Airflow Connection Encryption Fix
In this tutorial, you'll learn about Airflow Connection Encryption Fix. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
Airflow connection passwords are visible in the UI:
Admin > Connections > click on a connection
Password: mydatabasepassword   # plain text!
Airflow stores connection passwords in its metadata database. When a Fernet key is configured (the fernet_key setting in airflow.cfg, or the AIRFLOW__CORE__FERNET_KEY environment variable), the password and extra fields are encrypted with it before they are written. If fernet_key is empty, passwords are stored in plain text, and the connection's extra JSON may carry unencrypted sensitive data as well.
Step-by-Step Fix
1. Generate and set a Fernet key
WRONG — no Fernet key means unencrypted passwords:
[core]
fernet_key =
RIGHT — generate a Fernet key:
# Generate a Fernet key
python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
# Example output (yours will differ; a real key is a 44-character URL-safe base64 string): 5aU9xVvYnC3y8QzR2wLmNpQrStUvWxYz=
Set it in airflow.cfg:
[core]
fernet_key = 5aU9xVvYnC3y8QzR2wLmNpQrStUvWxYz=
Or via environment variable:
export AIRFLOW__CORE__FERNET_KEY=5aU9xVvYnC3y8QzR2wLmNpQrStUvWxYz=
2. Re-encrypt existing connections
After setting the Fernet key, re-encrypt the existing connections. Connections that were already encrypted can be rotated with the built-in command (airflow rotate-fernet-key, with the old and new keys listed comma-separated in fernet_key); connections that were stored in plain text need to be written back through the model so the setters encrypt them:
# Run as a Python script in the environment where Airflow and the new
# fernet_key (airflow.cfg or AIRFLOW__CORE__FERNET_KEY) are configured
from airflow.models import Connection
from airflow.utils.session import create_session

with create_session() as session:
    for conn in session.query(Connection).all():
        if conn.is_encrypted or conn.is_extra_encrypted:
            conn.rotate_fernet_key()   # already encrypted: re-encrypt with the current key
        else:
            # plain text: re-assigning runs the values through the encrypting setters
            conn.password = conn.password
            conn.extra = conn.extra
        session.merge(conn)
Then restart the webserver and scheduler so they pick up the new key. The exact command depends on how Airflow is run; with systemd, assuming units named like these:
systemctl restart airflow-webserver
systemctl restart airflow-scheduler
3. Mask passwords in the UI
WRONG — with no masking configured, passwords are visible to all Airflow users.
RIGHT — control UI visibility:
[webserver]
show_connection_password = False   # hides password fields in the UI
Users with the "Admin" role can still see passwords. For stricter control:
[webserver]
rbac = True   # role-based access control (an Airflow 1.10 setting; RBAC is always enabled in Airflow 2)
4. Use a Secrets backend
[secrets]
backend = airflow.providers.hashicorp.vault.secrets.vault.VaultBackend
# backend_kwargs is a JSON object on a single line of the ini file
backend_kwargs = {"connections_prefix": "connections", "variables_prefix": "variables", "vault_conn_id": "vault_default", "mount_point": "airflow"}
Then store connections in HashiCorp Vault:
vault kv put airflow/connections/my_db \
conn_type=postgres \
host=db.example.com \
login=admin \
password=supersecret
5. Encrypt connection extras
WRONG — sensitive data in extras:
{
"aws_access_key_id": "AKIAXXX",
"aws_secret_access_key": "supersecret"
}
RIGHT — use the Secrets backend or store only references:
{
"aws_profile": "production",
"role_arn": "arn:aws:iam::123456:role/airflow-role"
}
Use IAM roles or service principals instead of access keys.
6. Use SSL/TLS for database connections
[core]
# Airflow 2.3 and later read sql_alchemy_conn from the [database] section instead
sql_alchemy_conn = postgresql+psycopg2://user:pass@host:5432/airflow?sslmode=require
[celery]
result_backend = db+postgresql://user:pass@host:5432/airflow?sslmode=require
Expected output: connection passwords are stored encrypted in the database.
Prevention
- Always set fernet_key when deploying Airflow in production.
- Mask connection passwords in the UI with show_connection_password = False.
- Use a Secrets backend (Vault, AWS SSM, GCP Secret Manager) for production.
- Enable SSL/TLS for database connections.
- Audit connections regularly for exposed credentials.
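An audit for the last item, added here as an example (it is not from the original page or the Airflow project). It runs over a constructed in-memory copy of the relevant columns of Airflow's connection table and flags passwords stored without encryption and unencrypted extras that carry secret-looking keys; the sensitive-key pattern, the sample rows and the placeholder Fernet token are assumptions, and against a real deployment the query would point at the metadata database.

```python
import json
import re
import sqlite3

# Extra-JSON keys that should never hold raw secrets (pattern assumed for this example)
SENSITIVE_EXTRA_KEY = re.compile(r"password|secret|token|private_key|access_key", re.IGNORECASE)
# A Fernet token starts with version byte 0x80, which base64-encodes to the prefix "gAAAAA";
# Airflow stores the token text in the password column when is_encrypted is set.
FERNET_PREFIX = "gAAAAA"


def audit_connections(db):
    """Return (conn_id, finding) pairs for connections stored insecurely."""
    findings = []
    rows = db.execute(
        "SELECT conn_id, password, is_encrypted, extra, is_extra_encrypted "
        "FROM connection ORDER BY rowid"
    ).fetchall()
    for conn_id, password, is_encrypted, extra, is_extra_encrypted in rows:
        if password and not is_encrypted:
            findings.append((conn_id, "password stored in plain text"))
        elif password and is_encrypted and not password.startswith(FERNET_PREFIX):
            findings.append((conn_id, "is_encrypted set but value is not a Fernet token"))
        if extra and not is_extra_encrypted:
            try:
                extra_json = json.loads(extra)
            except ValueError:
                continue  # malformed extra is a separate problem; skip it here
            bad = sorted(k for k in extra_json if SENSITIVE_EXTRA_KEY.search(k))
            if bad:
                findings.append((conn_id, "unencrypted extra holds sensitive keys: " + ", ".join(bad)))
    return findings


def build_sample_db():
    """Constructed subset of Airflow's connection table with sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE connection (conn_id TEXT, conn_type TEXT, password TEXT, "
               "is_encrypted INTEGER, extra TEXT, is_extra_encrypted INTEGER)")
    db.executemany("INSERT INTO connection VALUES (?, ?, ?, ?, ?, ?)", [
        ("my_db", "postgres", "mydatabasepassword", 0, None, 0),  # saved with fernet_key unset
        ("aws_default", "aws", None, 0,
         '{"aws_access_key_id": "AKIAXXX", "aws_secret_access_key": "supersecret"}', 0),
        ("aws_role", "aws", None, 0, '{"role_arn": "arn:aws:iam::123456:role/airflow-role"}', 0),
        ("warehouse", "postgres", "gAAAAABplaceholderFernetToken", 1, None, 0),  # placeholder token
    ])
    return db


if __name__ == "__main__":
    for conn_id, finding in audit_connections(build_sample_db()):
        print(f"{conn_id}: {finding}")
```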