Add JWT/OIDC authentication support to Hashicorp Vault provider by piotrlinski · Pull Request #61439 · apache/airflow

piotrlinski · 2026-02-04T09:09:51Z

This adds JWT/OIDC authentication method support to the Hashicorp Vault provider, enabling token-less authentication through identity federation.

Key features:

New 'jwt' auth_type for VaultClient, VaultHook, and VaultBackend
Support for jwt_token parameter or automatic token retrieval from jwt_path
Configurable jwt_role for Vault role binding
Full backwards compatibility with existing auth methods

Use cases enabled:

Kubernetes workload identity with projected service account tokens
Cloud provider identity (AWS IAM roles, GCP Workload Identity, Azure AD)
CI/CD pipelines (GitHub Actions OIDC, GitLab CI)
External identity providers (Auth0, Okta, Keycloak)

Was generative AI tooling used to co-author this PR?

Yes (please specify the tool below)

Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
When adding dependency, check compliance with the ASF 3rd Party License Policy.
For significant user-facing changes create newsfragment: {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.

This adds JWT/OIDC authentication method support to the Hashicorp Vault provider, enabling token-less authentication through identity federation. Key features: - New 'jwt' auth_type for VaultClient, VaultHook, and VaultBackend - Support for jwt_token parameter or automatic token retrieval from jwt_path - Configurable jwt_role for Vault role binding - Full backwards compatibility with existing auth methods Use cases enabled: - Kubernetes workload identity with projected service account tokens - Cloud provider identity (AWS IAM roles, GCP Workload Identity, Azure AD) - CI/CD pipelines (GitHub Actions OIDC, GitLab CI) - External identity providers (Auth0, Okta, Keycloak) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

boring-cyborg · 2026-02-04T09:09:54Z

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contributors' Guide (https://github.com/apache/airflow/blob/main/contributing-docs/README.rst)
Here are some useful points:

Pay attention to the quality of your code (ruff, mypy and type annotations). Our prek-hooks will help you with that.
In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example DAG that shows how users should use it.
Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
Be sure to read the Airflow Coding style.
Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.
Apache Airflow is a community-driven project and together we are making it better 🚀.
In case of doubts contact the developers at:
Mailing List: dev@airflow.apache.org
Slack: https://s.apache.org/airflow-slack

This adds JWT/OIDC authentication method support to the Hashicorp Vault provider, enabling token-less authentication through identity federation. Key features: - New 'jwt' auth_type for VaultClient, VaultHook, and VaultBackend - Support for jwt_token parameter or automatic token retrieval from jwt_token_path - Default jwt_token_path set to /var/run/secrets/kubernetes.io/serviceaccount/token (standard Kubernetes service account token path) - Configurable jwt_role for Vault role binding - Full backwards compatibility with existing auth methods Use cases enabled: - Kubernetes workload identity with projected service account tokens - Cloud provider identity (AWS IAM roles, GCP Workload Identity, Azure AD) - CI/CD pipelines (GitHub Actions OIDC, GitLab CI) - External identity providers (Auth0, Okta, Keycloak) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

…client/vault_client.py Co-authored-by: Wei Lee <weilee.rx@gmail.com>

…t.py Co-authored-by: Wei Lee <weilee.rx@gmail.com>

…client/vault_client.py Co-authored-by: Wei Lee <weilee.rx@gmail.com>

Lee-W

a few nits, but overall looks good

Lee-W · 2026-02-06T08:45:12Z

there is still one thing I am not sure, I made the default path for the jwt_token_path like for kubernetes (usually it goes with kubernets), however the JWT method does not have to be anyhow related to k8s, therefor not sure if we should keep it as default or remove - you need to pass the jwt_token (string) or jwt_token_path(path to a file with a token)

Pass it might be better as it doesn't always goes with k8s

Replace assert_called_with with call_args_list assertions in JWT tests to verify exact number of calls. Inline kwargs dicts directly into VaultHook() constructor calls where they are only used once. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Lee-W · 2026-02-07T02:39:52Z

@jason810496 would appreciate a second pair of eyes. Thanks!

jason810496

Thank you for the PR! LGTM overall.

- fix documentaion - minor fiex

JWT is a general-purpose Vault auth method, not tied to Kubernetes. Remove the DEFAULT_JWT_TOKEN_PATH constant (which pointed to the K8s service account token path) and its fallback in VaultHook. Users must now explicitly provide either jwt_token or jwt_token_path when using JWT auth, otherwise _VaultClient raises a clear validation error. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

boring-cyborg · 2026-02-09T13:56:45Z

Awesome work, congrats on your first merged pull request! You are invited to check our Issue Tracker for additional contributions.

…he#61439) * Add JWT/OIDC authentication support to Hashicorp Vault provider This adds JWT/OIDC authentication method support to the Hashicorp Vault provider, enabling token-less authentication through identity federation. Key features: - New 'jwt' auth_type for VaultClient, VaultHook, and VaultBackend - Support for jwt_token parameter or automatic token retrieval from jwt_path - Configurable jwt_role for Vault role binding - Full backwards compatibility with existing auth methods Use cases enabled: - Kubernetes workload identity with projected service account tokens - Cloud provider identity (AWS IAM roles, GCP Workload Identity, Azure AD) - CI/CD pipelines (GitHub Actions OIDC, GitLab CI) - External identity providers (Auth0, Okta, Keycloak) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * Update providers/hashicorp/src/airflow/providers/hashicorp/_internal_client/vault_client.py Co-authored-by: Wei Lee <weilee.rx@gmail.com> * Update providers/hashicorp/src/airflow/providers/hashicorp/hooks/vault.py Co-authored-by: Wei Lee <weilee.rx@gmail.com> * update the args order for methods * Update providers/hashicorp/src/airflow/providers/hashicorp/_internal_client/vault_client.py Co-authored-by: Wei Lee <weilee.rx@gmail.com> * apply fixes for oorder in new jwt parameter for docsstring * Address PR review: use stricter mock assertions and inline kwargs Replace assert_called_with with call_args_list assertions in JWT tests to verify exact number of calls. Inline kwargs dicts directly into VaultHook() constructor calls where they are only used once. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * - remove jwt token defaults - fix documentaion - minor fiex * Remove DEFAULT_JWT_TOKEN_PATH constant and K8s fallback from JWT auth JWT is a general-purpose Vault auth method, not tied to Kubernetes. Remove the DEFAULT_JWT_TOKEN_PATH constant (which pointed to the K8s service account token path) and its fallback in VaultHook. Users must now explicitly provide either jwt_token or jwt_token_path when using JWT auth, otherwise _VaultClient raises a clear validation error. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Wei Lee <weilee.rx@gmail.com>

piotrlinski requested a review from hussein-awala as a code owner February 4, 2026 09:09

boring-cyborg Bot added area:providers area:secrets kind:documentation provider:hashicorp Hashicorp provider related issues labels Feb 4, 2026

piotrlinski added 2 commits February 4, 2026 10:12

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

df1f034

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

7b3f585

piotrlinski force-pushed the feature/hashicorp-vault-jwt-auth branch from 67cfccc to e41fbc4 Compare February 4, 2026 12:08

piotrlinski force-pushed the feature/hashicorp-vault-jwt-auth branch from e41fbc4 to 8c4b25a Compare February 4, 2026 12:12

piotrlinski added 3 commits February 4, 2026 13:39

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

bf9fe02

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

326e37b

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

debb0a8

eladkal requested review from Lee-W and jason810496 February 5, 2026 08:08

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

74bea4a

Lee-W reviewed Feb 5, 2026

View reviewed changes

piotrlinski and others added 4 commits February 5, 2026 11:25

Update providers/hashicorp/src/airflow/providers/hashicorp/_internal_…

2c5d2e6

…client/vault_client.py Co-authored-by: Wei Lee <weilee.rx@gmail.com>

Update providers/hashicorp/src/airflow/providers/hashicorp/hooks/vaul…

5e8ca9a

…t.py Co-authored-by: Wei Lee <weilee.rx@gmail.com>

update the args order for methods

9878211

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

e953759

piotrlinski requested a review from Lee-W February 5, 2026 11:30

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

753969e

Lee-W reviewed Feb 5, 2026

View reviewed changes

Comment thread providers/hashicorp/src/airflow/providers/hashicorp/_internal_client/vault_client.py

Comment thread providers/hashicorp/src/airflow/providers/hashicorp/hooks/vault.py Outdated

piotrlinski and others added 2 commits February 5, 2026 15:19

Update providers/hashicorp/src/airflow/providers/hashicorp/_internal_…

23b26ac

…client/vault_client.py Co-authored-by: Wei Lee <weilee.rx@gmail.com>

apply fixes for oorder in new jwt parameter for docsstring

07bd4b3

piotrlinski requested a review from Lee-W February 5, 2026 14:21

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

4b82129

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

1c89bd3

Lee-W reviewed Feb 6, 2026

View reviewed changes

piotrlinski and others added 3 commits February 6, 2026 11:15

Merge branch 'apache:main' into feature/hashicorp-vault-jwt-auth

e48475f

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

d9e2ff8

piotrlinski requested a review from Lee-W February 6, 2026 12:29

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

6252917

Lee-W approved these changes Feb 6, 2026

View reviewed changes

piotrlinski added 2 commits February 6, 2026 14:56

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

2302112

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

c76a618

jason810496 reviewed Feb 7, 2026

View reviewed changes

Comment thread providers/hashicorp/src/airflow/providers/hashicorp/_internal_client/vault_client.py Outdated

Comment thread providers/hashicorp/src/airflow/providers/hashicorp/hooks/vault.py

piotrlinski and others added 4 commits February 7, 2026 15:49

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

a74af6a

- remove jwt token defaults

5cfcec1

- fix documentaion - minor fiex

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

bdf6654

piotrlinski requested a review from jason810496 February 9, 2026 07:50

piotrlinski added 2 commits February 9, 2026 10:11

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

481755f

Merge branch 'main' into feature/hashicorp-vault-jwt-auth

df0bed3

jason810496 merged commit 43b5193 into apache:main Feb 9, 2026
86 checks passed

shahar1 mentioned this pull request Feb 11, 2026

Status of testing Providers that were prepared on February 10, 2026 #61766

Closed

81 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add JWT/OIDC authentication support to Hashicorp Vault provider#61439

Add JWT/OIDC authentication support to Hashicorp Vault provider#61439
jason810496 merged 30 commits into
apache:mainfrom
piotrlinski:feature/hashicorp-vault-jwt-auth

piotrlinski commented Feb 4, 2026 •

edited

Loading

Uh oh!

boring-cyborg Bot commented Feb 4, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Lee-W left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Lee-W commented Feb 6, 2026

Uh oh!

Lee-W commented Feb 7, 2026

Uh oh!

jason810496 left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

boring-cyborg Bot commented Feb 9, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

piotrlinski commented Feb 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Was generative AI tooling used to co-author this PR?

Uh oh!

boring-cyborg Bot commented Feb 4, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Lee-W left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Lee-W commented Feb 6, 2026

Uh oh!

Lee-W commented Feb 7, 2026

Uh oh!

jason810496 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

boring-cyborg Bot commented Feb 9, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

piotrlinski commented Feb 4, 2026 •

edited

Loading