Google OpenID authentication¶

Note

This authentication mechanism only works for Airflow 2.x

You can also configure Google OpenID for authentication. To enable it, set the following option in the configuration:

[api]
auth_backends = airflow.providers.google.common.auth_backend.google_openid

It is also highly recommended to configure an OAuth2 audience so that the generated tokens are restricted to use by Airflow only.

[api]
google_oauth2_audience = project-id-random-value.apps.googleusercontent.com

You can also configure the CLI to send request to a remote API instead of making a query to a local database.

[cli]
api_client = airflow.api.client.json_client
endpoint_url = http://remote-host.example.org/

You can also set up a service account key. If omitted, authorization based on the Application Default Credentials will be used.

[cli]
google_key_path = <KEY_PATH>

You can get the authorization token with the gcloud auth print-identity-token command. An example request look like the following.

ENDPOINT_URL="http://localhost:8080/"

AUDIENCE="project-id-random-value.apps.googleusercontent.com"
ID_TOKEN="$(gcloud auth print-identity-token "--audiences=${AUDIENCE}")"

curl -X GET  \
    "${ENDPOINT_URL}/api/experimental/pools" \
    -H 'Content-Type: application/json' \
    -H 'Cache-Control: no-cache' \
    -H "Authorization: Bearer ${ID_TOKEN}"