Apache Airflow before 2.7.1
Go to the Rendered Template page and, in the address bar, replace the encoded symbols of the execution_date parameter with decoded symbols. The page is still shown, but with credentials unmasked.
Sibling pages, in contrast, behave differently: K8s Pod Specs shows an oops page and Log shows an empty log when the execution_date parameter is malformed.
not masked - http://airflow.dev.local/rendered-templates?dag_id=tutorial_taskflow_api&task_id=extract&execution_date=2023-08-17T16%3A15%3A08.189107+00%3A00
masked - http://airflow.dev.local/rendered-templates?dag_id=tutorial_taskflow_api&task_id=extract&execution_date=2023-08-17T16%3A15%3A08.189107%2B00%3A00
Example DAG code:

import json

import pendulum
from airflow.decorators import dag, task
from airflow.models import Variable


@dag(
    schedule=None,
    start_date=pendulum.datetime(2023, 8, 17, tz="UTC"),
    catchup=False,
    tags=["example"],
)
def tutorial_taskflow_api():
    @task()
    def extract(pwd):
        return pwd

    # The value of the secret variable is passed to the task as an argument.
    order_data = extract(pwd=Variable.get('secret_var'))
    print(order_data)


tutorial_taskflow_api()

In the Airflow UI, a variable named secret_var should be added before trying.
Any user who can see a DAG can get access to the secret credentials used by that DAG.
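
Why the two URLs above differ, as an added example (not part of the original report and not Airflow's code or its actual fix): standard query-string decoding turns a literal + into a space, so the first URL delivers a malformed execution_date. The names parse_execution_date_strict and rendered_template_status are hypothetical and sketch a fail-closed check a handler could apply before rendering.

```python
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

BASE = ("http://airflow.dev.local/rendered-templates"
        "?dag_id=tutorial_taskflow_api&task_id=extract&execution_date=")
# The two execution_date encodings quoted in the report.
NOT_MASKED_URL = BASE + "2023-08-17T16%3A15%3A08.189107+00%3A00"
MASKED_URL = BASE + "2023-08-17T16%3A15%3A08.189107%2B00%3A00"


def execution_date_param(url):
    """Return execution_date after standard query-string (form) decoding."""
    return parse_qs(urlsplit(url).query)["execution_date"][0]


def parse_execution_date_strict(raw):
    """Hypothetical validator: timezone-aware ISO 8601 datetime or ValueError."""
    parsed = datetime.fromisoformat(raw)  # rejects the stray space
    if parsed.tzinfo is None:
        raise ValueError("execution_date has no UTC offset")
    return parsed


def rendered_template_status(url):
    """Hypothetical handler outline: refuse to render on a malformed date."""
    try:
        parse_execution_date_strict(execution_date_param(url))
    except (KeyError, ValueError):
        return 400  # fail closed: nothing is rendered, so nothing can leak
    return 200  # proceed to the normal, masked rendering path


if __name__ == "__main__":
    for label, url in (("not masked", NOT_MASKED_URL), ("masked", MASKED_URL)):
        print(label, repr(execution_date_param(url)), rendered_template_status(url))
```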