Configure secrets backend | Astronomer Docs

Remote Execution Agents require a secrets backend to securely access Airflow connections and variables. A secrets backend stores sensitive information like passwords, API keys, and database credentials outside of your Deployment and agent configuration files.

secretBackend is the Airflow secrets backend class to use for the Agent. Each supported integration includes the Remote Execution Agent-specific implementation steps:

AWS Secrets Manager
AWS Systems Manager (SSM) Parameter Store
Azure Key Vault
Google Cloud Secret Manager
HashiCorp Vault

It is not recommended for production use cases, but you can also use Airflow’s local filesystem backend as a simpler alternative to an external secrets provider by setting:

1 secretBackend: "airflow.secrets.local_filesystem.LocalFilesystemBackend"

and setting the following environment variable in the Remote Execution Agent’s Helm chart:

1 AIRFLOW__SECRETS__BACKEND_KWARGS: '{"variables_file_path": "/files/var.json", "connections_file_path": "/files/conn.json"}'

The rest of the configuration should be passed as environment variables to the Agent components.