For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
      • AstroFully-managed data operations, powered by Apache Airflow.
      • Astro Private CloudRun Airflow-as-a-service in your environment.
      • Professional ServicesExpert Airflow services for your enterprise's success.
    • Tools
      • Cosmos
      • Orbiter
      • CLI
      • AI SDK
      • Agents
      • Blueprint
      • UpdatesThe State of Airflow 2026See the insights from over 5,800 data practitioners in the full report. Download Now ➔
  • Customers
  • Docs
    • Insights
      • Blog
      • Webinars
      • Resource Library
      • Events
    • Education
      • Academy
      • What is Airflow?
  • Pricing
Get Started Free
    • Overview
      • Create a Deployment
      • Execution mode
      • Worker queues
      • Environment variables
      • Secrets backend
        • AWS Secrets Manager
        • AWS Systems Manager (SSM) Parameter Store
        • Azure Key Vault
        • HashiCorp Vault
        • Google Cloud Secret Manager
    • Book Office Hours

Product

  • Platform Overview
  • Astro
  • Astro Observe
  • Astro Private Cloud
  • Security & Trust
  • Pricing

Tools & Services

  • Cosmos
  • Docs
  • Professional Services
  • Product Updates

Use Cases

  • AI Ops
  • Data Observability
  • ETL/ELT
  • ML Ops
  • Operational Analytics
  • All Use Cases

Industries

  • Financial Services
  • Gaming
  • Retail
  • Manufacturing
  • Healthcare
  • All Industries

Resources

  • Academy
  • eBooks & Guides
  • Blog
  • Webinars
  • Events
  • The Data Flowcast Podcast
  • All Resources

Airflow

  • What is Airflow
  • Airflow on Astro
  • Airflow 3.0
  • Airflow Upgrades
  • Airflow Use Cases
  • Airflow 2.x End of Life

Company

  • Our Story
  • Customers
  • Newsroom
  • Careers
  • Contact

Support

  • Knowledge Base
  • Status
  • Contact Support
GitHubYouTubeLinkedInx
  • Legal
  • Privacy
  • Terms of Service
  • Consent Preferences

  • Do Not Sell or Share My Personal information
  • Limit the Use Of My Sensitive Personal Information

Apache Airflow®, Airflow, and the Airflow logo are trademarks of the Apache Software Foundation. Copyright © Astronomer 2026. All rights reserved.

LogoLogo
On this page
  • Prerequisites
  • Step 1: Create an Airflow variable or connection in Google Cloud Secret Manager
  • Step 2: Set up GCP Secret Manager locally
  • Step 3: (Astro Only) Configure Secret Manager on Astro using Workload Identity (Recommended)
  • Step 4: Configure Secret Manager on Astro using a service account JSON key file
Manage DeploymentsSecrets backend

Set up Google Cloud Secret Manager as your secrets backend

Edit this page
Built with

This topic provides setup steps for configuring Google Cloud Secret Manager as a secrets backend on Astro.

If you use a different secrets backend tool or want to learn the general approach on how to integrate one, see Configure a Secrets Backend.

Prerequisites

  • A Deployment.
  • The Astro CLI.
  • An Astro project.
  • Cloud SDK.
  • A Google Cloud environment with Secret Manager configured.
  • A service account with the Secret Manager Secret Accessor role on Google Cloud.
  • (Optional) A JSON service account key for the service account. This is required to provide access to a secrets backend from a local machine, or when you’re not using Workload Identity.
  • (Remote Execution Only) Helm installed
  • (Remote Execution Only) The values.yaml file from the Register Agents modal in your Deployments>Agents page.

Step 1: Create an Airflow variable or connection in Google Cloud Secret Manager

To start, create an Airflow variable or connection in Google Cloud Secret Manager that you want to store as a secret. You can use the Cloud Console or the gcloud CLI.

Secrets must be formatted such that:

  • Airflow variables are set as airflow-variables-<variable-key>.
  • Airflow connections are set as airflow-connections-<connection-id>.

For example, to add an Airflow variable with a key my-secret-variable, you run the following gcloud CLI command:

1gcloud secrets create airflow-variables-<my-secret-variable> \
2    --replication-policy="automatic"

For more information on creating secrets in Google Cloud Secret Manager, read the Google Cloud documentation.

Step 2: Set up GCP Secret Manager locally

Astro
Remote Execution

  1. Copy the complete JSON service account key for the service account that you want to use to access Secret Manager.

  2. Add the following environment variables to your Astro project’s .env file, replacing <your-service-account-key> with the key you copied in Step 1:

    AIRFLOW__SECRETS__BACKEND=airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend
    AIRFLOW__SECRETS__BACKEND_KWARGS={"connections_prefix": "airflow-connections", "variables_prefix": "airflow-variables", "gcp_keyfile_dict": "<your-service-account-key>"}

  3. (Optional) Run Variable.get("<your-variable-key>") to run a dag locally and confirm that your variables are accessible.

Step 3: (Astro Only) Configure Secret Manager on Astro using Workload Identity (Recommended)

  1. Set up Workload Identity for your Airflow Deployment. See Connect Astro to GCP data sources.

  2. Run the following commands to set the secrets backend for your Astro Deployment:

    $ astro deployment variable create --deployment-id <your-deployment-id> AIRFLOW__SECRETS__BACKEND=airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend
    $ astro deployment variable create --deployment-id <your-deployment-id> AIRFLOW__SECRETS__BACKEND_KWARGS={"connections_prefix": "airflow-connections", "variables_prefix": "airflow-variables", "project_id": "<your-secret-manager-project-id>"}

  3. (Optional) Remove the environment variables from your .env file or store your .env file in a safe location to protect your credentials in AIRFLOW__SECRETS__BACKEND_KWARGS.

To ensure the security of secrets, the .env variable is only available in your local environment and not in the Astro UI . See Set Environment Variables Locally.

Step 4: Configure Secret Manager on Astro using a service account JSON key file

Astro
Remote Execution

  1. Set up the Secret Manager locally. See Set up GCP Secret Manager locally.

  2. Run the following command to set the SECRET_VAR_SERVICE_ACCOUNT environment variable on your Astro Deployment:

    1astro deployment variable create --deployment-id <your-deployment-id> SECRET_VAR_SERVICE_ACCOUNT="<your-service-account-key>" --secret

  3. (Optional) Remove the environment variables from your .env file or store your .env file in a safe location to protect your credentials in AIRFLOW__SECRETS__BACKEND_KWARGS.