Set up custom timetable support for Remote Execution
Airflow 3
This feature is only available for Airflow 3.x Deployments.
When Dags use custom timetables that connect to external data sources, such as querying Snowflake for scheduling metadata, the scheduler must retrieve connection credentials from your secrets backend at schedule time.
When you configure Customer Managed Identity for a Remote Execution Deployment, the setup only authorizes the apiserver to access your cloud resources for reading task logs. To support custom timetables, the scheduler also needs authorization to access your secrets backend.
Without this configuration, the scheduler can’t retrieve connections from the secrets backend, causing errors like:
Prerequisites
- A Remote Execution Deployment with Customer Managed Identity configured.
- A secrets backend configured for your Remote Execution Agent.
Authorize the scheduler
Extend your existing Customer Managed Identity configuration to include the scheduler service account. This is the same process used when you first configured workload identity for the apiserver.
AWS
No additional configuration is required. The default Customer Managed Identity setup for AWS uses a wildcard pattern in the IAM trust policy that authorizes all service accounts in the Deployment namespace, including the scheduler:
If you specified individual service accounts instead of using a wildcard, add the scheduler service account to your IAM trust policy:
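To check whether a given trust policy authorizes the scheduler, the following added example (not from the original page or from Astronomer) evaluates the `:sub` conditions of a web-identity trust policy against a service account subject. It assumes the policy uses `sts:AssumeRoleWithWebIdentity` with a Kubernetes subject of the form `system:serviceaccount:<namespace>:<name>`; the provider, account ID, namespace and service account names are constructed placeholders.

```python
import re

def iam_string_like(pattern, value):
    """IAM StringLike: '*' = any run of characters, '?' = one character, case-sensitive."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, flags=re.DOTALL) is not None

def subject_allowed(policy, subject):
    """True if an Allow statement for sts:AssumeRoleWithWebIdentity accepts `subject`.
    Only conditions on the OIDC ':sub' claim are evaluated (assumption: other
    condition keys such as ':aud' and any Deny statements are out of scope here)."""
    operators = {"StringEquals": lambda p, v: p == v, "StringLike": iam_string_like}
    statements = policy.get("Statement", [])
    for st in [statements] if isinstance(statements, dict) else statements:
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        matched = True
        for op, match in operators.items():
            for key, allowed in st.get("Condition", {}).get(op, {}).items():
                if key.endswith(":sub"):
                    allowed = [allowed] if isinstance(allowed, str) else allowed
                    # Values under one key are OR'ed; separate keys/operators are AND'ed.
                    matched = matched and any(match(p, subject) for p in allowed)
        if matched:
            return True
    return False

def trust_policy(sub_condition):
    """Builds a constructed trust policy; provider ARN and account ID are placeholders."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.example.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": sub_condition}]}

NS = "system:serviceaccount:example-deployment-namespace"   # hypothetical namespace
SCHEDULER = f"{NS}:example-scheduler"                       # hypothetical service account
APISERVER = f"{NS}:example-apiserver"                       # hypothetical service account

WILDCARD = trust_policy({"StringLike": {"oidc.example.com:sub": f"{NS}:*"}})
EXPLICIT = trust_policy({"StringEquals": {"oidc.example.com:sub": [APISERVER]}})
FIXED = trust_policy({"StringEquals": {"oidc.example.com:sub": [APISERVER, SCHEDULER]}})

if __name__ == "__main__":
    for name, pol in [("wildcard", WILDCARD), ("explicit", EXPLICIT), ("fixed", FIXED)]:
        print(f"{name:9} scheduler authorized: {subject_allowed(pol, SCHEDULER)}")
```

The explicit policy that lists only the apiserver is the case that leaves the scheduler unauthorized; listing both subjects keeps the trust scoped to named service accounts rather than the whole namespace.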
Verify the configuration
After updating your workload identity configuration, verify that the scheduler can retrieve connections:
- Check the scheduler logs for authentication errors. Cloud-specific errors such as AADSTS700213: No matching federated identity record found (Azure) or AccessDenied (AWS/GCP) should no longer appear.
- Trigger a Dag that uses a custom timetable dependent on a connection from your secrets backend. The Dag should schedule without AirflowNotFoundException errors.