Configure an external secrets backend on Astro

Apache Airflow variables and connections often contain sensitive information about your external systems that should be kept secret in a secure, centralized location that complies with your organization's security requirements.

While secret values of Airflow variables and connections are encrypted in the Airflow metadata database of every Deployment, Astronomer recommends integrating with a secrets backend tool.

Benefits

Integrating a secrets backend tool with Astro allows you to:

  • Store Airflow variables and connections in a centralized location alongside secrets from other tools and systems used by your organization, including Kubernetes secrets, SSL certificates, and more.
  • Comply with internal security postures and policies that protect your organization.
  • Recover in the case of an incident.
  • Automatically pull Airflow variables and connections that are already stored in your secrets backend when you create a new Deployment instead of having to set them manually in the Airflow UI.

Astro integrates with the following secrets backend tools:

  • Hashicorp Vault
  • AWS Systems Manager Parameter Store
  • AWS Secrets Manager
  • Google Cloud Secret Manager
  • Azure Key Vault

Secrets backend integrations are configured individually with each Astro Deployment.

info

If you enable a secrets backend on Astro, you can continue to define Airflow variables and connections either as environment variables or in the Airflow UI as needed. If set via the Airflow UI, variables and connections are stored as encrypted values in Airflow's metadata database.

Airflow checks for the value of an Airflow variable or connection in the following order:

  1. Secrets backend
  2. Environment variable
  3. Airflow metadata database (values set in the Airflow UI)

tip

Setting Airflow connections via secrets requires knowledge of how to generate Airflow connection URIs. If you plan to store Airflow connections on your secrets backend, read the Apache Airflow documentation for guidance on how to generate a connection URI.

Setup

This topic provides setup steps for configuring AWS Secrets Manager as a secrets backend on Astro.

Prerequisites

Add Airflow secrets to Secrets Manager

Create a secret in AWS Secrets Manager for each Airflow variable and connection that you want to store there. You can use real or test values.

  • When setting the secret type, choose Other type of secret and select the Plaintext option.
  • If the secret is a connection URI or a non-dict variable, remove the braces and quotation marks that the console pre-populates in the plaintext field so that only the bare value is stored.
  • The secret name is assigned after providing the plaintext value and clicking Next.

Secret names must match the connections_prefix and variables_prefix that you set in AIRFLOW__SECRETS__BACKEND_KWARGS in the next section. Specifically:

  • If you use "variables_prefix": "airflow/variables", you must set Airflow variable names as:

    airflow/variables/<variable-key>
  • The <variable-key> is how you will retrieve that variable's value in a DAG. For example:

    my_var = Variable.get("<variable-key>")
  • If you use "connections_prefix": "airflow/connections", you must set Airflow connections as:

    airflow/connections/<connection-id>
  • The <connection-id> is how you will retrieve that connection's URI in a DAG. For example:

    conn = BaseHook.get_connection(conn_id="<connection-id>")
  • Do not include a leading / at the beginning of a variable or connection name. The backend looks up <prefix>/<key>, so a leading slash produces a name such as airflow/connections//<connection-id> that is never found.

For more information on adding secrets to Secrets Manager, see AWS documentation.
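The naming rules above and the connection-URI requirement from the tip, worked through in code. This is an added example and not Astronomer's or Airflow's own code: it builds the <prefix>/<key> names, renders a connection URI with percent-encoded credentials, parses it back as a round-trip check, and writes the secrets through a FakeSecretsManager class that is a constructed stand-in for a boto3 Secrets Manager client, so it runs offline with neither the airflow nor the boto3 package installed. The variable keys and values and the hypothetical my_db connection are constructed sample data.

```python
"""Secrets Manager names and Airflow connection URIs for the prefixes in
AIRFLOW__SECRETS__BACKEND_KWARGS. Added example, not Astronomer's or
Airflow's own code; runs offline with neither airflow nor boto3 installed."""
import json
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Must match the values set in AIRFLOW__SECRETS__BACKEND_KWARGS.
CONNECTIONS_PREFIX = "airflow/connections"
VARIABLES_PREFIX = "airflow/variables"


def valid_key(key: str) -> bool:
    """Variable key or connection id: non-empty and no leading '/'.
    The backend requests '<prefix>/<key>', so '/my_db' would become
    'airflow/connections//my_db', a name that is never found."""
    return bool(key) and not key.startswith("/")


def secret_name(prefix: str, key: str) -> str:
    """The exact secret name Airflow will look up for this key."""
    if not valid_key(key):
        raise ValueError(f"bad key {key!r}: must be non-empty, no leading '/'")
    return f"{prefix.rstrip('/')}/{key}"


def connection_uri(conn_type, host, login=None, password=None,
                   port=None, schema=None, extra=None) -> str:
    """Render an Airflow connection URI. Login and password are quoted with
    safe='' because '@', ':' or '/' in a raw password would be parsed as
    part of the host; extras become query parameters."""
    uri = f"{conn_type}://"
    if login is not None:
        uri += quote(login, safe="")
        if password is not None:
            uri += ":" + quote(password, safe="")
        uri += "@"
    uri += host
    if port is not None:
        uri += f":{port}"
    if schema:
        uri += "/" + quote(schema, safe="")
    if extra:
        uri += "?" + urlencode(extra)
    return uri


def parse_connection_uri(uri: str) -> dict:
    """Decode a URI back into its fields, as a round-trip check before upload."""
    p = urlsplit(uri)
    return {
        "conn_type": p.scheme,
        "host": p.hostname,
        "port": p.port,
        "login": unquote(p.username) if p.username is not None else None,
        "password": unquote(p.password) if p.password is not None else None,
        "schema": unquote(p.path.lstrip("/")) or None,
        "extra": {k: v[0] for k, v in parse_qs(p.query).items()},
    }


class FakeSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager'): same call
    shape for create_secret/get_secret_value, but in memory only."""
    def __init__(self):
        self.store = {}

    def create_secret(self, Name, SecretString):
        if Name in self.store:
            raise ValueError(f"ResourceExistsException: {Name}")
        self.store[Name] = SecretString
        return {"Name": Name}

    def get_secret_value(self, SecretId):
        return {"SecretString": self.store[SecretId]}


def store_airflow_secrets(client, variables: dict, connections: dict) -> list:
    """Write plaintext secrets under the prefixes the backend expects. Dict
    variables are stored as JSON (read them with deserialize_json=True);
    everything else is the bare string, i.e. no surrounding braces/quotes."""
    written = []
    for key, value in variables.items():
        body = json.dumps(value) if isinstance(value, dict) else str(value)
        name = secret_name(VARIABLES_PREFIX, key)
        client.create_secret(Name=name, SecretString=body)
        written.append(name)
    for conn_id, uri in connections.items():
        name = secret_name(CONNECTIONS_PREFIX, conn_id)
        client.create_secret(Name=name, SecretString=uri)
        written.append(name)
    return written


def demo():
    """Constructed sample data: two variables and a hypothetical 'my_db'
    Postgres connection whose password contains URI-reserved characters."""
    client = FakeSecretsManager()
    uri = connection_uri("postgresql", "db.internal", login="app_user",
                         password="p@ss:w/rd", port=5432, schema="analytics",
                         extra={"sslmode": "require"})
    assert parse_connection_uri(uri)["password"] == "p@ss:w/rd"
    names = store_airflow_secrets(client,
                                  {"env_name": "prod", "limits": {"rows": 100}},
                                  {"my_db": uri})
    return client, names


if __name__ == "__main__":
    client, names = demo()
    for n in names:
        print(n, "=>", client.get_secret_value(SecretId=n)["SecretString"])
```

To use it against real AWS, pass `boto3.client("secretsmanager", region_name=...)` to store_airflow_secrets in place of the fake; the call shape is the same. The round-trip parse is the check worth keeping: a password with `@` or `:` that is stored unencoded will silently produce a wrong host when Airflow parses the URI.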

Set up Secrets Manager locally

Add the following environment variables to your Astro project's .env file:

AIRFLOW__SECRETS__BACKEND=airflow.providers.amazon.aws.secrets.secrets_manager.SecretsManagerBackend
AIRFLOW__SECRETS__BACKEND_KWARGS={"connections_prefix": "airflow/connections", "variables_prefix": "airflow/variables", "role_arn": "<your-role-arn>", "region_name": "<your-region>"}

You can now run a DAG locally to check that your variables are accessible using Variable.get("<your-variable-key>").

Deploy environment variables to Astro

  1. Run the following commands to export your secrets backend configuration as environment variables to Astro. The single quotes around the second value keep the shell from splitting the JSON on spaces and from stripping its double quotes.

    $ astro deployment variable create --deployment-id <your-deployment-id> AIRFLOW__SECRETS__BACKEND=airflow.providers.amazon.aws.secrets.secrets_manager.SecretsManagerBackend

    $ astro deployment variable create --deployment-id <your-deployment-id> 'AIRFLOW__SECRETS__BACKEND_KWARGS={"connections_prefix": "airflow/connections", "variables_prefix": "airflow/variables", "role_arn": "<your-role-arn>", "region_name": "<your-region>"}' --secret
  2. Optional. Remove the AIRFLOW__SECRETS__BACKEND_KWARGS entry from your .env file, or keep the .env file in a safe location outside version control, so that the values it contains are not exposed.

To further customize the Airflow and AWS Secrets Manager integration, see the full list of available kwargs.