Google Cloud Secret Manager Backend¶

This topic describes how to configure Airflow to use Secret Manager as a secret backend and how to manage secrets.

Before you begin¶

Before you start, make sure you have performed the following tasks:

Include sendgrid subpackage as part of your Airflow installation
```
pip install apache-airflow[google]
```
Configure Secret Manager and your local environment, once per project.

Enabling the secret backend¶

To enable the secret backend for Google Cloud Secrets Manager to retrieve connection/variables, specify CloudSecretManagerBackend as the backend in [secrets] section of airflow.cfg.

Here is a sample configuration if you want to use it:

[secrets]
backend = airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend

You can also set this with environment variables.

export AIRFLOW__SECRETS__BACKEND=airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend

You can verify the correct setting of the configuration options with the airflow config get-value command.

$ airflow config get-value secrets backend
airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend

Backend parameters¶

The next step is to configure backend parameters using the backend_kwargs options. You can pass the following parameters:

connections_prefix: Specifies the prefix of the secret to read to get Connections. Default: "airflow-connections"
variables_prefix: Specifies the prefix of the secret to read to get Variables. Default: "airflow-variables"
gcp_key_path: Path to Google Cloud Service Account Key file (JSON).
gcp_keyfile_dict: Dictionary of keyfile parameters.
gcp_scopes: Comma-separated string containing OAuth2 scopes.
sep: Separator used to concatenate connections_prefix and conn_id. Default: "-"
project_id: Project ID to read the secrets from. If not passed, the project ID from credentials will be used.

All options should be passed as a JSON dictionary.

For example, if you want to set parameter connections_prefix to "airflow-tenant-primary" and parameter variables_prefix to "variables_prefix", your configuration file should look like this:

[secrets]
backend = airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend
backend_kwargs = {"connections_prefix": "airflow-tenant-primary", "variables_prefix": "airflow-tenant-primary"}

Set-up credentials¶

You can configure the credentials in three ways:

By default, Application Default Credentials (ADC) is used obtain credentials.
gcp_key_path option in backend_kwargs option - allows you to configure authorizations with a service account stored in local file.
gcp_keyfile_dict option in backend_kwargs option - allows you to configure authorizations with a service account stored in Airflow configuration.

Note

For more information about the Application Default Credentials (ADC), see:

google.auth.default

Setting Up Authentication for Server to Server Production Applications

Managing secrets¶

If you want to configure a connection, you need to save it as a connection URI representation. Variables should be saved as plain text.

In order to manage secrets, you can use the gcloud tool or other supported tools. For more information, take a look at: Managing secrets in Google Cloud Documentation.

The name of the secret must fit the following formats:

for connection: [variable_prefix][sep][connection_name]

for variable: [connections_prefix][sep][variable_name]

for Airflow config: [config_prefix][sep][config_name]

where:

connections_prefix - fixed value defined in the connections_prefix parameter in backend configuration. Default: airflow-connections.

variable_prefix - fixed value defined in the variable_prefix parameter in backend configuration. Default: airflow-variables.

config_prefix - fixed value defined in the config_prefix parameter in backend configuration. Default: airflow-config.

sep - fixed value defined in the sep parameter in backend configuration. Default: -.

The Cloud Secrets Manager secret name should follow the pattern ^[a-zA-Z0-9-_]*$.

If you have the default backend configuration and you want to create a connection with conn_id equals first-connection, you should create secret named airflow-connections-first-connection. You can do it with the gcloud tools as in the example below.

$ echo "mysql://example.org" | gcloud beta secrets create \
    airflow-connections-first-connection \
    --data-file=- \
    --replication-policy=automatic
Created version [1] of the secret [airflow-variables-first-connection].

      
    

If you have the default backend configuration and you want to create a variable named first-variable, you should create a secret named airflow-variables-first-variable. You can do it with the gcloud command as in the example below.

$ echo "secret_content" | gcloud beta secrets create \
    airflow-variables-first-variable \
    --data-file=-\
    --replication-policy=automatic
Created version [1] of the secret [airflow-variables-first-variable].

      
    

Checking configuration¶

You can use the airflow connections get command to check if the connection is correctly read from the backend secret:

$ airflow connections get first-connection
Id: null
Conn Id: first-connection
Conn Type: mysql
Host: example.org
Schema: ''
Login: null
Password: null
Port: null
Is Encrypted: null
Is Extra Encrypted: null
Extra: {}
URI: mysql://example.org

      
    

To check the variables is correctly read from the backend secret, you can use airflow variables get:

$ airflow variables get first-variable
secret_content

Clean up¶

To avoid incurring charges to your Google Cloud account for the resources used in this guide, delete secrets by running gcloud beta secrets delete:

gcloud beta secrets delete airflow-connections-first-connection
gcloud beta secrets delete airflow-variables-first-variable