Airflow Summit 2025 is coming October 07-09. Register now for early bird ticket!

Google OpenID authentication

Note

This authentication mechanism only works for Airflow 2.x

You can also configure Google OpenID for authentication. To enable it, set the following option in the configuration:

[api]
auth_backends = airflow.providers.google.common.auth_backend.google_openid

It is also highly recommended to configure an OAuth2 audience so that the generated tokens are restricted to use by Airflow only.

[api]
google_oauth2_audience = project-id-random-value.apps.googleusercontent.com

You can also configure the CLI to send request to a remote API instead of making a query to a local database.

[cli]
api_client = airflow.api.client.json_client
endpoint_url = http://remote-host.example.org/

You can also set up a service account key. If omitted, authorization based on the Application Default Credentials will be used.

[cli]
google_key_path = <KEY_PATH>

You can get the authorization token with the gcloud auth print-identity-token command. An example request look like the following.

ENDPOINT_URL="http://localhost:8080/"

AUDIENCE="project-id-random-value.apps.googleusercontent.com"
ID_TOKEN="$(gcloud auth print-identity-token "--audiences=${AUDIENCE}")"

curl -X GET  \
    "${ENDPOINT_URL}/api/experimental/pools" \
    -H 'Content-Type: application/json' \
    -H 'Cache-Control: no-cache' \
    -H "Authorization: Bearer ${ID_TOKEN}"

Was this entry helpful?