Skip to content

Airflow webserver authentication with Google SSO and Helm

Published: at 12:00 AM

I’ve been grappling around to get the Google SSO working on Airflow. There is limited documentation online or a successful case. This post shares how this can be achieved. And this post assumes that you’ve already setup airflow in a chosen environment using official helm chart from Airflow documentation.

Airflow PiPy with google_auth extra

Whichever way you are using to build the airflow custom image, make sure to include below package.

pip3 install apache-airflow[google_auth]

Create OAuth 2.0 credentials on Google cloud console

Head over to your Google cloud console and create OAuth 2.0 credentials by providing the required details. Most notable of them being redirect_uri.

Download the credentials json file that includes information like client_id, client_secret etc.

Changes to your values.yaml

config:
    webserver:
        authenticate: True
        auth_backend: airflow.contrib.auth.backends.google_auth
    google:
        client_id: ''
        client_secret: ''
        oauth_callback_route: '' #where to redirect after a successful login
        domain: company.com
        prompt: <One of : consent, select_account, none or ''>
webserver:
    webserverConfig: |-
        from flask_appbuilder.security.manager import AUTH_OAUTH
        AUTH_TYPE = AUTH_OAUTH
        AUTH_USER_REGISTRATION = True
        AUTH_USER_REGISTRATION_ROLE = 'Viewer' # first user may be Admin
        OAUTH_PROVIDERS = [{
            'name':'google',
            'token_key':'access_token',
            'icon':'fa-google',
            'remote_app': {
               'api_base_url':'https://www.googleapis.com/oauth2/v2/',
               'client_kwargs':{
                 'scope': 'email profile'
               },
               'access_token_url':'https://accounts.google.com/o/oauth2/token',
               'authorize_url':'https://accounts.google.com/o/oauth2/auth',
               'request_token_url': None,
               'client_id': <replace with google client id>,
               'client_secret': <replace with google secret>,
         }
        }]

Helm upgrade or install

Apply the changes and do a logout if required and try to test the login flow with google!