Configure Airflow to use the Keycloak auth manager¶

To use the Keycloak auth manager in your Airflow environment, you must configure it in your Airflow configuration.

Note

These configuration options must be set on the hosts/environments running the Airflow API server.

[core]
auth_manager = airflow.providers.keycloak.auth_manager.keycloak_auth_manager.KeycloakAuthManager

or

export AIRFLOW__CORE__AUTH_MANAGER='airflow.providers.keycloak.auth_manager.keycloak_auth_manager.KeycloakAuthManager'

Additionally, you’ll need to provide some Keycloak-specific configuration options.

Config Options¶

There are a number of configuration options available, which can either be set directly in the airflow.cfg file under an keycloak_auth_manager section or via environment variables using the AIRFLOW__KEYCLOAK_AUTH_MANAGER__<OPTION_NAME> format, for example AIRFLOW__KEYCLOAK_AUTH_MANAGER__REALM = "Airflow". For more information on how to set these options, see https://airflow.apache.org/docs/apache-airflow/stable/howto/set-config.html.

Required config options:¶

client_id. Client ID configured in Keycloak to integrate with Airflow. This client must follow the standard OpenID Connect authentication flow.
client_secret. Secret associated to the client configured in Keycloak to integrate with Airflow.
realm. Realm configured in Keycloak associated to Airflow. This realm define all users, roles, groups and permissions used by Airflow.

Optional config options:¶

server_url. Keycloak server URL. This server URL is used by the Airflow API server to communicate with Keycloak. If the Airflow API server and Keycloak are running in Docker, set “http://host.docker.internal:<PORT>” (default value). You do not need to set this configuration option if you are running Keycloak with Breeze.