Skip to content

Hiding sensitive environment variables #70008

Description

@Venture200

Under which category would you file this issue?

Helm chart

Apache Airflow version

Any airflow version

What happened and how to reproduce it?

Hello, I dont know if it has been asked or what but couldn't find what I wanted.

in Airflow since sensitive credentials are stored via environment variables (meaning they are pulled securely during build but while it's already running), end users can have bashoperator and run printenv command and get all sensitive credentials regarding database, logging backends, secret backends etc which shouldnt be available for end users but admins only. Even if printenv is limited there are still other ways to get those credentials from environment.

I want to know what can I do in this scenario ?

What you think should happen instead?

Any command could potentially get sensitive credentials should be hidden or shouldnt have privilege to run specific list of commands

Operating System

Linux

Deployment

Official Apache Airflow Helm Chart

Apache Airflow Provider(s)

No response

Versions of Apache Airflow Providers

No response

Official Helm Chart version

1.21.0

Kubernetes Version

1.34.3

Helm Chart configuration

No response

Docker Image customizations

No response

Anything else?

No response

Are you willing to submit PR?

  • Yes I am willing to submit a PR!

Code of Conduct

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:helm-chartAirflow Helm Chartkind:bugThis is a clearly a bugneeds-triagelabel for new issues that we didn't triage yet

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions