Apache Airflow
Apache Software FoundationCI/CD4 credentials
Fernet Key
apache-airflow / fernet-key
Airflow encrypts sensitive connection and variable values at rest with a fernet key. Airflow security documentation covers encryption at rest and secrets backends for workload secrets.
Looks like
pattern[A-Za-z0-9_\-]{43}=Location
airflow.cfgAirflow core fernet_key setting
AIRFLOW__CORE__FERNET_KEYKubernetes Secrets, Helm secrets, cloud secret managers, and Airflow secrets backends
committed airflow.cfg, Helm values, Docker Compose files, and test configs
startup logs and support bundles
Notes
A leaked fernet key plus Airflow metadata database access can decrypt stored connection passwords and variable values.
Webserver Secret Key
apache-airflow / webserver-secret-key
Airflow webserver uses a secret key for signing web sessions and CSRF state. Deployments commonly set this through airflow.cfg or environment variables.
Location
airflow.cfg, webserver_config.pyAirflow webserver secret_key and web UI security configuration
AIRFLOW__WEBSERVER__SECRET_KEYKubernetes Secrets, Helm secrets, and cloud secret managers
committed configs and deployment manifests
Notes
Webserver secret-key rotation invalidates sessions and protects signed UI state.
Connection / Variable Secret
apache-airflow / connection-secret
Airflow stores credentials for external systems as Connections and Variables in the metastore, environment variables, or configured secrets backends. Airflow documents the secrets search path and external secrets backends.
Location
Airflow metadata database storing encrypted connection and variable values
AIRFLOW_CONN_*, AIRFLOW_VAR_*HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, Kubernetes Secrets, and custom backends
DAG configs, local secrets files, airflow.cfg, and Helm values
DAG repositories, tests, and committed connection URIs
task logs, connection debugging, and scheduler/webserver output
Notes
Airflow connection secrets may be cloud keys, database passwords, SSH keys, API tokens, and other downstream credentials used by DAGs.
Web UI User Password
apache-airflow / admin-user-password
Airflow web UI users authenticate through the configured auth manager or webserver auth backend. Local user credentials are deployment-specific and often provisioned by CLI, Helm chart, or secrets backend.
Location
Airflow metadata database user tables for local auth configurations
Airflow webserver UI and APIAIRFLOW_WWW_USER_USERNAME, AIRFLOW_WWW_USER_PASSWORDHelm secrets, Kubernetes Secrets, password vaults, and identity-provider secrets
Docker Compose files, Helm values, and local dev configs
setup output and authentication traces
Notes
There is no universal Airflow administrator password; it is created during deployment or managed by the configured identity provider.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.