Set up HashiCorp Vault as your secrets backend

This page provides steps for using HashiCorp Vault as a secrets backend for both local development and on Astro.

To do this, you will:

• Create an AppRole in Vault which grants Astro minimal required permissions.
• Write a test Airflow variable or connection as a secret to your Vault server.
• Configure your Astro project to pull the secret from Vault.
• Test the backend in a local environment.
• Deploy your changes to Astro.

If you use a different secrets backend tool or want to learn the general approach on how to integrate one, see Configure a Secrets Backend.

Prerequisites

• A Deployment on Astro.
• The Astro CLI.
• A local or hosted Vault server. See Starting the Server or Create a Vault Cluster on HCP.
• An Astro project.
• The Vault CLI.
• Your Vault Server’s URL. If you’re using a local server, this should be http://127.0.0.1:8200/.
• (Remote Execution Only) Helm installed
• (Remote Execution Only) The values.yaml file from the Register Agents modal in your Deployments>Agents page.

If you don’t already have a Vault server deployed but would like to test this feature, Astronomer recommends that you either:

• Sign up for a Vault trial on HashiCorp Cloud Platform (HCP) or
• Deploy a local Vault server. See Starting the server in HashiCorp documentation.

Step 1: Create a policy and AppRole in Vault

To use Vault as a secrets backend, Astronomer recommends configuring a Vault AppRole with a policy that grants only the minimum necessary permissions for Astro. For Remote Execution Deployments, you can use any Vault authentication method you prefer, for example Kubernetes auth if your agents and Vault are running on Kubernetes.

To do this:

1. Run the following command to create a Vault policy that Astro can use to access a Vault server:

   1
   vault auth enable approle
   2
   vault policy write astro_policy - <<EOF
   3
   path "secret/*" {
   4
     capabilities = ["create", "read", "update", "patch", "delete", "list"]
   5
   }
   6
   EOF

2. Run the following command to create a Vault AppRole:

   1
   vault auth enable approle
   2
   vault write auth/approle/role/astro_role \
   3
       role_id=astro_role \
   4
       secret_id_ttl=0 \
   5
       secret_id_num_uses=0 \
   6
       token_num_uses=0 \
   7
       token_ttl=24h \
   8
       token_max_ttl=24h \
   9
       token_policies=astro_policy

3. Run the following command to retrieve the secret-id for your AppRole:

   $
   vault write -f auth/approle/role/<your-approle>/secret-id

   Save this value. You’ll use this later to complete the setup.

Step 2: Create an Airflow variable or connection in Vault

To start, create an Airflow variable or connection in Vault that you want to store as a secret. It can be either a real or test value. You will use this secret to test your backend’s functionality.

You can use an existing mount point or create a new one to store your Airflow connections and variables. For example, to create a new mount point called airflow, run the following Vault CLI command:

$
vault secrets enable -path=airflow -version=2 kv

To store an Airflow variable in Vault as a secret at the path variables, run the following Vault CLI command with your own values:

$
vault kv put -mount=airflow variables/<your-variable-name> value=<your-value>

To store an Airflow connection in Vault as a secret at the path connections, first format the connection as a URI. Then, run the following Vault CLI command with your own values:

$
vault kv put -mount=airflow connections/<your-connection-name> conn_uri=<connection-type>://<connection-login>:<connection-password>@<connection-host>:<connection-port>

To format existing connections in URI format, see Import and export connections.

To confirm that your secret was written to Vault successfully, run:

$
# For variables
$
$ vault kv get -mount=airflow variables/<your-variable-name>
$
$
# For connections
$
$ vault kv get -mount=airflow connections/<your-connection-name>

Step 3: Set up Vault locally

$
apache-airflow-providers-hashicorp

$
AIRFLOW__SECRETS__BACKEND=airflow.providers.hashicorp.secrets.vault.VaultBackend
$
AIRFLOW__SECRETS__BACKEND_KWARGS={"connections_path": "connections", "variables_path": "variables",  "mount_point": "airflow", "url": "http://host.docker.internal:8200", "auth_type": "approle", "role_id":"astro_role", "secret_id":"<your-approle-secret>"}

This tells Airflow to look for variable and connection information at the airflow/variables/* and airflow/connections/* paths in your Vault server. You can now run a Dag locally to check that your variables are accessible using Variable.get("<your-variable-key>").

(Optional) Authenticate to Vault with AWS Assume Role (STS)

If your Astro environment runs in AWS, you can authenticate to Vault using AWS IAM with an STS assume role instead of an AppRole. This lets Vault verify the assumed AWS IAM role rather than requiring you to manage a long-lived AppRole secret. For more details, see Vault authentication with AWS Assume Role STS in the Apache Airflow documentation.

To use this authentication method, set auth_type to aws_iam and provide assume_role_kwargs with the IAM role to assume. For example:

$
AIRFLOW__SECRETS__BACKEND=airflow.providers.hashicorp.secrets.vault.VaultBackend
$
AIRFLOW__SECRETS__BACKEND_KWARGS={"connections_path": "connections", "variables_path": "variables", "mount_point": "airflow", "url": "<your-hashicorpvault-url>", "auth_type": "aws_iam", "assume_role_kwargs": {"RoleArn": "arn:aws:iam::<account-id>:role/<role-name>", "RoleSessionName": "Airflow"}}

For the full list of supported parameters in assume_role_kwargs, see the AWS STS assume_role reference.

Step 4: Deploy configuration

Now, any Airflow variable or connection that you write to your Vault server can be successfully accessed and pulled by any Dag in your Deployment on Astro.