For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
      • AstroFully-managed data operations, powered by Apache Airflow.
      • Astro Private CloudRun Airflow-as-a-service in your environment.
      • Professional ServicesExpert Airflow services for your enterprise's success.
    • Tools
      • Cosmos
      • Orbiter
      • CLI
      • AI SDK
      • Agents
      • Blueprint
      • UpdatesThe State of Airflow 2026See the insights from over 5,800 data practitioners in the full report. Download Now ➔
  • Customers
  • Docs
    • Insights
      • Blog
      • Webinars
      • Resource Library
      • Events
    • Education
      • Academy
      • What is Airflow?
  • Pricing
Get Started Free
    • Astro Private Cloud overview
    • Astro Private Cloud features
      • Configure a secrets backend
        • Hashicorp Vault
        • AWS Secrets Manager
        • AWS Parameter Store
        • Google Cloud Secret Manager
        • Azure Key Vault
      • Configure Kerberos database authentication
      • Third-party ingress controllers
      • Network configuration
      • Bring your own service accounts
      • Configure security contexts
      • Read-only root filesystem
      • TLS certificate management

Product

  • Platform Overview
  • Astro
  • Astro Observe
  • Astro Private Cloud
  • Security & Trust
  • Pricing

Tools & Services

  • Cosmos
  • Docs
  • Professional Services
  • Product Updates

Use Cases

  • AI Ops
  • Data Observability
  • ETL/ELT
  • ML Ops
  • Operational Analytics
  • All Use Cases

Industries

  • Financial Services
  • Gaming
  • Retail
  • Manufacturing
  • Healthcare
  • All Industries

Resources

  • Academy
  • eBooks & Guides
  • Blog
  • Webinars
  • Events
  • The Data Flowcast Podcast
  • All Resources

Airflow

  • What is Airflow
  • Airflow on Astro
  • Airflow 3.0
  • Airflow Upgrades
  • Airflow Use Cases
  • Airflow 2.x End of Life

Company

  • Our Story
  • Customers
  • Newsroom
  • Careers
  • Contact

Support

  • Knowledge Base
  • Status
  • Contact Support
GitHubYouTubeLinkedInx
  • Legal
  • Privacy
  • Terms of Service
  • Consent Preferences

  • Do Not Sell or Share My Personal information
  • Limit the Use Of My Sensitive Personal Information

Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

LogoLogo
On this page
  • Prerequisites
  • Step 1: Write an Airflow variable or connection to Google Cloud Secret Manager
  • Step 2: Set up Secret Manager locally
  • Step 3: Run an example Dag to test Secret Manager locally
  • Step 4: Deploy to Astro Private Cloud
Security and complianceConfigure a secrets backend

Configure Google Cloud Secret Manager as a secrets backend on Astro Private Cloud

Edit this page
Built with

In this section, you’ll learn how to use Google Cloud Secret Manager as a secrets backend on Astro Private Cloud.

Prerequisites

  • A Deployment.
  • The Astro CLI.
  • An Astro project initialized with astro dev init.
  • Cloud SDK.
  • A Google Cloud environment with Secret Manager configured.
  • A service account with the Secret Manager Secret Accessor role on Google Cloud.
  • A JSON service account key for the service account.

Step 1: Write an Airflow variable or connection to Google Cloud Secret Manager

To start, add an Airflow variable or connection as a secret to Google Cloud Secret Manager. You can do so in the Cloud Console or the gcloud CLI.

Secrets must be formatted such that:

  • Airflow variables are set as airflow-variables-<variable-key>.
  • Airflow connections are set as airflow-connections-<connection-id>.

For example, to add an Airflow variable with a key my-secret-variable, you would run the following gcloud CLI command:

1gcloud secrets create airflow-variables-<my-secret-variable> \
2    --replication-policy="automatic"

For more information on creating secrets in Google Cloud Secret Manager, see the Google Cloud documentation.

Step 2: Set up Secret Manager locally

To test Google Secret Manager locally, configure it as a secrets backend in your Astro project.

First, install the Airflow provider for Google by adding the following to your project’s requirements.txt file:

apache-airflow-providers-google

Then, add the following environment variables to your project’s Dockerfile:

1ENV AIRFLOW__SECRETS__BACKEND=airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend
2ENV AIRFLOW__SECRETS__BACKEND_KWARGS={"connections_prefix": "airflow-connections", "variables_prefix": "airflow-variables", "gcp_keyfile_dict": <your-key-file>}

Make sure to paste your entire JSON service account key in place of <your-key-file>. In the next step, you’ll test that this configuration is valid locally.

If you want to deploy your project to a hosted Git repository before deploying to Astronomer, be sure to save <your-key-file> securely. Astronomer recommends adding it to your project’s .env file and specifying this file in .gitignore. When you deploy to Astronomer, you should set these values as secrets in the Astro Private Cloud UI.

Step 3: Run an example Dag to test Secret Manager locally

To test Secret Manager, create a secret containing either an Airflow variable or connection for testing.

Once you create a test secret, write a simple Dag which calls the secret and add this Dag to your project’s dags directory. For example, you can use the following Dag to print the value of a variable to your task logs:

1from datetime import datetime
2
3from airflow import DAG
4from airflow.models import Variable
5from airflow.operators.python import PythonOperator
6
7def print_var():
8    my_var = Variable.get("<your-variable-key>")
9    print(f'My variable is: {my_var}')
10
11with DAG('example_secrets_dags', start_date=datetime(2022, 1, 1), schedule=None) as dag:
12
13  test_task = PythonOperator(
14
15      task_id='test-task',
16      python_callable=print_var,
17)

To test your changes:

  1. Run astro dev stop followed by astro dev start to push your changes to your local Airflow environment.

  2. In the Airflow UI (http://localhost:8080/admin/), trigger your new Dag.

  3. Click test-task > View Logs. If you ran the example Dag above, you should see the contents of your secret in the task logs:

    {logging_mixin.py:109} INFO - My variable is: my-test-variable

Once you confirm that the setup was successful, you can delete this Dag.

Step 4: Deploy to Astro Private Cloud

Once you’ve confirmed that the integration with Google Cloud Secret Manager works locally, you can complete a similar set up with a Deployment on Astro Private Cloud.

  1. In the Astro Private Cloud UI, add the same environment variables found in your Dockerfile to your Deployment environment variables. Specify both AIRFLOW__SECRETS__BACKEND and AIRFLOW__SECRETS__BACKEND_KWARGS as Secret to ensure that your credentials are stored securely.
  2. In your Astro project, delete the environment variables from your Dockerfile.
  3. Deploy your changes to Astro Private Cloud.

You now should be able to see your secret information being pulled from Secret Manager on Astronomer. From here, you can store any Airflow variables or connections as secrets on Secret Manager and use them in your project.