Sadan A.

Reputation: 1107

Unable to reach Vault server from Airflow application

I am trying to set up Vault as a secrets backend with Airflow on my local machine with docker-compose but am unable to make a connection. I am building on top of the official Airflow docker-compose file. I have added Vault as a service and added VAULT_ADDR=http://vault:8200 as an environment variable for the Airflow application.

In one of my DAGs, I am trying to fetch a secret from Vault, but I am getting connection refused.

When the services are running, I can access Vault CLI and create secrets which means that Vault is running fine. I also tried docker compose exec -- airflow-webserver curl http://vault:8200 to see if there's some issue with the dag but I get the same connection refused error. I also tried docker compose exec -- airflow-webserver curl http://flower:5555 just to see if the docker networking is working fine and it returned the correct response from flower service.

# example dag
from airflow.decorators import dag, task
from airflow.hooks.base import BaseHook
from airflow.utils.dates import days_ago

default_args = {
    'owner': 'BooHoo'
}


@dag(default_args=default_args, schedule_interval=None, start_date=days_ago(2), tags=['example'])
def get_secrets():
    @task()
    def get():
        conn = BaseHook.get_connection(conn_id='slack_conn_id')
        print(f"Password: {conn.password}, Login: {conn.login}, URI: {conn.get_uri()}, Host: {conn.host}")

    get()


get_secrets_dag = get_secrets()

Here's the docker compose file.

version: '3'
x-airflow-common:
  &airflow-common
  image: apache/airflow:2.1.0-python3.7
  environment:
    &airflow-common-env
    AIRFLOW__CORE__EXECUTOR: CeleryExecutor
    AIRFLOW__CORE__SQL_ALCHEMY_CONN: postgresql+psycopg2://airflow:airflow@postgres/airflow
    AIRFLOW__CELERY__RESULT_BACKEND: db+postgresql://airflow:airflow@postgres/airflow
    AIRFLOW__CELERY__BROKER_URL: redis://:@redis:6379/0
    AIRFLOW__CORE__FERNET_KEY: ''
    AIRFLOW__CORE__DAGS_ARE_PAUSED_AT_CREATION: 'true'
    AIRFLOW__CORE__LOAD_EXAMPLES: 'false'   # default is true
    AIRFLOW__WEBSERVER__EXPOSE_CONFIG: 'true'
    #    AIRFLOW__API__AUTH_BACKEND: 'airflow.api.auth.backend.basic_auth'
    AIRFLOW__SECRETS__BACKEND: 'airflow.providers.hashicorp.secrets.vault.VaultBackend'
    AIRFLOW__SECRETS__BACKEND_KWARGS: '{"connections_path": "connections", "variables_path": "variables", "mount_point": "secrets", "token": "${VAULT_DEV_ROOT_TOKEN_ID}"}'
    VAULT_ADDR: 'http://vault:8200'
    SLACK_WEBHOOK_URL: "${SLACK_WEBHOOK_URL}"
  volumes:
    - ./src/dags:/opt/airflow/dags
    - ./logs:/opt/airflow/logs
  user: "${AIRFLOW_UID:-50000}:${AIRFLOW_GID:-50000}"
  depends_on:
    redis:
      condition: service_healthy
    postgres:
      condition: service_healthy
    vault:
      condition: service_healthy

services:
  vault:
    image: vault:latest
    ports:
      - "8200:8200"
    environment:
      VAULT_ADDR: 'http://0.0.0.0:8200'
      VAULT_DEV_ROOT_TOKEN_ID: "${VAULT_DEV_ROOT_TOKEN_ID}"
    cap_add:
      - IPC_LOCK
    command: vault server -dev
    healthcheck:
      test: [ "CMD", "vault", "status" ]
      interval: 5s
      retries: 5
    restart: always

  postgres:
    # service configuration
    

  redis:
    # service configurations

  airflow-webserver:
    <<: *airflow-common
    command: webserver
    ports:
      - "8080:8080"
    healthcheck:
      test: [ "CMD", "curl", "--fail", "http://localhost:8080/health" ]
      interval: 10s
      timeout: 10s
      retries: 5
    restart: always

  airflow-scheduler:
    <<: *airflow-common
    command: scheduler
    healthcheck:
      test: [ "CMD-SHELL", 'airflow jobs check --job-type SchedulerJob --hostname "$${HOSTNAME}"' ]
      interval: 10s
      timeout: 10s
      retries: 5
    restart: always

  airflow-worker:
    <<: *airflow-common
    command: celery worker
    healthcheck:
      test:
        - "CMD-SHELL"
        - 'celery --app airflow.executors.celery_executor.app inspect ping -d "celery@$${HOSTNAME}"'
      interval: 10s
      timeout: 10s
      retries: 5
    restart: always

  airflow-init:
    <<: *airflow-common
    command: version
    environment:
      <<: *airflow-common-env
      _AIRFLOW_DB_UPGRADE: 'true'
      _AIRFLOW_WWW_USER_CREATE: 'true'
      _AIRFLOW_WWW_USER_USERNAME: ${_AIRFLOW_WWW_USER_USERNAME:-airflow}
      _AIRFLOW_WWW_USER_PASSWORD: ${_AIRFLOW_WWW_USER_PASSWORD:-airflow}

  flower:
    <<: *airflow-common
    # service configuration

volumes:
  postgres-db-volume:

Upvotes: 0

Views: 1336

Answers (1)

Jarek Potiuk

Reputation: 20047

I think you need to specify the dev listen address in your command:

vault server -dev -dev-listen-address="0.0.0.0:8200"

or set

VAULT_DEV_LISTEN_ADDRESS to 0.0.0.0:8200

Here are the docs: https://www.vaultproject.io/docs/commands/server#dev-options

Upvotes: 1
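
A diagnostic for the symptom in this thread, added here as an example (it is not code from the question, the answer, Airflow or Vault): it classifies how a TCP connection to `VAULT_ADDR` ends, which separates a Docker networking problem from a server listening only on loopback. The `probe` function and `HINTS` table are hypothetical names, and the fallback address `http://vault:8200` is taken from the question.

```python
import os
import socket
from urllib.parse import urlparse

# How to read each outcome for the compose setup in the question (added guidance).
HINTS = {
    "listening": "TCP listener reachable; check token and mount_point next",
    "refused": "name resolves but nothing listens on that interface; check the "
               "server's listen address (Vault dev mode defaults to 127.0.0.1:8200)",
    "dns-failure": "service name unknown here; check the service name and networks",
    "unreachable": "timeout or routing error; check networks and firewalling",
}


def probe(addr, timeout=2.0):
    """Return the HINTS key describing how a TCP connect to addr's host:port ends."""
    url = urlparse(addr)
    port = url.port or (443 if url.scheme == "https" else 80)
    try:
        infos = socket.getaddrinfo(url.hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    result = "unreachable"
    for family, socktype, proto, _canon, sockaddr in infos:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect(sockaddr)
                return "listening"
            except ConnectionRefusedError:
                result = "refused"  # host answered, no listener on this address
            except OSError:  # includes socket.timeout
                pass
    return result


if __name__ == "__main__":
    # Run inside an Airflow container, where VAULT_ADDR is already set.
    target = os.environ.get("VAULT_ADDR", "http://vault:8200")
    outcome = probe(target)
    print(f"{target}: {outcome} ({HINTS[outcome]})")
```

Binding the dev server to 0.0.0.0 together with the published `8200:8200` port also makes the in-memory, non-TLS dev server reachable through the host's interfaces, which fits a local setup like the one in the question.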
