Google OpenID authentication¶
Note
This authentication mechanism only works for Airflow 2.x
You can also configure Google OpenID for authentication. To enable it, set the following option in the configuration:
[api]
auth_backends = airflow.providers.google.common.auth_backend.google_openid
It is also highly recommended to configure an OAuth2 audience so that the generated tokens are restricted to use by Airflow only.
[api]
google_oauth2_audience = project-id-random-value.apps.googleusercontent.com
Warning
User identity is matched by email address
This backend authenticates a request by matching the verified email
claim of the Google ID token against an existing Airflow user’s email. Email
addresses are mutable and can be reassigned between Google identities (for
example when an employee leaves and the address is recycled to a new hire, or
via domain recycling). The immutable sub (subject) claim is not consulted,
so a Google identity that comes to hold a previously-used address could
authenticate as the Airflow user still mapped to it.
Treat the email-to-user mapping as part of your identity lifecycle:
deprovision (or re-map) the Airflow user whenever its email is reassigned,
and do not recycle an address to a different identity while an Airflow account
is still mapped to it. Restricting google_oauth2_audience to your own
deployment (above) keeps tokens minted for unrelated audiences out of scope.
You can also configure the CLI to send request to a remote API instead of making a query to a local database.
[cli]
api_client = airflow.api.client.json_client
endpoint_url = http://remote-host.example.org/
You can also set up a service account key. If omitted, authorization based on the Application Default Credentials will be used.
[cli]
google_key_path = <KEY_PATH>
You can get the authorization token with the gcloud auth print-identity-token command. An example request
look like the following.
ENDPOINT_URL="http://localhost:8080" AUDIENCE="project-id-random-value.apps.googleusercontent.com" ID_TOKEN="$(gcloud auth print-identity-token "--audiences=${AUDIENCE}")" curl -X GET \ "${ENDPOINT_URL}/api/experimental/pools" \ -H 'Content-Type: application/json' \ -H 'Cache-Control: no-cache' \ -H "Authorization: Bearer ${ID_TOKEN}"