lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Apache Airflow

Apache Software FoundationCI/CD4 credentials

Credentials4 documented
01

Fernet Key

apache-airflow / fernet-key

Airflow encrypts sensitive connection and variable values at rest with a fernet key. Airflow security documentation covers encryption at rest and secrets backends for workload secrets.

generated on installsecretsecret value

Looks like

pattern
pattern

Fernet key shape commonly used by Airflow for encrypted metastore secrets

[A-Za-z0-9_\-]{43}=

Location

config file
airflow.cfg

Airflow core fernet_key setting

environment
AIRFLOW__CORE__FERNET_KEY
secret store

Kubernetes Secrets, Helm secrets, cloud secret managers, and Airflow secrets backends

source code

committed airflow.cfg, Helm values, Docker Compose files, and test configs

logs

startup logs and support bundles

Notes

A leaked fernet key plus Airflow metadata database access can decrypt stored connection passwords and variable values.

02

Webserver Secret Key

apache-airflow / webserver-secret-key

Airflow webserver uses a secret key for signing web sessions and CSRF state. Deployments commonly set this through airflow.cfg or environment variables.

generated on installsecretsecret value

Location

config file
airflow.cfg, webserver_config.py

Airflow webserver secret_key and web UI security configuration

environment
AIRFLOW__WEBSERVER__SECRET_KEY
secret store

Kubernetes Secrets, Helm secrets, and cloud secret managers

source code

committed configs and deployment manifests

Notes

Webserver secret-key rotation invalidates sessions and protects signed UI state.

03

Connection / Variable Secret

apache-airflow / connection-secret

Airflow stores credentials for external systems as Connections and Variables in the metastore, environment variables, or configured secrets backends. Airflow documents the secrets search path and external secrets backends.

user definedsecretsecret value

Location

database

Airflow metadata database storing encrypted connection and variable values

environment
AIRFLOW_CONN_*, AIRFLOW_VAR_*
secret store

HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, Kubernetes Secrets, and custom backends

config file

DAG configs, local secrets files, airflow.cfg, and Helm values

source code

DAG repositories, tests, and committed connection URIs

logs

task logs, connection debugging, and scheduler/webserver output

Notes

Airflow connection secrets may be cloud keys, database passwords, SSH keys, API tokens, and other downstream credentials used by DAGs.

04

Web UI User Password

apache-airflow / admin-user-password

Airflow web UI users authenticate through the configured auth manager or webserver auth backend. Local user credentials are deployment-specific and often provisioned by CLI, Helm chart, or secrets backend.

user definedsecretusername/password

Location

database

Airflow metadata database user tables for local auth configurations

public interface
Airflow webserver UI and API
environment
AIRFLOW_WWW_USER_USERNAME, AIRFLOW_WWW_USER_PASSWORD
secret store

Helm secrets, Kubernetes Secrets, password vaults, and identity-provider secrets

source code

Docker Compose files, Helm values, and local dev configs

logs

setup output and authentication traces

Notes

There is no universal Airflow administrator password; it is created during deployment or managed by the configured identity provider.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.