# Configure Secret Manager for your environment

[Cloud Composer 3](/composer/docs/composer-3/configure-secret-manager "View this page for Cloud Composer 3") | **Cloud Composer 2** | [Cloud Composer 1](/composer/docs/composer-1/configure-secret-manager "View this page for Cloud Composer 1")

Last updated (UTC): 2025-09-03.

This page shows how to use [Secret Manager](/secret-manager/docs)
to securely store Airflow connections and secrets.

Configure Secret Manager for your environment
---------------------------------------------

This section explains how to configure Secret Manager so that you
can use secrets with your Cloud Composer environment.

### Enable the Secret Manager API

Enable the Secret Manager API in your project, for example with the gcloud CLI:

```bash
gcloud services enable secretmanager.googleapis.com
```

### Configure access control

You must configure access control so that Airflow can access secrets stored in
Secret Manager.

To do so, the service account that accesses secrets must have a role with
the `secretmanager.versions.access` permission. For example,
the **Secret Manager Secret Accessor** role includes this permission.

You can grant this role at the
[Secret, Project, Folder, or Org level](/secret-manager/docs/access-control#least-privilege).

Use one of the following options:

- (Recommended) [Grant this role](/iam/docs/granting-changing-revoking-access#grant-single-role)
  to the [service account of your environment](/composer/docs/composer-2/access-control#service-account).

- Override the service account under which Airflow accesses
  Secret Manager.

  > **Caution:** This method is less advisable, because it requires storing service account credentials in a file, which increases the risk that they might be compromised.

  1. [Grant this role](/iam/docs/granting-changing-revoking-access#grant-single-role) to a service account.
  2. Set the `gcp_key_path` parameter of the [`backend_kwargs` Airflow configuration option](#configure-backend) to point to a JSON file with the service account credentials.

### Enable and configure the Secret Manager backend

1. [Override](/composer/docs/composer-2/override-airflow-configurations) the `[secrets] backend` Airflow configuration option and set it to
   `airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend`.

   > **Caution:** Do not use `airflow.contrib.secrets.gcp_secrets_manager.CloudSecretsManagerBackend`, because this value does not allow you to view logs in the Airflow UI.

2. *(Cloud Composer 2.11.3 with Airflow 2.10.2 and later versions)*
   Make sure that the `[secrets] backends_order` Airflow configuration option
   specifies a secrets search order that has a `custom` secrets backend in
   it. The default value of this option already contains this value.

3. Add optional settings by [overriding](/composer/docs/composer-2/override-airflow-configurations) the `[secrets] backend_kwargs` Airflow
   configuration option.

   The `backend_kwargs` value is the JSON representation of the
   [`backend_kwargs` object](https://airflow.apache.org/docs/apache-airflow-providers-google/stable/secrets-backends/google-cloud-secret-manager-backend.html#backend-parameters)
   with the following fields:

   - `connections_prefix`: prefix of the secret name to read in order to get Connections. The default is `airflow-connections`.
   - `variables_prefix`: prefix of the secret name to read in order to get Variables. The default is `airflow-variables`.
   - `gcp_key_path`: path to the Google Cloud credential JSON file (if not provided, the default service account is used).
   - `gcp_keyfile_dict`: Google Cloud credential JSON dictionary. Mutually exclusive with `gcp_key_path`.
   - `sep`: separator used to concatenate `connections_prefix` and `conn_id`. The default is `-`.
   - `project_id`: Google Cloud project ID where secrets are stored.

   For example, the value of `backend_kwargs` can be:
   `{"project_id": "<project id>", "connections_prefix": "example-connections", "variables_prefix": "example-variables", "sep": "-"}`.

   > **Note:** The `Keyfile Secret Name (in GCP Secret Manager)` option in an Airflow connection is supported only when Secret Manager and Cloud Composer are in the same Google Cloud project.

### Add connections and variables in Secret Manager

Create secrets by following the steps outlined in
[Creating secrets and versions](/secret-manager/docs/creating-and-accessing-secrets).

#### Variables

- Must use the `[variables_prefix][sep][variable_name]` format.
- The default value for `[variables_prefix]` is `airflow-variables`.
- The default separator `[sep]` is `-`.

For example, if the variable name is `example-var`, then the secret name
is `airflow-variables-example-var`.

> **Note:** If you want to use different values for `[variables_prefix]`, `[connection_prefix]` or `[sep]`, use the optional settings as described in the [Enable and configure the Secret Manager backend](#configure-backend) section.

#### Connection names

- Must use the `[connection_prefix][sep][connection_name]` format.
- The default value for `[connection_prefix]` (set with `connections_prefix`) is `airflow-connections`.
- The default separator `[sep]` is `-`.

For example, if the connection name is `exampleConnection`, then the secret
name is `airflow-connections-exampleConnection`.

#### Connection values

- Must use the
  [URI representation](https://airflow.apache.org/docs/apache-airflow/stable/howto/connection.html#generating-connection-uri). For example,
  `postgresql://login:secret@examplehost:9000`.

- The URI must be [URL-encoded](https://www.w3schools.com/tags/ref_urlencode.ASP)
  (percent-encoded). For example, a password that contains a space
  must be URL-encoded as follows:
  `postgresql://login:secret%20password@examplehost:9000`.

Airflow has a
[convenience method](https://airflow.apache.org/docs/apache-airflow/stable/howto/connection.html#generating-connection-uri) for generating connection
URIs. An example of how to encode a complex URL with JSON extras is available
in the [Airflow documentation](https://airflow.apache.org/docs/apache-airflow-providers-mysql/stable/connections/mysql.html).

Use Secret Manager with Cloud Composer
--------------------------------------

When fetching variables and connections, Cloud Composer checks
Secret Manager first. If the requested variable or connection is not
found, Cloud Composer then checks the environment variables and
the Airflow database.

> **Note:** For security reasons, variables and connections from Secret Manager are not visible in the Airflow UI.

### Read variables using Jinja templating

You can use Secret Manager to read variables with
[Jinja templating](https://airflow.apache.org/docs/apache-airflow/stable/tutorial.html#templating-with-jinja) for templated operator fields
(resolved at execution time).

For the `airflow-variables-secret_filename` secret:

```python
# Resolved by the secrets backend when the task runs, not when the DAG file is parsed.
file_name = '{{ var.value.secret_filename }}'
```

### Read variables using custom operators and callbacks

You can also use Secret Manager to read variables in custom
operators or in callback methods of operators. Reading variables in
top-level DAG code (which runs every time the DAG file is parsed) can negatively impact performance, so use Jinja templates
if you want to use variables in your DAGs.

For example, for the `airflow-variables-secret_filename` secret:

```python
from airflow.models.variable import Variable

# Looks up the airflow-variables-secret_filename secret through the configured backend.
file_name = Variable.get('secret_filename')
```

### Read connections

Unless you are writing a custom operator, you should rarely need to
access connections directly. Most hooks get the connection name as their
instantiation parameter, and retrieve connections from the secrets
backend automatically when tasks are executed.

Reading connections directly may be useful when writing your own hook.

For example, for the `airflow-connections-exampleConnection` connection:

```python
# airflow.hooks.base is the Airflow 2 import path (airflow.hooks.base_hook is deprecated).
from airflow.hooks.base import BaseHook

# Looks up the airflow-connections-exampleConnection secret through the configured backend.
exampleConnection = BaseHook.get_connection('exampleConnection')
```

`BaseHook.get_connection` returns a `Connection` object. It is
possible to get the URI string representation of a connection like this:

```python
exampleConnectionUri = BaseHook.get_connection('exampleConnection').get_uri()
```

What's next
-----------

- [Override Airflow configuration options](/composer/docs/composer-2/override-airflow-configurations)
- [Access the Airflow REST API](/composer/docs/composer-2/access-airflow-api)
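The `backend_kwargs` settings, the secret naming convention and the URL-encoding rule for connection values described above fit together in the following helper, added here as an example; it is not code from the Cloud Composer documentation or from the Airflow Google provider. It builds the JSON value for `[secrets] backend_kwargs` (refusing the mutually exclusive `gcp_key_path` and `gcp_keyfile_dict` together), derives the secret ID the backend will read for a given Variable or Connection, and percent-encodes a connection URI. The Secret Manager secret-ID rule it checks (letters, digits, `_` and `-`, at most 255 characters) is an assumption stated in the code, not something the page gives.

```python
"""Added example: helpers for the Secret Manager backend configuration.

Not Cloud Composer or Airflow provider code. Assumes Secret Manager secret IDs
match [A-Za-z0-9_-]{1,255}; everything else follows the documented backend
defaults (airflow-connections / airflow-variables, separator "-").
"""
import json
import re
from urllib.parse import quote

# Assumed Secret Manager secret-ID rule: letters, digits, "_" and "-", 1-255 chars.
SECRET_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,255}$")

# Documented defaults of the CloudSecretManagerBackend.
DEFAULTS = {
    "connections_prefix": "airflow-connections",
    "variables_prefix": "airflow-variables",
    "sep": "-",
}


def build_backend_kwargs(project_id, connections_prefix=None, variables_prefix=None,
                         sep=None, gcp_key_path=None, gcp_keyfile_dict=None):
    """Return the JSON string to set as the [secrets] backend_kwargs option.

    Leaving gcp_key_path and gcp_keyfile_dict unset keeps the environment's
    own service account in use, which is the recommended setup.
    """
    if gcp_key_path and gcp_keyfile_dict:
        raise ValueError("gcp_key_path and gcp_keyfile_dict are mutually exclusive")
    kwargs = {
        "project_id": project_id,
        "connections_prefix": connections_prefix or DEFAULTS["connections_prefix"],
        "variables_prefix": variables_prefix or DEFAULTS["variables_prefix"],
        "sep": sep or DEFAULTS["sep"],
    }
    if gcp_key_path:
        kwargs["gcp_key_path"] = gcp_key_path
    if gcp_keyfile_dict:
        kwargs["gcp_keyfile_dict"] = gcp_keyfile_dict
    return json.dumps(kwargs)


def secret_name(kind, name, backend_kwargs_json=None):
    """Secret ID the backend reads for a Variable or Connection.

    kind is "variable" or "connection". The result is <prefix><sep><name>,
    for example airflow-variables-example-var with the defaults.
    """
    cfg = dict(DEFAULTS)
    if backend_kwargs_json:
        cfg.update(json.loads(backend_kwargs_json))
    prefix_key = {"variable": "variables_prefix", "connection": "connections_prefix"}[kind]
    secret_id = f"{cfg[prefix_key]}{cfg['sep']}{name}"
    if not SECRET_ID_RE.match(secret_id):
        raise ValueError(f"{secret_id!r} is not a valid Secret Manager secret ID")
    return secret_id


def connection_uri(scheme, login, password, host, port=None):
    """Build a percent-encoded Airflow connection URI to store as the secret value.

    Login and password are encoded with no safe characters, so ':', '@', '/'
    or a space inside a password cannot be misread as URI syntax.
    """
    auth = f"{quote(login, safe='')}:{quote(password, safe='')}"
    netloc = f"{host}:{port}" if port else host
    return f"{scheme}://{auth}@{netloc}"


if __name__ == "__main__":
    kwargs = build_backend_kwargs("my-project", connections_prefix="example-connections")
    print(kwargs)
    print(secret_name("variable", "example-var"))
    print(secret_name("connection", "exampleConnection", kwargs))
    print(connection_uri("postgresql", "login", "secret password", "examplehost", 9000))
```

Feed the output of `build_backend_kwargs` to the `[secrets] backend_kwargs` override, and use `secret_name` to check that the secret you create in Secret Manager is the one the backend will actually look for after any prefix or separator change.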
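The lookup order described in "Use Secret Manager with Cloud Composer" (Secret Manager, then environment variables, then the Airflow database) is modelled in the following added example, which is not Cloud Composer or Airflow code. The three stores are constructed in-memory dictionaries; the `AIRFLOW_VAR_<KEY>` / `AIRFLOW_CONN_<ID>` names are Airflow's real environment-variable convention, and the secret names use the page's default `airflow-variables-` / `airflow-connections-` prefixes. Besides resolving a value, it lists variables that exist in more than one store, since a lower-priority copy is never read and is usually a stale value worth removing.

```python
"""Added example: model of Cloud Composer's variable/connection lookup order.

Not Cloud Composer or Airflow code. The stores below are constructed samples
standing in for Secret Manager, the worker's process environment and the
Airflow metadata database.
"""

VARIABLES_PREFIX = "airflow-variables"
CONNECTIONS_PREFIX = "airflow-connections"
SEP = "-"

SECRET_MANAGER = {
    "airflow-variables-secret_filename": "report.csv",
    "airflow-connections-exampleConnection": "postgresql://login:secret%20password@examplehost:9000",
}
ENVIRONMENT = {
    "AIRFLOW_VAR_SECRET_FILENAME": "stale-copy.csv",  # never read: Secret Manager wins
    "AIRFLOW_VAR_REGION": "us-central1",
}
METADATA_DB = {
    "variables": {"region": "europe-west1", "legacy_flag": "true"},
    "connections": {"dbConn": "mysql://user:pw@dbhost:3306"},
}


def resolve_variable(key, secrets=SECRET_MANAGER, env=ENVIRONMENT, db=METADATA_DB):
    """Return (value, source) for an Airflow Variable, or (None, None) if unset."""
    name = f"{VARIABLES_PREFIX}{SEP}{key}"
    if name in secrets:
        return secrets[name], "secret_manager"
    env_key = f"AIRFLOW_VAR_{key.upper()}"  # Airflow's environment-variable convention
    if env_key in env:
        return env[env_key], "environment"
    if key in db["variables"]:
        return db["variables"][key], "metadata_db"
    return None, None


def resolve_connection(conn_id, secrets=SECRET_MANAGER, env=ENVIRONMENT, db=METADATA_DB):
    """Return (uri, source) for an Airflow Connection, or (None, None) if unset."""
    name = f"{CONNECTIONS_PREFIX}{SEP}{conn_id}"
    if name in secrets:
        return secrets[name], "secret_manager"
    env_key = f"AIRFLOW_CONN_{conn_id.upper()}"
    if env_key in env:
        return env[env_key], "environment"
    if conn_id in db["connections"]:
        return db["connections"][conn_id], "metadata_db"
    return None, None


def shadowed_variables(secrets=SECRET_MANAGER, env=ENVIRONMENT, db=METADATA_DB):
    """Variables defined in more than one store, with sources in priority order.

    Keys are compared lower-cased because environment-variable names lose
    the original case of the Airflow key.
    """
    prefix = f"{VARIABLES_PREFIX}{SEP}"
    sources = {
        "secret_manager": {k[len(prefix):].lower() for k in secrets if k.startswith(prefix)},
        "environment": {k[len("AIRFLOW_VAR_"):].lower() for k in env if k.startswith("AIRFLOW_VAR_")},
        "metadata_db": {k.lower() for k in db["variables"]},
    }
    result = {}
    for key in sorted(set().union(*sources.values())):
        where = [src for src, keys in sources.items() if key in keys]
        if len(where) > 1:
            result[key] = where
    return result


if __name__ == "__main__":
    for key in ("secret_filename", "region", "legacy_flag", "missing"):
        print(key, resolve_variable(key))
    print("exampleConnection", resolve_connection("exampleConnection"))
    print("shadowed:", shadowed_variables())
```

Because Secret Manager values are not shown in the Airflow UI, the `source` returned here is the kind of information to log when debugging a task that picks up an unexpected value: a leftover copy in the environment or the metadata database only takes effect once the secret is deleted.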