS Docs:
+        https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts/client/assume_role.html
     :param kubernetes_role: Role for Authentication (for ``kubernetes`` auth_type).
     :param kubernetes_jwt_path: Path for kubernetes jwt token (for ``kubernetes`` auth_type, default:
         ``/var/run/secrets/kubernetes.io/serviceaccount/token``).
@@ -105,6 +110,7 @@ class VaultBackend(BaseSecretsBackend, LoggingMixin):
         key_id: str | None = None,
         secret_id: str | None = None,
         role_id: str | None = None,
+        assume_role_kwargs: dict | None = None,
         kubernetes_role: str | None = None,
         kubernetes_jwt_path: str = "/var/run/secrets/kubernetes.io/serviceaccount/token",
         gcp_key_path: str | None = None,
@@ -145,6 +151,7 @@ class VaultBackend(BaseSecretsBackend, LoggingMixin):
             key_id=key_id,
             secret_id=secret_id,
             role_id=role_id,
+            assume_role_kwargs=assume_role_kwargs,
             kubernetes_role=kubernetes_role,
             kubernetes_jwt_path=kubernetes_jwt_path,
             gcp_key_path=gcp_key_path,
@@ -184,6 +191,10 @@ class VaultBackend(BaseSecretsBackend, LoggingMixin):
             secret_path=(mount_point + "/" if mount_point else "") + secret_path
         )
 
+    @deprecated(
+        reason="Method `VaultBackend.get_conn_uri` is deprecated and will be removed in a future release.",
+        category=AirflowProviderDeprecationWarning,
+    )
     def get_conn_uri(self, conn_id: str) -> str | None:
         """
         Get serialized representation of connection.
@@ -193,12 +204,6 @@ class VaultBackend(BaseSecretsBackend, LoggingMixin):
         """
         # Since VaultBackend implements `get_connection`, `get_conn_uri` is not used. So we
         # don't need to implement (or direct users to use) method `get_conn_value` instead
-        warnings.warn(
-            f"Method `{self.__class__.__name__}.get_conn_uri` is deprecated and will be removed "
-            "in a future release.",
-            AirflowProviderDeprecationWarning,
-            stacklevel=2,
-        )
         response = self.get_response(conn_id)
         return response.get("conn_uri") if response else None
 

{apache_airflow_providers_hashicorp-3.7.0rc1.dist-info → apache_airflow_providers_hashicorp-3.7.0rc2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: apache-airflow-providers-hashicorp
-Version: 3.7.0rc1
+Version: 3.7.0rc2
 Summary: Provider package apache-airflow-providers-hashicorp for Apache Airflow
 Keywords: airflow-provider,hashicorp,airflow,integration
 Author-email: Apache Software Foundation <dev@airflow.apache.org>
@@ -19,9 +19,11 @@ Classifier: Programming Language :: Python :: 3.8
 Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
 Classifier: Topic :: System :: Monitoring
-Requires-Dist: apache-airflow>=2.6.0.dev0
+Requires-Dist: apache-airflow>=2.7.0rc0
 Requires-Dist: hvac>=1.1.0
+Requires-Dist: boto3>=1.33.0 ; extra == "boto3"
 Requires-Dist: apache-airflow-providers-google ; extra == "google"
 Project-URL: Bug Tracker, https://github.com/apache/airflow/issues
 Project-URL: Changelog, https://airflow.apache.org/docs/apache-airflow-providers-hashicorp/3.7.0/changelog.html
@@ -30,6 +32,7 @@ Project-URL: Slack Chat, https://s.apache.org/airflow-slack
 Project-URL: Source Code, https://github.com/apache/airflow
 Project-URL: Twitter, https://twitter.com/ApacheAirflow
 Project-URL: YouTube, https://www.youtube.com/channel/UCSXwxpWZQ7XZ1WL3wqevChA/
+Provides-Extra: boto3
 Provides-Extra: google
 
 
@@ -76,7 +79,7 @@ Provides-Extra: google
 
 Package ``apache-airflow-providers-hashicorp``
 
-Release: ``3.7.0.rc1``
+Release: ``3.7.0.rc2``
 
 
 Hashicorp including `Hashicorp Vault <https://www.vaultproject.io/>`__
@@ -98,7 +101,7 @@ You can install this package on top of an existing Airflow 2 installation (see `
 for the minimum Airflow version supported) via
 ``pip install apache-airflow-providers-hashicorp``
 
-The package supports the following python versions: 3.8,3.9,3.10,3.11
+The package supports the following python versions: 3.8,3.9,3.10,3.11,3.12
 
