Airflow secret backend for k8s role missing "audience" parameter setting which is required from vault 1.21+ #55460

@JJtheNOOB

Description

Official Helm Chart version

1.18.0 (latest released)

Apache Airflow version

2.9

Kubernetes Version

v1.32

Helm Chart configuration


env:
  - name: "AIRFLOW__SECRETS__BACKEND_KWARGS"
    value: |
      {
        "auth_type": "kubernetes",
        "kubernetes_role": "airflow-dev",
        "connections_path": "airflow/connections",
        "variables_path": "airflow/variables",
        "auth_mount_point": "xxxxx",
        "mount_point": "stage",
        "url": "xxxxx"
      }

Docker Image customizations

No response

What happened

No response

What you think should happen instead

Dear airflow community:

Hello!

I would like to raise attention that starting from Vault 1.21+, we will need to set an audience for the k8s role for the secret backend. The warning message looks like this: "A role without an audience was used to authenticate into Vault. Vault v1.21+ will require roles to have an audience."

Below are our current Airflow secret backend settings used in the values.yaml file:


env:
  - name: "AIRFLOW__SECRETS__BACKEND_KWARGS"
    value: |
      {
        "auth_type": "kubernetes",
        "kubernetes_role": "airflow-dev",
        "connections_path": "airflow/connections",
        "variables_path": "airflow/variables",
        "auth_mount_point": "xxxxx",
        "mount_point": "stage",
        "url": "xxxxx"
      }

This works currently, but we are seeing the above warning messages. Adding the "audience" parameter suppresses the warning; however, it also makes Airflow no longer able to connect to the Vault secret backend. Confirming we had done proper setup on both the Vault side and the k8s side. Either I am missing something or this feature was not yet released by Airflow.

I am looking forward to seeing if someone could add, test and release the audience parameter to ensure it will allow k8s roles to properly access the Vault secret backend. Thank you!

How to reproduce

  1. Set up the Airflow Helm chart
  2. Set up Vault
  3. Connect Airflow with the Vault secret backend using the env variables provided

Anything else

No response

Are you willing to submit PR?

  • Yes I am willing to submit a PR!
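
A diagnostic for the failure described above, as an added example that is not part of the original issue or of Airflow's code: when a Vault Kubernetes auth role has an audience set, the service account JWT presented at login must carry that value in its `aud` claim. It assumes the audience was set on the Vault role; the sample token, the role audience values and the helper names are constructed for illustration.

```python
import base64
import json

# Default mount path of the service account token inside a pod.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload without verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_audiences(token: str) -> list:
    """Return the aud claim as a list; RFC 7519 allows a string or an array."""
    aud = jwt_claims(token).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def audience_matches(token: str, role_audience: str) -> bool:
    """True when the audience configured on the Vault role is present in the token."""
    return role_audience in token_audiences(token)


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo (constructed, not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"


# Constructed sample: a projected token whose audience is the cluster API server.
SAMPLE_TOKEN = constructed_token({
    "aud": ["https://kubernetes.default.svc.cluster.local"],
    "sub": "system:serviceaccount:airflow:airflow-worker",
})

if __name__ == "__main__":
    # Inside a pod, read the real token instead: open(SA_TOKEN_PATH).read()
    for role_aud in ("https://kubernetes.default.svc.cluster.local", "vault"):
        ok = audience_matches(SAMPLE_TOKEN, role_aud)
        print(f"role audience {role_aud!r}: {'match' if ok else 'MISMATCH'} "
              f"(token aud={token_audiences(SAMPLE_TOKEN)})")
```

If the role's audience is absent from the token's `aud` list, either the role value or the audience of the pod's projected token volume has to change so that the two agree.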
