Secret masker doesn't mask values in Rendered templates #55943

@ido177

Description

Apache Airflow version

3.0.6

If "Other Airflow 2 version" selected, which one?

No response

What happened?

I guess it's a similar issue to #54540

We’re running Airflow in Kubernetes using both Celery and Local executors, deploying from the official chart 1.18.0. The problem persists in any Airflow 3 version.
The secret masker doesn't hide sensitive values in the UI's Rendered templates.

We're using HashiCorp Vault as the secrets backend.

What you think should happen instead?

All sensitive secret values should be masked with ***

How to reproduce

Run Airflow using the chart

---
airflow:
  defaultAirflowTag: "3.0.6"
  airflowVersion: "3.0.6"
  useStandardNaming: true

  webserver:
    defaultUser:
      enabled: false

  executor: "LocalExecutor"

  config:
    secrets:
      backend: airflow.providers.hashicorp.secrets.vault.VaultBackend
      backend_kwargs: |
        {"connections_path": "dapa/airflow/environment/connections", "variables_path": "dapa/airflow/environment/variables", "mount_point": "datas", "token": "vow", "url": "http://vault:8200"}
    core:
      simple_auth_manager_all_admins: true
      auth_manager: airflow.api_fastapi.auth.managers.simple.simple_auth_manager.SimpleAuthManager

Run the DAG

from airflow.sdk import DAG
from airflow.providers.standard.operators.bash import BashOperator


with DAG(
    dag_id="demo_connection_render",
) as dag:

    show_connection = BashOperator(
        task_id="show_connection",
        bash_command="""
        echo "Host: {{ conn.test_conn.host }}"
        echo "Login: {{ conn.test_conn.login }}"
        echo "Password: {{ conn.test_conn.password }}"
        """,
    )

{conn.password} should be masked

Operating System

Debian GNU/Linux 12 (bookworm)

Versions of Apache Airflow Providers

apache-airflow==3.0.6
apache-airflow-providers-google==17.1.0
apache-airflow-providers-mysql==6.3.3
apache-airflow-providers-slack==9.1.3
apache-airflow-providers-vertica==4.1.2
apache-airflow-providers-apache-livy==4.4.2
apache-airflow-providers-ssh==4.1.2
apache-airflow-providers-common-sql==1.27.4
apache-airflow-providers-cncf-kubernetes==10.6.0
apache-airflow-providers-hashicorp==4.3.2
apache-airflow-providers-standard==1.5.0
apache-airflow-providers-postgres==6.2.3
apache-airflow-providers-apache-cassandra==3.8.2

Deployment

Official Apache Airflow Helm Chart

Deployment details

No response

Anything else?

No response

Are you willing to submit PR?

  • Yes I am willing to submit a PR!
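
A regression check for the behaviour this report expects, as an added example that is not part of the original issue and not Airflow's own masker code: it walks a rendered-template structure, reports which fields show a known secret in clear text, and produces the `***`-masked form. The function names, the minimum-length threshold and the sample values are assumptions constructed for illustration.

```python
from __future__ import annotations

from typing import Any, Iterator

MASK = "***"
MIN_SECRET_LEN = 3  # assumption: ignore very short values to limit false positives


def _walk(value: Any, path: str) -> Iterator[tuple[str, str]]:
    """Yield (path, string) for every string nested in dicts, lists and tuples."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from _walk(item, f"{path}.{key}" if path else str(key))
    elif isinstance(value, (list, tuple)):
        for index, item in enumerate(value):
            yield from _walk(item, f"{path}[{index}]")


def find_leaks(rendered: Any, secrets: set[str]) -> list[str]:
    """Return the paths of rendered fields that contain a secret in clear text."""
    usable = {s for s in secrets if len(s) >= MIN_SECRET_LEN}
    return sorted({p for p, text in _walk(rendered, "") if any(s in text for s in usable)})


def redact(rendered: Any, secrets: set[str]) -> Any:
    """Return a copy of `rendered` with every secret replaced by MASK."""
    if isinstance(rendered, str):
        # Longest first, so a secret that contains another one is masked whole.
        for secret in sorted(secrets, key=len, reverse=True):
            if len(secret) >= MIN_SECRET_LEN:
                rendered = rendered.replace(secret, MASK)
        return rendered
    if isinstance(rendered, dict):
        return {key: redact(item, secrets) for key, item in rendered.items()}
    if isinstance(rendered, (list, tuple)):
        return type(rendered)(redact(item, secrets) for item in rendered)
    return rendered


# Constructed sample: the DAG's bash_command after rendering, with made-up values.
SAMPLE_RENDERED = {
    "bash_command": 'echo "Host: db.example.internal"\necho "Login: svc_demo"\n'
                    'echo "Password: s3cr3t-constructed"',
    "env": None,
}
SAMPLE_SECRETS = {"s3cr3t-constructed"}
```

Run `find_leaks` over the rendered fields of a test task whose connection password is known to the test; an empty list means the masked view holds.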
