AAI Tokens lifecycle
- Advantage of HashiCorp Vault over Airflow connections: Vault's storage is encrypted at rest, so when the instance shuts down the data stays encrypted, and after a restart an admin has to unseal Vault (enter the unseal key) before any secret can be decrypted again
- Airflow connects to Vault with a service account (one machine identity, not the individual user's credentials)
- Vault stores the offline tokens of all users
- The offline token is first created in the security manager of the Airflow instance; whether a user gets one is decided by reading a user attribute carried in the token (a Keycloak user attribute mapped into the token)
- Offline tokens have effectively unlimited validity: they stay valid until explicitly revoked (e.g. after an incident). Caveat: Keycloak's offline session idle timeout (30 days by default) invalidates an offline token that has not been used within that window, so "infinite" only holds while the token is refreshed regularly
- Revoke a user's offline tokens when deactivating the user, and delete the copy held in Vault at the same time (revoking alone leaves a dead token in Vault, deleting alone leaves a live token at Keycloak)
- DAG code runs inside the Airflow instance, which holds the Vault service account, so anyone who can get arbitrary Python into a DAG could read other users' offline tokens. To make sure nobody can obtain anyone else's token, an auditor must review every custom Python DAG before it is deployed; this review is what guarantees that no arbitrary code ends up in the DAGs
- Responsible persons: @martin.golasowski, @voj189, @jan.swiatkowski
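The lifecycle described above (decide from the Keycloak attribute, store per user in Vault, revoke and delete on deactivation) as an added example; this is not the project's own code. Assumptions not stated in the note: the Keycloak token has already been signature-verified upstream and arrives as its decoded claims dict; the Keycloak attribute is mapped into the token as the claim `aai_offline_token` (hypothetical name); tokens live in a Vault KV v2 mount under `secret/data/aai/offline/<user>` (hypothetical path); the Keycloak base URL, realm and client id are placeholders; an in-memory stand-in replaces the Vault client so the example runs offline.

```python
"""Offline-token lifecycle helper (added example, not the project's code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Protocol

OFFLINE_CLAIM = "aai_offline_token"            # hypothetical claim carrying the Keycloak attribute
VAULT_PREFIX = "secret/data/aai/offline"        # hypothetical KV v2 path prefix, one entry per user
KEYCLOAK_BASE = "https://keycloak.example.org"  # hypothetical
REALM = "aai"                                   # hypothetical
CLIENT_ID = "airflow"                           # hypothetical Keycloak client used by Airflow


class VaultKV(Protocol):
    """Minimal interface; a real implementation would wrap hvac's KV v2 calls."""
    def write(self, path: str, data: dict) -> None: ...
    def read(self, path: str) -> dict | None: ...
    def delete(self, path: str) -> None: ...


class InMemoryVault:
    """Stand-in for the Vault KV mount so the example runs offline."""
    def __init__(self) -> None:
        self.store: dict[str, dict] = {}

    def write(self, path: str, data: dict) -> None:
        self.store[path] = dict(data)

    def read(self, path: str) -> dict | None:
        return self.store.get(path)

    def delete(self, path: str) -> None:
        self.store.pop(path, None)


def offline_token_allowed(claims: dict) -> bool:
    """Decision step from the note: read the Keycloak user attribute in the token.
    Keycloak attribute mappers emit a list for multivalued attributes, so accept both."""
    value = claims.get(OFFLINE_CLAIM)
    if isinstance(value, list):
        value = value[0] if value else None
    return str(value).lower() == "true"


def vault_path(username: str) -> str:
    """One path per user; reject names that could escape the prefix."""
    if not username or "/" in username or ".." in username or username != username.strip():
        raise ValueError(f"unsafe username for a Vault path: {username!r}")
    return f"{VAULT_PREFIX}/{username}"


@dataclass
class RevocationRequest:
    """Keycloak's RFC 7009 revocation call; an offline token is a refresh token.
    The sender is expected to add the client secret (assumption)."""
    url: str
    form: dict[str, str]


@dataclass
class OfflineTokenManager:
    vault: VaultKV
    send: Callable[[RevocationRequest], None]

    def issue(self, claims: dict, offline_token: str) -> bool:
        """Store the offline token just created for the user in `claims`.
        Returns False and stores nothing when the attribute does not allow it."""
        if not offline_token_allowed(claims):
            return False
        self.vault.write(vault_path(claims["preferred_username"]),
                         {"offline_token": offline_token, "subject": claims["sub"]})
        return True

    def get(self, username: str) -> str | None:
        entry = self.vault.read(vault_path(username))
        return entry["offline_token"] if entry else None

    def deactivate(self, username: str) -> bool:
        """Revoke at Keycloak AND drop the Vault copy, in that order, so a failed
        revocation leaves the record (and the problem) visible in Vault."""
        path = vault_path(username)
        entry = self.vault.read(path)
        if entry is None:
            return False
        self.send(RevocationRequest(
            url=f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/revoke",
            form={"client_id": CLIENT_ID, "token": entry["offline_token"],
                  "token_type_hint": "refresh_token"}))
        self.vault.delete(path)
        return True


def demo() -> dict:
    """Run the lifecycle end to end on constructed claims against the in-memory Vault."""
    vault, sent = InMemoryVault(), []
    mgr = OfflineTokenManager(vault, sent.append)
    alice = {"sub": "11", "preferred_username": "alice", OFFLINE_CLAIM: "true"}
    bob = {"sub": "22", "preferred_username": "bob"}  # attribute absent: no offline token
    return {
        "alice_issued": mgr.issue(alice, "offline-token-alice"),
        "bob_issued": mgr.issue(bob, "offline-token-bob"),
        "alice_stored": mgr.get("alice"),
        "bob_stored": mgr.get("bob"),
        "alice_deactivated": mgr.deactivate("alice"),
        "revocation_forms": [r.form for r in sent],
        "alice_after": mgr.get("alice"),
        "second_deactivate": mgr.deactivate("alice"),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the code makes explicit: the per-user Vault path is derived from a validated username so a crafted `preferred_username` cannot point at another user's entry, and deactivation always performs both halves (Keycloak revocation and Vault delete) rather than leaving one side stale.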
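A static pre-screen that supports the DAG review requirement above, as an added example (not the project's own tooling). It flags the constructs a reviewer must look at in a custom DAG: imports of modules that reach Vault, the OS or dynamic code loading, `eval`/`exec`-style calls, `os.system`-style calls, and any string literal that references the offline-token path. The deny lists and the Vault prefix are assumptions; the two DAG sources are constructed for the example.

```python
"""Static pre-screen for custom Airflow DAG files (added example, not the project's tool)."""
import ast

# Assumed deny lists: modules and builtins a DAG has no business touching in this setup.
DENIED_MODULES = {"hvac", "subprocess", "ctypes", "importlib", "pickle", "marshal"}
DENIED_BUILTINS = {"eval", "exec", "compile", "__import__", "open"}
DENIED_OS_CALLS = {"system", "popen", "execv", "execve", "spawnl", "spawnv"}
VAULT_PREFIX = "secret/data/aai/offline"   # hypothetical per-user offline-token path


class DagAuditor(ast.NodeVisitor):
    """Collects (line, message) findings; it does not decide, the human auditor does."""

    def __init__(self) -> None:
        self.findings: list = []

    def _flag(self, node: ast.AST, message: str) -> None:
        self.findings.append((node.lineno, message))

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            if alias.name.split(".")[0] in DENIED_MODULES:
                self._flag(node, f"import of denied module {alias.name}")
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if (node.module or "").split(".")[0] in DENIED_MODULES:
            self._flag(node, f"import from denied module {node.module}")
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Name) and func.id in DENIED_BUILTINS:
            self._flag(node, f"call to {func.id}()")
        elif (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
              and func.value.id == "os" and func.attr in DENIED_OS_CALLS):
            self._flag(node, f"call to os.{func.attr}()")
        self.generic_visit(node)

    def visit_Constant(self, node: ast.Constant) -> None:
        if isinstance(node.value, str) and VAULT_PREFIX in node.value:
            self._flag(node, "string literal references the offline-token path")
        self.generic_visit(node)


def audit_dag_source(source: str, filename: str = "<dag>") -> list:
    """Return sorted (line, message) findings; a syntax error is itself a finding."""
    try:
        tree = ast.parse(source, filename)
    except SyntaxError as exc:
        return [(exc.lineno or 0, f"syntax error: {exc.msg}")]
    auditor = DagAuditor()
    auditor.visit(tree)
    return sorted(auditor.findings)


# Constructed sample: a DAG that reaches for another user's token through the shared service account.
SUSPECT_DAG = """\
from airflow import DAG
from airflow.operators.python import PythonOperator
import hvac

def grab():
    client = hvac.Client()
    return client.read("secret/data/aai/offline/otheruser")

with DAG("suspect") as dag:
    PythonOperator(task_id="t", python_callable=grab)
"""

# Constructed sample: an ordinary DAG that should pass the pre-screen.
CLEAN_DAG = """\
from airflow import DAG
from airflow.operators.python import PythonOperator

def work():
    return sum(range(10))

with DAG("clean") as dag:
    PythonOperator(task_id="t", python_callable=work)
"""


if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT_DAG), ("clean", CLEAN_DAG)):
        print(name, audit_dag_source(src) or "no findings")
```

This is a reviewer aid, not an enforcement gate: string building, `getattr` tricks or a dependency pulled in at runtime can evade an AST scan, which is exactly why the note keeps a human auditor in the loop. Run it as the first step of the review so the reviewer starts from the flagged lines.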
Edited by Jan Swiatkowski