These setup steps cover the managed version of AWS Systems Manager Parameter Store as the secrets manager; for the non-managed version, follow only the steps related to the Airflow server and the CLI.
These are the permissions required in the IAM policy to enable the AWS Systems Manager Parameter Store in OpenMetadata.
We have to set up the secrets manager provider we want to use, which in our case is aws-ssm, and the credentials for our AWS account.
The changes to be made in the openmetadata.yaml file of the OpenMetadata server are:
And these are the changes required in the airflow.cfg of our Airflow instance:
As an alternative to editing the airflow.cfg file, we can also set the following environment variables:
If no credentials are provided for the AWS account, or only <aws region> is provided, the default credential chain is used. It looks for credentials in:
- Environment variables
- Shared credential file
- AWS config file
- Assume Role provider
- Instance metadata service on an Amazon EC2 instance that has an IAM role configured
After updating the configuration files, we are ready to restart both services. When the OpenMetadata server starts, it automatically detects that a Secrets Manager has been configured, migrates all our sensitive data to it and removes that data from our DB.
If everything goes as planned, the migrated data appears in your AWS Systems Manager Parameter Store console under parameter names starting with /openmetadata/... The following image shows what it should look like:
Note: If we want to change the starting path for our secret names from openmetadata to a different one, we have to change the property clusterName in our
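A practical way to confirm the migration is to list what now lives under the cluster prefix and check that every migrated value was stored encrypted. The following script is an added example, not OpenMetadata code: it assumes the /openmetadata/ prefix described above (a clusterName of "openmetadata"), assumes that every value OpenMetadata migrates should be a SecureString, and only reads parameter names and types, never the secret values themselves. The parameter names in the sample data are constructed for illustration and are not OpenMetadata's real layout.

```python
"""Post-migration check for OpenMetadata secrets in AWS SSM Parameter Store.

Added example, not OpenMetadata code. It assumes the parameter-name prefix
"/openmetadata/" described on this page (a clusterName of "openmetadata") and
that every value OpenMetadata migrates should be stored as a SecureString.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass
class AuditReport:
    prefix: str
    secure: List[str] = field(default_factory=list)
    plaintext: List[str] = field(default_factory=list)       # under the prefix but not SecureString
    outside_prefix: List[str] = field(default_factory=list)  # not OpenMetadata's, only reported

    @property
    def total(self) -> int:
        return len(self.secure) + len(self.plaintext)

    @property
    def ok(self) -> bool:
        # Migration succeeded if something was written and nothing landed in plaintext.
        return self.total > 0 and not self.plaintext


def prefix_for_cluster(cluster_name: str) -> str:
    """Parameter path prefix for a given clusterName, e.g. "openmetadata" -> "/openmetadata/"."""
    return "/" + cluster_name.strip("/") + "/"


def audit_parameters(params: Iterable[dict], cluster_name: str = "openmetadata") -> AuditReport:
    """Classify parameter metadata records (the shape of ssm:DescribeParameters output)."""
    report = AuditReport(prefix=prefix_for_cluster(cluster_name))
    for p in params:
        name = p["Name"]
        if not name.startswith(report.prefix):
            report.outside_prefix.append(name)
        elif p.get("Type") == "SecureString":
            report.secure.append(name)
        else:
            report.plaintext.append(name)
    for bucket in (report.secure, report.plaintext, report.outside_prefix):
        bucket.sort()
    return report


def fetch_parameters(cluster_name: str = "openmetadata", region: Optional[str] = None) -> List[dict]:
    """Read parameter metadata (names and types, never values) from the live account.

    Uses boto3's default credential chain, i.e. the same lookup order listed
    above, and needs ssm:DescribeParameters. boto3 is imported lazily so the
    offline audit below works without AWS access.
    """
    import boto3

    ssm = boto3.client("ssm", region_name=region)
    path = prefix_for_cluster(cluster_name).rstrip("/")
    found: List[dict] = []
    for page in ssm.get_paginator("describe_parameters").paginate(
        ParameterFilters=[{"Key": "Path", "Option": "Recursive", "Values": [path]}]
    ):
        found.extend(page["Parameters"])
    return found


# Constructed sample records; the names are illustrative, not OpenMetadata's real layout.
SAMPLE_PARAMETERS = [
    {"Name": "/openmetadata/database/mysql/password", "Type": "SecureString"},
    {"Name": "/openmetadata/pipeline/airflow/password", "Type": "SecureString"},
    {"Name": "/openmetadata/dashboard/api-token", "Type": "String"},  # landed unencrypted
    {"Name": "/other-app/api-key", "Type": "SecureString"},
]


def format_report(report: AuditReport) -> str:
    lines = [f"{report.total} parameter(s) under {report.prefix}: {len(report.secure)} SecureString"]
    for name in report.plaintext:
        lines.append(f"  NOT encrypted: {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Swap SAMPLE_PARAMETERS for fetch_parameters() to audit a real account.
    print(format_report(audit_parameters(SAMPLE_PARAMETERS)))
```

Pass a different clusterName to audit_parameters() and fetch_parameters() if you changed the clusterName property, since that changes the prefix the server writes under. The audit deliberately uses DescribeParameters rather than GetParametersByPath so the checking identity never needs permission to decrypt the secrets.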
After enabling the Secrets Manager, we also have to make a slight change in our workflow YAML files. In the workflowConfig we have to add the secrets manager configuration:
Then, in the environment running the CLI, make sure the environment variable AWS_DEFAULT_REGION is set, along with the rest of the configuration required by AWS.
If you enabled the Secrets Manager and you are using your own Airflow to run the ingestions, make sure to configure your YAML files as:
and set the same environment variables to configure Airflow: