Azure Key Vault Backend

To enable the Azure Key Vault as secrets backend, specify AzureKeyVaultBackend as the backend in [secrets] section of airflow.cfg.

Here is a sample configuration:

backend =
backend_kwargs = {"connections_prefix": "airflow-connections", "variables_prefix": "airflow-variables", "vault_url": ""}

For client authentication, the DefaultAzureCredential from the Azure Python SDK is used as credential provider, which supports service principal, managed identity and user credentials.

For example, to specify a service principal with secret you can set the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET.

Optional lookup

Optionally connections, variables, or config may be looked up exclusive of each other or in any combination. This will prevent requests being sent to Azure Key Vault for the excluded type.

If you want to look up some and not others in Azure Key Vault you may do so by setting the relevant *_prefix parameter of the ones to be excluded as null.

For example, if you want to set parameter connections_prefix to "airflow-connections" and not look up variables, your configuration file should look like this:

backend =
backend_kwargs = {"connections_prefix": "airflow-connections", "variables_prefix": null, "vault_url": ""}

Storing and Retrieving Connections

If you have set connections_prefix as airflow-connections, then for a connection id of smtp_default, you would want to store your connection at airflow-connections-smtp-default.

The value of the secret must be the connection URI representation of the connection object.

Storing and Retrieving Variables

If you have set variables_prefix as airflow-variables, then for an Variable key of hello, you would want to store your Variable at airflow-variables-hello.


There are 3 ways to authenticate Azure Key Vault backend.

  1. Set tenant_id, client_id, client_secret (using ClientSecretCredential)

  2. Set managed_identity_client_id, workload_identity_tenant_id (using DefaultAzureCredential with these arguments)

  3. Not providing extra connection configuration for falling back to DefaultAzureCredential


For more details on client authentication refer to the DefaultAzureCredential Class reference.

Was this entry helpful?