Configure the CLIAuthenticate to cloud services

Authenticate Astro to Azure

Prerequisites

Retrieve Azure user credentials locally

Run the following command to obtain your user credentials locally:

1az login

The CLI provides you with a link to a webpage where you authenticate to your Azure account. Once you complete the login, the CLI stores your user credentials in your local Azure configuration folder. The developer account credentials are used in place of the credentials associated with the Registered Application (Service Principal) in Microsoft Entra ID.

The default location of the Azure configuration folder depends on your operating system:

  • Linux: $HOME/.azure/
  • Mac: /Users/<username>/.azure
  • Windows: %USERPROFILE%/.azure/

Configure your Astro project

For Airflow 3, use the provided docker-compose.override.yml. For Airflow 2, replace api-server with webserver and remove the dag-processor block.

The Astro CLI runs Airflow in a Docker-based environment. To give Airflow access to your credential files, mount the .azure folder as a volume in Docker.

  1. In your Astro project, create a file named docker-compose.override.yml with the following configuration:
1version: "3.1"
2services:
3  scheduler:
4    volumes:
5      - /Users/<username>/.azure:/usr/local/airflow/.azure:rw
6  api-server:
7    volumes:
8      - /Users/<username>/.azure:/usr/local/airflow/.azure:rw
9  triggerer:
10    volumes:
11      - /Users/<username>/.azure:/usr/local/airflow/.azure:rw
12  dag-processor:
13    volumes:
14      - /Users/<username>/.azure:/usr/local/airflow/.azure:rw
  1. Add the following lines after the FROM line in your Dockerfile to install the Azure CLI inside your Astro Runtime image:
1# FROM ...
2USER root
3RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash
4USER ASTRO

If you’re using an Apple M1 Mac, you must use thelinux/amd64 distribution of Astro Runtime. Replace the first line in the Dockerfile of your Astro project with:

FROM --platform=linux/amd64 quay.io/astronomer/astro-runtime:<version>
  1. Add the following environment variable to your .env file. Make sure the file path is the same volume location you configured in docker-compose.override.yml:
AZURE_CONFIG_DIR=/usr/local/airflow/.azure

When you run Airflow locally, all Azure connections without defined credentials automatically fall back to your user credentials when connecting to Azure. Airflow applies and overrides user credentials for Azure connections in the following order:

  • Mounted user credentials in /~/.azure.
  • Configurations in azure_client_id, azure_tenant_id, and azure_client_secret.
  • An explicit username & password provided in the connection.

For example, if you completed the configuration in this document and then created a new Azure connection with its own username and password, Airflow would use those credentials instead of the credentials in ~/.azure/config.

Test your credentials with a secrets backend

Now that Airflow has access to your user credentials, you can use them to connect to your cloud services. Use the following example setup to test your credentials by pulling values from different secrets backends.

  1. Create a secret for an Airflow variable or connection in Azure Key Vault. All Airflow variables and connection keys must be prefixed with the following strings respectively:

    • airflow-variables-<my_variable_name>
    • airflow-connections-<my_connection_name>

    For example, to use a secret named mysecretvar in your dag, you must name the secret airflow-variables-mysecretvar.

    You will need to store your connection in URI format.

  2. In your Astro project, add the following line to Astro project requirements.txt file:

    apache-airflow-providers-microsoft-azure

  3. Add the following environment variables to your Astro project .env file. For additional configuration options, see the Apache Airflow documentation. Make sure to specify your vault_url.

    AIRFLOW__SECRETS__BACKEND=airflow.providers.microsoft.azure.secrets.key_vault.AzureKeyVaultBackend
    AIRFLOW__SECRETS__BACKEND_KWARGS={"connections_prefix": "airflow-connections", "variables_prefix": "airflow-variables", "vault_url": "<your-vault-url>"}

    By default, this setup requires that you prefix any secret names in Key Vault with airflow-connections or airflow-variables. If you don’t want to use prefixes in your Key Vault secret names, set the values for "connections_prefix" and "variables_prefix" to "" within AIRFLOW__SECRETS__BACKEND_KWARGS. The vault_url can be found on the overview page of your Key vault under Vault URI.

  4. Run the following command to start Airflow locally:

    1astro dev start

  5. Access the Airflow UI at localhost:8080 and create an Airflow Azure connection named azure_standard with no credentials. See Connections.

    When you use this connection in your dag, it will fall back to using your configured user credentials.

  6. Add a dag which uses the secrets backend to your Astro project dags directory. You can use the following example dag to retrieve a value from airflow/variables and print it to the terminal:

    1from airflow.models.dag import DAG
    2from airflow.hooks.base import BaseHook
    3from airflow.models import Variable
    4from airflow.decorators import task
    5from datetime import datetime
    6
    7with DAG(
    8    'example_secrets_dag',
    9    start_date=datetime(2022, 1, 1),
    10    schedule=None
    11):
    12
    13    @task
    14    def print_var():
    15        my_var = Variable.get("mysecretvar")
    16        print(f"My secret variable is: {my_var}")
    17
    18        conn = BaseHook.get_connection(conn_id="mysecretconnection")
    19        print(f"My secret connection is: {conn.get_uri()}")
    20
    21    print_var()

  7. In the Airflow UI, unpause your dag and click Play to trigger a dag run.

  8. View logs for your dag run. If the connection was successful, your masked secrets appear in your logs. See Airflow logging.

Secrets in logs