{"id":7931,"library":"apache-airflow-providers-hashicorp","title":"Apache Airflow Hashicorp Provider","description":"The Apache Airflow Hashicorp Provider package integrates Apache Airflow with Hashicorp products like Vault and Consul. It offers hooks, operators, and secrets backends for managing secrets and interacting with Hashicorp services. The current version is 4.5.2 and it follows a regular release cadence, often aligning with Apache Airflow's major and minor releases, as well as independent updates for features and bug fixes.","status":"active","version":"4.5.2","language":"en","source_language":"en","source_url":"https://github.com/apache/airflow/tree/main/airflow/providers/hashicorp","tags":["airflow","hashicorp","vault","secrets","provider"],"install":[{"cmd":"pip install apache-airflow-providers-hashicorp","lang":"bash","label":"Install the provider"}],"dependencies":[{"reason":"This is an Airflow provider and requires a compatible Airflow installation (>=2.2.0 for provider 4.x).","package":"apache-airflow","optional":false},{"reason":"The Hashicorp Vault client library, used by the Vault hook and secrets backend.","package":"hvac","optional":false}],"imports":[{"note":"Old contrib package imports are deprecated and removed in Airflow 2.0+.","wrong":"from airflow.contrib.hooks.vault_hook import VaultHook","symbol":"HashicorpVaultHook","correct":"from airflow.providers.hashicorp.hooks.vault import HashicorpVaultHook"},{"note":"Operators moved from 'contrib' to specific provider packages in Airflow 2.0+.","wrong":"from airflow.contrib.operators.vault_operator import VaultOperator","symbol":"VaultOperator","correct":"from airflow.providers.hashicorp.operators.vault import VaultOperator"},{"note":"This is the correct path for the Vault secrets backend class.","symbol":"VaultBackend","correct":"from airflow.providers.hashicorp.secrets.vault import VaultBackend"}],"quickstart":{"code":"import os\nfrom datetime import datetime\n\nfrom airflow.models.dag import 
DAG\nfrom airflow.providers.hashicorp.operators.vault import VaultOperator\n\n# Ensure you have a 'vault_default' connection configured in Airflow with appropriate Vault address and authentication details.\n# For local testing, you might need a local Vault instance and a token.\n# Example: 'vault_default' connection type: 'Hashicorp Vault', Host: 'http://localhost:8200', Login: 'token', Password: 'your_vault_token'\n\nwith DAG(\n    dag_id='example_vault_read_secret',\n    start_date=datetime(2023, 1, 1),\n    schedule=None,\n    catchup=False,\n    tags=['vault', 'secrets'],\n) as dag:\n    read_secret = VaultOperator(\n        task_id='read_my_secret',\n        vault_conn_id='vault_default', # Ensure this connection is configured\n        secret_path='secret/data/my-app/db-creds', # Example path, replace with your actual secret path\n        key='username', # The specific key within the secret to retrieve\n        result_key='retrieved_db_username', # XCom key to store the result\n        # Optional: You can specify an output_format, e.g., 'json' or 'plain'\n    )\n\n    # The retrieved value will be pushed to XCom under 'retrieved_db_username'\n    # You can access it in subsequent tasks like this:\n    # from airflow.decorators import task\n    # @task\n    # def use_secret_value(**kwargs):\n    #     secret_value = kwargs['ti'].xcom_pull(task_ids='read_my_secret', key='retrieved_db_username')\n    #     print(f\"Retrieved DB Username: {secret_value}\")\n    #\n    # use_secret_value()","lang":"python","description":"This example DAG demonstrates how to use the `VaultOperator` to read a specific key from a secret stored in Hashicorp Vault. 
It requires a configured 'vault_default' Airflow connection pointing to your Vault instance with appropriate authentication."},"warnings":[{"fix":"Update all imports from `airflow.contrib.hooks.vault_hook` or `airflow.contrib.operators.vault_operator` to `airflow.providers.hashicorp.hooks.vault` and `airflow.providers.hashicorp.operators.vault` respectively.","message":"Airflow providers were refactored in Airflow 2.0+. All `airflow.contrib` imports for Hashicorp components are removed. Using old import paths will result in `ModuleNotFoundError`.","severity":"breaking","affected_versions":"Airflow 2.0.0+ (provider versions 1.x and higher)"},{"fix":"Set `AIRFLOW__SECRETS__BACKEND=airflow.providers.hashicorp.secrets.vault.VaultBackend` and `AIRFLOW__SECRETS__BACKEND_KWARGS='{\"url\": \"http://localhost:8200\", \"token\": \"my-token\"}'` (or other auth methods) in your Airflow environment. Consult documentation for specific auth methods.","message":"Configuring the Vault secrets backend (`VaultBackend`) requires specific Airflow environment variables (`AIRFLOW__SECRETS__BACKEND`, `AIRFLOW__SECRETS__BACKEND_KWARGS`). Misconfiguration often leads to secrets not being fetched or authentication errors.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Double-check your Vault connection details in Airflow, ensure the authentication method (token, AppRole, Kubernetes) is correctly configured both in the Airflow connection and on the Vault server, and that the credentials have the necessary policies/permissions to access the specified secrets.","message":"Vault authentication can be complex, and issues often manifest as `hvac.exceptions.VaultError`. 
Common pitfalls include incorrect tokens, expired credentials, or misconfigured AppRole/Kubernetes authentication.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure an Airflow connection with the specified `vault_conn_id` (e.g., 'vault_default') is created in the Airflow UI (Admin -> Connections) or define it via environment variables (e.g., `AIRFLOW_CONN_VAULT_DEFAULT=vault://<token>@<host>:8200/`).","message":"The `VaultOperator` and `HashicorpVaultHook` rely on an Airflow connection. If the `vault_conn_id` specified in your DAG does not exist or is misconfigured, tasks will fail with connection errors.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"Update imports to use the new provider path: `from airflow.providers.hashicorp.hooks.vault import HashicorpVaultHook`.","cause":"Attempting to import an Airflow provider component from the deprecated `airflow.contrib` package.","error":"ModuleNotFoundError: No module named 'airflow.contrib.hooks.vault_hook'"},{"fix":"Verify that the Vault token or authentication method used in the Airflow connection has the necessary policies attached to read from or write to the desired Vault path.","cause":"The Vault credentials (token, AppRole, etc.) 
used by the Airflow connection do not have sufficient permissions to access the specified secret path.","error":"hvac.exceptions.VaultError: (403, 'permission denied')"},{"fix":"Create a new 'Hashicorp Vault' connection in the Airflow UI (Admin -> Connections) or define it via environment variables (e.g., `AIRFLOW_CONN_VAULT_DEFAULT=vault://<token>@<host>:8200/`).","cause":"The Airflow connection ID specified in the operator or hook is not configured in Airflow.","error":"airflow.exceptions.AirflowException: The conn_id `vault_default` isn't defined!"},{"fix":"Ensure the Kubernetes auth method is enabled and configured on your Vault server, and that the `kubernetes_mount_point` in your Airflow Vault connection (or `backend_kwargs`) matches its path.","cause":"Trying to use Kubernetes authentication but the Kubernetes auth method is not enabled or configured on the Vault server at the expected path.","error":"hvac.exceptions.InvalidRequest: no handler for route 'v1/auth/kubernetes/login'"}]}