This is a secrets backend for CyberArk CCP (central credential provider) for the Apache Airflow platform. It will allow one to pull connections and variables from their CyberArk safes via the CCP.
This library has been tested with Airflow 1.10.14.
Documentation for CyberArk CCP can be found here .
Documentation for Airflow secrets backends can be found here
pip install airflow-cyberark-secrets-backend
Update your airflow.cfg
with the following
[secrets]
backend = airflow_cyberark_secrets_backend.CyberArkSecretsBackend
backend_kwargs = {"app_id": "", "ccp_url": "", "safe": "", "verify": "/path/to/ssl/cert.pem" }
The backend_kwargs:
- app_id : The application ID for CCP
- ccp_url : The host URL for CCP AIM, excluding query params
- safe : The secrets safe
- verify : The SSL cert path to for CCP SSL, can be False for disable, can be env var
CYBERARK_SSL
, defaultFalse
This library expects and requires your CyberArk response to have the the following properties (will be mapped mapped to Airflow keys). This map is a band-aid required from the little configuration CyberArk PAM (11.xx) allows.
- AccountDescription : svc_account
- ApplicationName : schema
- Address : host
- Comment : extra
- Content : password
- LogonDomain : login
- Port : port
AccountDescription : svc_account field is used to fetch password from rotating secret where the fetched secret is static, i.e. if you fetch
secret1
which is static, if you specify the CCP URL forsecret2
which rotates it will fetch metadata forsecret1
and fill in password fromsecret2
in its response
PRs welcomed.
The following will install in editable mode with all required development tools.
git clone https://github.com/jkornblum/airflow-cyberark-secrets-backend.git
cd airflow-cyberark-secrets-backend
pip install -e '.[dev]'
Please format (black
) and lint (pylint
) before submitting PR.