 Requirements
 ------------
@@ -106,7 +109,7 @@ Requirements
 ==================  ==================
 PIP package         Version required
 ==================  ==================
-``apache-airflow``  ``>=2.6.0``
+``apache-airflow``  ``>=2.7.0``
 ``hvac``            ``>=1.1.0``
 ==================  ==================
 

apache_airflow_providers_hashicorp-3.7.0rc2.dist-info/RECORD

@@ -0,0 +1,13 @@
+airflow/providers/hashicorp/LICENSE,sha256=ywUBpKZc7Jb96rVt5I3IDbg7dIJAbUSHkuoDcF3jbH4,13569
+airflow/providers/hashicorp/__init__.py,sha256=7tzswygZ8TCQhYXDblarFr8anGBhJOxGq5NpnXCxHWA,1584
+airflow/providers/hashicorp/get_provider_info.py,sha256=cc57L-afbIWFV3nw_G1i-5XMo-lklVjplGR4Btm-xMA,2887
+airflow/providers/hashicorp/_internal_client/__init__.py,sha256=9hdXHABrVpkbpjZgUft39kOFL2xSGeG4GEua0Hmelus,785
+airflow/providers/hashicorp/_internal_client/vault_client.py,sha256=-56JrdsuVmGRadQ2a4EudeIViFNbFfZtMSGC-Tn4IQA,22534
+airflow/providers/hashicorp/hooks/__init__.py,sha256=9hdXHABrVpkbpjZgUft39kOFL2xSGeG4GEua0Hmelus,785
+airflow/providers/hashicorp/hooks/vault.py,sha256=FWz-aA2otpMox1jdoXCapY6yWqV-vYmC3ycnW5YYRwA,18790
+airflow/providers/hashicorp/secrets/__init__.py,sha256=9hdXHABrVpkbpjZgUft39kOFL2xSGeG4GEua0Hmelus,785
+airflow/providers/hashicorp/secrets/vault.py,sha256=_jxZqLbHnqp047Rza5e5HA5cm7ZR2TRg7O1GKGWFpuA,12245
+apache_airflow_providers_hashicorp-3.7.0rc2.dist-info/entry_points.txt,sha256=M338G3KvFSRu5IqEFm5Qheg_myVuQbsN_2EbAwcgqk4,105
+apache_airflow_providers_hashicorp-3.7.0rc2.dist-info/WHEEL,sha256=EZbGkh7Ie4PoZfRQ8I0ZuP9VklN_TvcZ6DSE5Uar4z4,81
+apache_airflow_providers_hashicorp-3.7.0rc2.dist-info/METADATA,sha256=Ax3cwgZSVRxyPJYLHBwIoYY6iwZbPsiCDx70A9sKEuQ,5941
+apache_airflow_providers_hashicorp-3.7.0rc2.dist-info/RECORD,,

apache_airflow_providers_hashicorp-3.7.0rc1.dist-info/RECORD

@@ -1,13 +0,0 @@
-airflow/providers/hashicorp/LICENSE,sha256=ywUBpKZc7Jb96rVt5I3IDbg7dIJAbUSHkuoDcF3jbH4,13569
-airflow/providers/hashicorp/__init__.py,sha256=1CtuffEMtYeOhmGacOG_85MO775PQm92MAbonrKVScA,1584
-airflow/providers/hashicorp/get_provider_info.py,sha256=wEd4Hu8aa7mO5W9b9UxyldvQuugr4cfTr1bRlzxoxCc,2739
-airflow/providers/hashicorp/_internal_client/__init__.py,sha256=9hdXHABrVpkbpjZgUft39kOFL2xSGeG4GEua0Hmelus,785
-airflow/providers/hashicorp/_internal_client/vault_client.py,sha256=Jbhv3vBsfb9qCK_3oT9WQRzRJq2FIAGYX2a39xie4pk,21372
-airflow/providers/hashicorp/hooks/__init__.py,sha256=9hdXHABrVpkbpjZgUft39kOFL2xSGeG4GEua0Hmelus,785
-airflow/providers/hashicorp/hooks/vault.py,sha256=xLeX8SjvKZ_2DuOj2gr1sEg3jH4Nm4JzOSNL53ln1Es,18838
-airflow/providers/hashicorp/secrets/__init__.py,sha256=9hdXHABrVpkbpjZgUft39kOFL2xSGeG4GEua0Hmelus,785
-airflow/providers/hashicorp/secrets/vault.py,sha256=Z9b-A2gk4bgFijBlYmNWvUcf1RUTXnH7m82x2sORU_Q,11992
-apache_airflow_providers_hashicorp-3.7.0rc1.dist-info/entry_points.txt,sha256=M338G3KvFSRu5IqEFm5Qheg_myVuQbsN_2EbAwcgqk4,105
-apache_airflow_providers_hashicorp-3.7.0rc1.dist-info/WHEEL,sha256=EZbGkh7Ie4PoZfRQ8I0ZuP9VklN_TvcZ6DSE5Uar4z4,81
-apache_airflow_providers_hashicorp-3.7.0rc1.dist-info/METADATA,sha256=oMYJWF5GFr8SHxjf-312nhmyNSNdnuJbBYUB3bBwytQ,5817
-apache_airflow_providers_hashicorp-3.7.0rc1.dist-info/RECORD,,