Configuration for SimpleAuthManager credentials and RBAC in Airflow 3.1.5 #59514

jun-roh · 2025-12-16T15:37:36Z

jun-roh
Dec 16, 2025

Hello Airflow team and community,

I am currently testing the experimental Airflow 3.1.5 architecture using docker-compose with the new API Server (airflow-apiserver) instead of the traditional Flask-based webserver.

I am trying to configure the SimpleAuthManager to use a static username and password via environment variables, but the system seems to ignore my settings and generates a random password at startup.

Here is my sanitized docker-compose.yml and .env configuration:

Environment & Config:

# .env (Sanitized)
AIRFLOW_IMAGE_NAME=local-airflow:3.1.5
AIRFLOW_UID=50000
AIRFLOW__API__BASE_URL=https://airflow.example.com
AIRFLOW__WEBSERVER__BASE_URL=https://airflow.example.com

# Auth Secrets
SECRET_KEY=REDACTED_SECRET_KEY
AIRFLOW__API_AUTH__JWT_SECRET=${SECRET_KEY}

# Database
AIRFLOW_DB_HOST=db.example.com
AIRFLOW_DB_USER=airflow_user
AIRFLOW_DB_PASSWORD=airflow_pass
AIRFLOW__DATABASE__SQL_ALCHEMY_CONN=mysql+mysqldb://${AIRFLOW_DB_USER}:${AIRFLOW_DB_PASSWORD}@${AIRFLOW_DB_HOST}/airflow_db

# ... other configurations ...

# docker-compose.yml (Sanitized)
x-airflow-common: &airflow-common
  image: ${AIRFLOW_IMAGE_NAME}
  environment:
    # ---- Auth Config ----
    AIRFLOW__API_AUTH__JWT_SECRET: ${SECRET_KEY}
    
    # I am trying to set static credentials here:
    AIRFLOW__SIMPLE_AUTH_MANAGER__USERNAME: "airflow"
    AIRFLOW__SIMPLE_AUTH_MANAGER__PASSWORD: "airflow"
    AIRFLOW__SIMPLE_AUTH_MANAGER__DEFAULT_ROLE: "Admin"

    # Core Settings
    AIRFLOW__CORE__EXECUTOR: CeleryExecutor
    AIRFLOW__CORE__SQL_ALCHEMY_CONN: ${AIRFLOW__DATABASE__SQL_ALCHEMY_CONN}
    AIRFLOW__CORE__EXECUTION_API_SERVER_URL: http://execution-api:8080/execution/
    
    # ... other env vars ...

services:
  airflow-apiserver:
    <<: *airflow-common
    command: >
      bash -c "
      echo 'Starting Airflow API Server...' &&
      exec airflow api-server --host 0.0.0.0 --port 8080 --workers 1 --apps all
      "
    ports: ["8080:8080"]
    # ...

Despite having AIRFLOW__SIMPLE_AUTH_MANAGER__USERNAME and PASSWORD set in the environment, the container logs indicate that a random password is being generated for the user, and I cannot log in with airflow/airflow.

I have three questions regarding the authentication in the new Airflow 3.x architecture:

How can I enforce a specific username and password? It seems the environment variables AIRFLOW__SIMPLE_AUTH_MANAGER__* are not being picked up or enforced. Is there a different configuration key required to enable static credentials for the airflow-apiserver?
How can I verify credentials without relying on startup logs? Is there a CLI command available in the new architecture to check or reset the admin password? (Similar to airflow users create/reset-password in 2.x).
How is RBAC (User Permissions) handled in Airflow 3.1.5? In Airflow 2.x, we managed roles and permissions via webserver_config.py. Since the new API Server replaces the Flask AppBuilder webserver, how should we configure granular user permissions or map roles in this new version?

Any guidance or references to the documentation for the 3.x auth system would be greatly appreciated.

Thank you!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Configuration for SimpleAuthManager credentials and RBAC in Airflow 3.1.5 #59514

Uh oh!

{{title}}

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

Configuration for SimpleAuthManager credentials and RBAC in Airflow 3.1.5 #59514

Uh oh!

jun-roh Dec 16, 2025

Replies: 0 comments

jun-roh
Dec 16, 2025