From: Michael Crawford
Subject: Re: hiding aws secret key in connections
Date: Wed, 20 Sep 2017 18:47:19 -0400
To: dev@airflow.incubator.apache.org

After some more research it appears that aws_hook in contrib/hooks actually does do it the way I proposed with looking at the login and password of the connection, but it doesn't look at the extra json for the access and secret keys.

    # excerpt from the AwsHook in contrib/hooks/aws_hook.py
    import boto3
    from airflow.exceptions import AirflowException

    def get_client_type(self, client_type, region_name=None):
        try:
            connection_object = self.get_connection(self.aws_conn_id)
            # credentials come from the (encrypted) login/password fields
            aws_access_key_id = connection_object.login
            aws_secret_access_key = connection_object.password
            # only the region is read from the extra JSON
            if region_name is None:
                region_name = connection_object.extra_dejson.get('region_name')
        except AirflowException:
            # No connection found: fallback on boto3 credential strategy
            # http://boto3.readthedocs.io/en/latest/guide/configuration.html
            aws_access_key_id = None
            aws_secret_access_key = None

        return boto3.client(
            client_type,
            region_name=region_name,
            aws_access_key_id=aws_access_key_id,
            aws_secret_access_key=aws_secret_access_key
        )

However the S3Hook looks for this info in a different way, using the older boto library instead of boto3.
So it appears we have 2 different parts of airflow interacting with aws but specifying their credentials in different ways.

Thoughts?

> On Sep 19, 2017, at 12:01 PM, Ali Uz wrote:
>
> We use a dynamic config where we iterate through a JSON file, and all
> sensitive info (like api keys, aws keys, etc...) is pulled from a remote
> k/v store when airflow starts and adds them as fields to the JSON config
> file.
>
> On Tue, Sep 19, 2017 at 6:54 PM, Michael Crawford <
> michael.crawford@modernizingmedicine.com> wrote:
>
>> Did my message go through? I have never tried to send an email to the
>> list before, only silently monitored.
>>
>> Does anyone have any ideas? I would be happy to create an issue and code
>> up the fix myself, but I just wanted to ping here first to make sure I
>> wasn't missing anything and try to get a consensus on how to handle this.
>>
>> Thanks,
>> Mike
>>
>>> On Sep 18, 2017, at 8:03 PM, Michael Crawford <michael.crawford@modernizingmedicine.com> wrote:
>>>
>>> Hi,
>>>
>>> I was wondering if anything had ever been proposed for having the aws
>>> secret key hidden in the aws type connection.
>>>
>>> Currently passing in these credentials is done by defining some json
>>> in the extra params section of the connection like
>>> {"aws_access_key_id":"_your_aws_access_key_id_",
>>> "aws_secret_access_key": "_your_aws_secret_access_key_"}
>>>
>>> While this does work it leaves the secret access key in plain text for
>>> anyone that has access to the connections.
>>>
>>> I know there are other options about setting them as environment
>>> variables, but this doesn't help if we need to define more than one aws
>>> connection with different access keys.
>>>
>>> Two things that immediately came to mind for how to do this:
>>>
>>> 1. use login and password sections of the connection for the access and
>>> secret keys so that the secret gets hidden and encrypted like all the other
>>> passwords.
>>> 2. have an option to encrypt the extra params
>>>
>>> Option 1 seems most logical and should be too hard to implement.
>>>
>>> Open to any ideas people might have on this.
>>>
>>> Thanks,
>>> Mike
>>
>>
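The thread describes two credential paths that disagree: aws_hook reads the encrypted login/password fields, while S3Hook reads the plain-text extra JSON. The following is an added example (not Airflow's code and not from anyone on the list) of a single resolver that honours both paths in a fixed order, plus an audit helper that lists connections still carrying the secret in plain-text extra; the Connection stand-in and the sample connections are constructed here.

```python
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Connection:
    """Constructed stand-in for airflow.models.Connection (not the real class)."""
    conn_id: str
    login: Optional[str] = None
    password: Optional[str] = None   # Airflow encrypts this field at rest
    extra: Optional[str] = None      # stored as plain-text JSON

    @property
    def extra_dejson(self) -> dict:
        return json.loads(self.extra) if self.extra else {}

def resolve_aws_credentials(conn: Connection) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Return (access_key_id, secret_access_key, region_name).

    Precedence: the encrypted login/password fields (the aws_hook path),
    then the extra-JSON keys the S3Hook path reads, then (None, None) so
    boto3 falls through to its own credential chain.
    """
    extra = conn.extra_dejson
    region = extra.get("region_name")
    if conn.login and conn.password:
        return conn.login, conn.password, region
    access, secret = extra.get("aws_access_key_id"), extra.get("aws_secret_access_key")
    if access and secret:
        return access, secret, region
    return None, None, region

def plaintext_secret_conn_ids(conns: List[Connection]) -> List[str]:
    """Audit: conn_ids whose plain-text extra still holds a secret access key."""
    return [c.conn_id for c in conns if c.extra_dejson.get("aws_secret_access_key")]

# Constructed sample connections (placeholder key material, not real credentials).
SAMPLE_CONNS = [
    Connection("aws_encrypted", login="AKIA_EXAMPLE_1", password="secret-1",
               extra='{"region_name": "us-east-1"}'),
    Connection("aws_extra_only",
               extra='{"aws_access_key_id": "AKIA_EXAMPLE_2", "aws_secret_access_key": "secret-2"}'),
    Connection("aws_default_chain"),
]

if __name__ == "__main__":
    for c in SAMPLE_CONNS:
        print(c.conn_id, resolve_aws_credentials(c))
    print("plain-text secrets in extra:", plaintext_secret_conn_ids(SAMPLE_CONNS))
```

Running the audit helper over the real connection table is the quick way to find which connections would need to be moved to login/password before the extra-JSON path is retired.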