ShubhamGondane opened a new pull request, #63312: URL: https://github.com/apache/airflow/pull/63312
## Summary - Adds support for `AIRFLOW__SECRETS__BACKEND_KWARG__<KEY>` environment variables as an alternative to the single `AIRFLOW__SECRETS__BACKEND_KWARGS` JSON blob - Per-key variables override the same key in the JSON blob, making it possible to store sensitive and non-sensitive kwargs separately - Workers section is also supported via `AIRFLOW__WORKERS__SECRETS_BACKEND_KWARG__<KEY>` ## Motivation Administrators (e.g. K8s deployments) currently cannot split sensitive kwargs (e.g. `role_id`, `secret_id` for Vault) from non-sensitive ones (e.g. `url`, `mount_point`) because all kwargs must be encoded in a single JSON blob. This forces them to either expose sensitive values in a public config or hide all values in a secret. closes: #62406 ## Test plan - [ ] `uv run --project airflow-core pytest airflow-core/tests/unit/always/test_secrets.py::TestSecretBackendKwargEnvVars -xvs` - [ ] `uv run --project airflow-core pytest airflow-core/tests/unit/core/test_configuration.py -xvs -k "kwarg"` --- ##### Was generative AI tooling used to co-author this PR? - [X] Yes — Claude Sonnet 4.6 (Claude Code) Generated-by: Claude Sonnet 4.6 (Claude Code) following [the guidelines](https://github.com/apache/airflow/blob/main/contributing-docs/05_pull_requests.rst#gen-ai-assisted-contributions) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
