For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
      • AstroFully-managed data operations, powered by Apache Airflow.
      • Astro Private CloudRun Airflow-as-a-service in your environment.
      • Professional ServicesExpert Airflow services for your enterprise's success.
    • Tools
      • Cosmos
      • Orbiter
      • CLI
      • AI SDK
      • Agents
      • Blueprint
      • UpdatesThe State of Airflow 2026See the insights from over 5,800 data practitioners in the full report. Download Now ➔
  • Customers
  • Docs
    • Insights
      • Blog
      • Webinars
      • Resource Library
      • Events
    • Education
      • Academy
      • What is Airflow?
  • Pricing
Get Started Free
    • Overview
      • Create a Deployment
      • Execution mode
        • Overview
        • Shared responsibility model
        • Get started
          • Configure OpenLineage
          • Enable Sentinel monitoring
          • Install in restricted Kubernetes namespace
          • Set up custom timetable support
          • Configure AWS PrivateLink
          • Configure Azure Private Link
        • Deploy Remote Execution project
        • Deploy a dbt project
        • Helm chart reference
      • Worker queues
      • Environment variables
      • Secrets backend
    • Book Office Hours

Product

  • Platform Overview
  • Astro
  • Astro Observe
  • Astro Private Cloud
  • Security & Trust
  • Pricing

Tools & Services

  • Cosmos
  • Docs
  • Professional Services
  • Product Updates

Use Cases

  • AI Ops
  • Data Observability
  • ETL/ELT
  • ML Ops
  • Operational Analytics
  • All Use Cases

Industries

  • Financial Services
  • Gaming
  • Retail
  • Manufacturing
  • Healthcare
  • All Industries

Resources

  • Academy
  • eBooks & Guides
  • Blog
  • Webinars
  • Events
  • The Data Flowcast Podcast
  • All Resources

Airflow

  • What is Airflow
  • Airflow on Astro
  • Airflow 3.0
  • Airflow Upgrades
  • Airflow Use Cases
  • Airflow 2.x End of Life

Company

  • Our Story
  • Customers
  • Newsroom
  • Careers
  • Contact

Support

  • Knowledge Base
  • Status
  • Contact Support
GitHubYouTubeLinkedInx
  • Legal
  • Privacy
  • Terms of Service
  • Consent Preferences

  • Do Not Sell or Share My Personal information
  • Limit the Use Of My Sensitive Personal Information

Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

LogoLogo
On this page
  • Prerequisites
  • Authorize the scheduler
  • Verify the configuration
  • See also
Manage DeploymentsRemote ExecutionAdvanced configuration

Set up custom timetable support for Remote Execution

Edit this page
Built with
Airflow 3

This feature is only available for Airflow 3.x Deployments.

When Dags use custom timetables that connect to external data sources, such as querying Snowflake for scheduling metadata, the scheduler must retrieve connection credentials from your secrets backend at schedule time.

When you configure Customer Managed Identity for a Remote Execution Deployment, the setup only authorizes the apiserver to access your cloud resources for reading task logs. To support custom timetables, the scheduler also needs authorization to access your secrets backend.

Without this configuration, the scheduler can’t retrieve connections from the secrets backend, causing errors like:

airflow.exceptions.AirflowNotFoundException: The conn_id `<connection-id>` isn't defined

Prerequisites

  • A Remote Execution Deployment with Customer Managed Identity configured.
  • A secrets backend configured for your Remote Execution Agent.

Authorize the scheduler

Extend your existing Customer Managed Identity configuration to include the scheduler service account. This is the same process used when you first configured workload identity for the apiserver.

AWS
GCP
Azure

No additional configuration is required. The default Customer Managed Identity setup for AWS uses a wildcard pattern in the IAM trust policy that authorizes all service accounts in the Deployment namespace, including the scheduler:

1"<clusterOIDCIssuerUrl>:sub": "system:serviceaccount:<deployment-namespace>:*"

If you specified individual service accounts instead of using a wildcard, add the scheduler service account to your IAM trust policy:

1"<clusterOIDCIssuerUrl>:sub": "system:serviceaccount:<deployment-namespace>:<deployment-namespace>-scheduler-serviceaccount"

Verify the configuration

After updating your workload identity configuration, verify that the scheduler can retrieve connections:

  1. Check the scheduler logs for authentication errors. Cloud-specific errors such as AADSTS700213: No matching federated identity record found (Azure) or AccessDenied (AWS/GCP) should no longer appear.
  2. Trigger a Dag that uses a custom timetable dependent on a connection from your secrets backend. The Dag should schedule without AirflowNotFoundException errors.

See also

  • Authorize an Astro Deployment to cloud resources using workload identity
  • Configure secrets backend for Remote Execution