Set up an Airflow connector

Capabilities
Gather Airflow credentials
Configure the Airflow connector

Capabilities

The Airflow connector syncs the following resources:

Resource	Sync	Provision
Accounts		Create, Delete
Roles		Grant, Revoke

Gather Airflow credentials

To configure the Airflow connector, you need Admin role access in your Airflow instance. The connector requires permissions to read users, roles, and to update user role assignments for provisioning.

The connector uses username/password credentials to authenticate with Airflow’s /auth/token endpoint, which returns a JWT token used for all API requests.

Ensure you have an Airflow user with the Admin role.

Note down the username, password, and the base URL of your Airflow instance (e.g., https://airflow.example.com).

Airflow uses the FAB (Flask-AppBuilder) auth manager. The connector exchanges username/password for a short-lived JWT token (default: 24h expiration) at the start of each sync. SSO/OAuth2 (Google, Okta, Azure Entra ID, etc.) is supported for the web UI but not for API access.

Configure the Airflow connector

Cloud-hosted
Self-hosted

Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.

In ConductorOne, navigate to Integrations > Connectors and click Add connector.

Search for Airflow and click Add.

Choose how to set up the new Airflow connector:

Add the connector to a currently unmanaged app
Add the connector to a managed app
Create a new managed app

Set the owner for this connector.

Click Next.

Find the Settings area of the page and click Edit.

Enter the required configuration:

Airflow Base URL: The base URL of your Airflow instance (e.g., https://airflow.example.com)
Username: Airflow admin username
Password: Airflow admin password

Click Save.

The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Airflow connector is now pulling access data into ConductorOne.

Follow these instructions to use the Airflow connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals.

Step 1: Set up a new Airflow connector

In ConductorOne, navigate to Integrations > Connectors > Add connector.

Search for Baton and click Add.

Choose how to set up the new Airflow connector:

Add the connector to a currently unmanaged app
Add the connector to a managed app
Create a new managed app

Set the owner for this connector.

Click Next.

In the Settings area of the page, click Edit.

Click Rotate to generate a new Client ID and Secret.Carefully copy and save these credentials.

Step 2: Create Kubernetes configuration files

Create two Kubernetes manifest files for your Airflow connector deployment:

Secrets configuration

# baton-airflow-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-airflow-secrets
type: Opaque
stringData:
  # ConductorOne credentials
  BATON_CLIENT_ID: <ConductorOne client ID>
  BATON_CLIENT_SECRET: <ConductorOne client secret>

  # Airflow credentials
  BATON_AIRFLOW_BASE_URL: https://airflow.example.com
  BATON_AIRFLOW_USERNAME: <Airflow admin username>
  BATON_AIRFLOW_PASSWORD: <Airflow admin password>

See the connector’s README or run --help to see all available configuration flags and environment variables.

Deployment configuration

# baton-airflow.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-airflow
  labels:
    app: baton-airflow
spec:
  selector:
    matchLabels:
      app: baton-airflow
  template:
    metadata:
      labels:
        app: baton-airflow
        baton: "true"
        baton-app: airflow
    spec:
      containers:
      - name: baton-airflow
        image: public.ecr.aws/conductorone/baton-airflow:latest
        imagePullPolicy: IfNotPresent
        env:
        - name: BATON_HOST_ID
          value: baton-airflow
        envFrom:
        - secretRef:
            name: baton-airflow-secrets

Step 3: Deploy the connector

Create a namespace in which to run ConductorOne connectors (if desired), then apply the secret config and deployment config files.

Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the Airflow connector to. Airflow data should be found on the Entitlements and Accounts tabs.

That’s it! Your Airflow connector is now pulling access data into ConductorOne.

All versions of this connector are available at dist.conductorone.com.

Set up Aircall connector

Set up an Amazon Elastic Kubernetes Service connector

⌘I

Welcome

Manage connectors

Deploy connectors

Upload connector data

Configurable connectors

Pre-built connectors

Set up an Airflow connector

Capabilities

Gather Airflow credentials

Configure the Airflow connector

Step 1: Set up a new Airflow connector

Step 2: Create Kubernetes configuration files

Secrets configuration

Deployment configuration

Step 3: Deploy the connector

Welcome

Manage connectors

Deploy connectors

Upload connector data

Configurable connectors

Pre-built connectors

​Capabilities

​Gather Airflow credentials

​Configure the Airflow connector

​Step 1: Set up a new Airflow connector

​Step 2: Create Kubernetes configuration files

​Secrets configuration

​Deployment configuration

​Step 3: Deploy the connector

Capabilities

Gather Airflow credentials

Configure the Airflow connector

Step 1: Set up a new Airflow connector

Step 2: Create Kubernetes configuration files

Secrets configuration

Deployment configuration

Step 3: Deploy the connector