
providers

mlflow_secrets_auth.providers

Empty file to make providers a package.

aws_secrets_manager

AWS Secrets Manager authentication provider.

AWSSecretsManagerAuthProvider()

Bases: SecretsBackedAuthProvider

Authentication provider using AWS Secrets Manager.

Requires the optional dependency boto3.

Environment variables

  • AWS_REGION: AWS region (e.g., "eu-west-1"). Required.
  • MLFLOW_AWS_SECRET_ID: Secret identifier or ARN. Required.
  • MLFLOW_AWS_AUTH_MODE: "bearer" (default) or "basic".
  • MLFLOW_AWS_TTL_SEC: Cache TTL in seconds (defaults to provider's default TTL).

Initialize the provider with a default TTL and lazy AWS client.

Source code in src/mlflow_secrets_auth/providers/aws_secrets_manager.py
def __init__(self) -> None:
    """Initialize the provider with a default TTL and lazy AWS client."""
    super().__init__(PROVIDER_AWS, default_ttl=DEFAULT_TTL_SECONDS)
    self._secrets_client: Any | None = None  # boto3 client when available

azure_key_vault

Azure Key Vault authentication provider.

AzureKeyVaultAuthProvider()

Bases: SecretsBackedAuthProvider

Authentication provider using Azure Key Vault.

Requires optional dependencies: azure-identity and azure-keyvault-secrets.

Environment variables

  • AZURE_KEY_VAULT_URL: Full Key Vault URL (e.g., "https://myvault.vault.azure.net"). Required.
  • MLFLOW_AZURE_SECRET_NAME: Secret name to retrieve. Required.
  • MLFLOW_AZURE_AUTH_MODE: "bearer" (default) or "basic".
  • MLFLOW_AZURE_TTL_SEC: Cache TTL in seconds (defaults to provider's default TTL).

Initialize the provider with a default TTL and a lazy SecretClient.

Source code in src/mlflow_secrets_auth/providers/azure_key_vault.py
def __init__(self) -> None:
    """Initialize the provider with a default TTL and a lazy SecretClient."""
    super().__init__(PROVIDER_AZURE, default_ttl=DEFAULT_TTL_SECONDS)
    self._secret_client: Any | None = None  # azure.keyvault.secrets.SecretClient when available

vault

HashiCorp Vault authentication provider.

VaultAuthProvider()

Bases: SecretsBackedAuthProvider

Authentication provider using HashiCorp Vault.

Supports token and AppRole authentication via the hvac client (optional dependency). Secrets are retrieved from KV v2 when possible with a graceful fallback to KV v1.

Environment variables

  • VAULT_ADDR: Vault server address, e.g. "https://vault.example.com".
  • VAULT_TOKEN: Vault token for direct authentication (optional).
  • VAULT_ROLE_ID: AppRole role ID (used if VAULT_TOKEN is not provided).
  • VAULT_SECRET_ID: AppRole secret ID (used if VAULT_TOKEN is not provided).
  • MLFLOW_VAULT_SECRET_PATH: Secret path (e.g. "secret/mlflow/auth" or "secret/data/mlflow/auth").
  • MLFLOW_VAULT_AUTH_MODE: "bearer" (default) or "basic".
  • MLFLOW_VAULT_TTL_SEC: Cache TTL in seconds (defaults to provider's default TTL).

Notes
  • When using KV v2, this implementation auto-detects common path formats and reads via client.secrets.kv.v2.read_secret_version.
  • For KV v1, it falls back to client.secrets.kv.v1.read_secret.
  • Secret dictionaries are JSON-encoded for centralized parsing in the base class.
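
The read order described in these notes, as an added sketch that is not the project's own code: it accepts both path formats shown for MLFLOW_VAULT_SECRET_PATH, tries KV v2 first, and falls back to KV v1 only on a "not found" error so that permission failures still surface. The names split_kv_path, read_secret_json, NotFound and fake_client are hypothetical, as is the choice to pass the literal path to KV v1; with real hvac, pass hvac.exceptions.InvalidPath as not_found.

```python
import json
from types import SimpleNamespace


class NotFound(Exception):
    """Stand-in for hvac.exceptions.InvalidPath (raised by hvac on HTTP 404)."""


def split_kv_path(secret_path):
    """Return (mount, kv2_path, literal_path) for "<mount>/[data/]<path>"."""
    parts = [p for p in secret_path.split("/") if p]
    if len(parts) < 2:
        raise ValueError("secret path must look like '<mount>/<path>'")
    mount, rest = parts[0], parts[1:]
    # KV v2 API paths carry a "data/" segment that the hvac v2 helper adds itself.
    kv2 = rest[1:] if rest[0] == "data" and len(rest) > 1 else rest
    return mount, "/".join(kv2), "/".join(rest)


def read_secret_json(client, secret_path, not_found=(NotFound,)):
    """Read via KV v2, fall back to KV v1 only on 'not found'; return JSON text."""
    mount, kv2_path, literal_path = split_kv_path(secret_path)
    try:
        resp = client.secrets.kv.v2.read_secret_version(path=kv2_path, mount_point=mount)
        data = resp["data"]["data"]  # v2 nests the payload under data.data
    except not_found:
        # Permission or connection errors are not caught, so they surface as-is.
        resp = client.secrets.kv.v1.read_secret(path=literal_path, mount_point=mount)
        data = resp["data"]  # v1 returns the payload directly under data
    return json.dumps(data, sort_keys=True)


def fake_client(engine, store):
    """Constructed test double exposing only the two hvac calls used above."""
    def v2_read(path, mount_point):
        if engine != 2 or (mount_point, path) not in store:
            raise NotFound(path)
        return {"data": {"data": store[(mount_point, path)], "metadata": {"version": 1}}}

    def v1_read(path, mount_point):
        if engine != 1 or (mount_point, path) not in store:
            raise NotFound(path)
        return {"data": store[(mount_point, path)]}

    kv = SimpleNamespace(v2=SimpleNamespace(read_secret_version=v2_read),
                         v1=SimpleNamespace(read_secret=v1_read))
    return SimpleNamespace(secrets=SimpleNamespace(kv=kv))
```

On a KV v1 mount a path containing "data/" is read literally, so "secret/data/mlflow/auth" only resolves there if the secret really lives under data/.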

Initialize the provider with a default TTL and a lazy hvac client.

Source code in src/mlflow_secrets_auth/providers/vault.py
def __init__(self) -> None:
    """Initialize the provider with a default TTL and a lazy hvac client."""
    super().__init__(PROVIDER_VAULT, default_ttl=DEFAULT_TTL_SECONDS)
    self._vault_client: Any | None = None  # hvac.Client if available