more explicit secrets path error messages (#55015) #59224

FoxHelms · 2025-12-08T23:28:08Z

^ Add meaningful description above
Read the Pull Request Guidelines for more information.
In case of fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
In case of a new dependency, check compliance with the ASF 3rd Party License Policy.
In case of backwards incompatible changes please leave a note in a newsfragment file, named {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.

BasPH · 2025-12-09T09:00:36Z

For reference: #55015

BasPH

Hi @FoxHelms, thanks for opening the PR! #55015 states that the error message isn't meaningful when the variable/connection path exists, but the required keys "value" or "conn_uri" inside the Vault secret aren't found.

Those checks happen here:

airflow/providers/hashicorp/src/airflow/providers/hashicorp/secrets/vault.py

Line 228 in 7a930fd

return response.get("value") if response else None
airflow/providers/hashicorp/src/airflow/providers/hashicorp/secrets/vault.py

Line 247 in 7a930fd

return response.get("value") if response else None
airflow/providers/hashicorp/src/airflow/providers/hashicorp/secrets/vault.py

Line 205 in 7a930fd

uri = response.get("conn_uri")

Currently, Airflow simply returns None (for variable/config) or an empty Connection, and doesn't tell the user those keys weren't found. It ends up throwing this rather generic error.

I think Airfow should be more explicit here: could you log a more meaningful error in the Vault provider? I'm thinking something like this (untested)?

if not response:
    return None

try:
    return response["value"]
except KeyError:
    self.log.warning('Vault secret %s fetched but does not have required key "value"', key)
    return None

airflow-core/src/airflow/models/variable.py

FoxHelms · 2025-12-10T02:45:37Z

Got it @BasPH, thanks for the feedback! I implemented your suggestion. I've tried to also test that the logger shows the correct warning, but I've been having trouble mocking it because its a BoundLoggerLazyProxy. Is this test sufficient?

BasPH · 2025-12-11T14:19:07Z

Tested this exact scenario on a live Vault, looking good:

Will check the unit test next

BasPH · 2025-12-11T14:20:12Z

@FoxHelms Can we replicate this check for fetching connections (which requires key "conn_uri") and config too?

FoxHelms · 2025-12-11T20:05:47Z

@BasPH I just updated get_config and get_connection. I'm not sure how to test get_connection because the function always returns a connection, and get_uri always returns a string. Maybe that unit test is unnecessary and displaying the warning message is sufficient?

providers/hashicorp/src/airflow/providers/hashicorp/secrets/vault.py

providers/hashicorp/tests/unit/hashicorp/secrets/test_vault.py

Lee-W · 2026-01-06T02:24:47Z

Looks like there're some compatibility issues we need to resolve due to the log import

FoxHelms · 2026-01-08T06:01:03Z

Fixed!

pierrejeambrun · 2026-01-20T13:48:37Z

@BasPH The PR was updated, do you mind giving this another review to reconsider your request for change. :)

BasPH · 2026-01-20T14:52:10Z

Thanks for the persistence on this @FoxHelms!

* more explicit secrets path error messages * explicitly catch no value key error * reformat invalid path message * more explicit error getting vault config without value key * explicit error when vault conn_uri key not present * removing warnings from get connection * fixing invalid path message format * remove whitespace * mocking logs in unit test * simplify single use variables * fixing log patch package import * using back compatible package

boring-cyborg bot added area:providers provider:hashicorp Hashicorp provider related issues labels Dec 8, 2025

FoxHelms mentioned this pull request Dec 8, 2025

Improve error messaging for Hashicorp Vault secrets provider #55015

Closed

2 tasks

BasPH requested changes Dec 9, 2025

View reviewed changes

airflow-core/src/airflow/models/variable.py Outdated Show resolved Hide resolved

airflow-core/src/airflow/models/variable.py Outdated Show resolved Hide resolved

FoxHelms marked this pull request as ready for review December 15, 2025 21:51

FoxHelms requested review from XD-DENG, ashb and hussein-awala as code owners December 15, 2025 21:51

BasPH reviewed Dec 17, 2025

View reviewed changes

providers/hashicorp/src/airflow/providers/hashicorp/secrets/vault.py Outdated Show resolved Hide resolved

providers/hashicorp/tests/unit/hashicorp/secrets/test_vault.py Show resolved Hide resolved

providers/hashicorp/tests/unit/hashicorp/secrets/test_vault.py Outdated Show resolved Hide resolved

FoxHelms requested review from Lee-W, amoghrajesh, bugraoz93, ephraimbuddy, gopidesupavan, guan404ming, jason810496, jedcunningham, jscheffl, kaxil, mobuchowski, o-nikolas, potiuk, uranusjr, vatsrahul1001 and vincbeck as code owners December 17, 2025 18:31

FoxHelms force-pushed the hashicorp-secrets-errors branch 2 times, most recently from d70b5fa to eafb7fe Compare December 23, 2025 19:43

FoxHelms added 9 commits January 5, 2026 17:25

more explicit secrets path error messages

6d6a895

explicitly catch no value key error

1091f38

reformat invalid path message

dce2e7c

more explicit error getting vault config without value key

878dffc

explicit error when vault conn_uri key not present

4a039b3

removing warnings from get connection

08c4468

fixing invalid path message format

45ff983

remove whitespace

1af4f05

mocking logs in unit test

ec80c9d

Lee-W force-pushed the hashicorp-secrets-errors branch from ec41ad1 to ec80c9d Compare January 5, 2026 09:26

Lee-W approved these changes Jan 5, 2026

View reviewed changes

providers/hashicorp/tests/unit/hashicorp/secrets/test_vault.py Outdated Show resolved Hide resolved

providers/hashicorp/tests/unit/hashicorp/secrets/test_vault.py Outdated Show resolved Hide resolved

simplify single use variables

9830375

FoxHelms force-pushed the hashicorp-secrets-errors branch from 0a41906 to 9830375 Compare January 5, 2026 18:59

FoxHelms requested a review from BasPH January 5, 2026 19:00

FoxHelms added 2 commits January 7, 2026 23:41

fixing log patch package import

8d27c41

using back compatible package

3e00eab

Lee-W approved these changes Jan 8, 2026

View reviewed changes

BasPH approved these changes Jan 20, 2026

View reviewed changes

BasPH merged commit 57146f0 into apache:main Jan 20, 2026
85 checks passed

vincbeck mentioned this pull request Jan 28, 2026

Status of testing Providers that were prepared on January 28, 2026 #61165

Closed

85 tasks

more explicit secrets path error messages (#55015) #59224

more explicit secrets path error messages (#55015) #59224

Conversation

FoxHelms commented Dec 8, 2025

Uh oh!

BasPH commented Dec 9, 2025

Uh oh!

BasPH left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

FoxHelms commented Dec 10, 2025

Uh oh!

BasPH commented Dec 11, 2025

Uh oh!

BasPH commented Dec 11, 2025

Uh oh!

FoxHelms commented Dec 11, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Lee-W commented Jan 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

FoxHelms commented Jan 8, 2026

Uh oh!

pierrejeambrun commented Jan 20, 2026

Uh oh!

BasPH commented Jan 20, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Lee-W commented Jan 6, 2026 •

edited

Loading