> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up an Airflow connector

> C1 provides identity governance and just-in-time provisioning for Apache Airflow. Integrate your Airflow instance with C1 to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision role assignments.

## Capabilities

The Airflow connector syncs the following resources:

| Resource | Sync                                                          | Provision                                                                    |
| :------- | :------------------------------------------------------------ | :--------------------------------------------------------------------------- |
| Accounts | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> Create, Delete |
| Roles    | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> Grant, Revoke  |

## Gather Airflow credentials

<Warning>
  To configure the Airflow connector, you need **Admin** role access in your Airflow instance. The connector requires permissions to read users, roles, and to update user role assignments for provisioning.
</Warning>

The connector uses username/password credentials to authenticate with Airflow's `/auth/token` endpoint, which returns a JWT token used for all API requests.

<Steps>
  <Step>
    Ensure you have an Airflow user with the **Admin** role.
  </Step>

  <Step>
    Note down the username, password, and the base URL of your Airflow instance (e.g., `https://airflow.example.com`).
  </Step>
</Steps>

<Info>
  Airflow uses the FAB (Flask-AppBuilder) auth manager. The connector exchanges username/password for a short-lived JWT token (default: 24h expiration) at the start of each sync. SSO/OAuth2 (Google, Okta, Azure Entra ID, etc.) is supported for the web UI but not for API access.
</Info>

## Configure the Airflow connector

<Tabs>
  <Tab title="Cloud-hosted">
    Follow these instructions to use a built-in, no-code connector hosted by C1.

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Airflow** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Airflow connector:

        * Add the connector to a currently unmanaged app
        * Add the connector to a managed app
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter the required configuration:

        * **Airflow Base URL**: The base URL of your Airflow instance (e.g., `https://airflow.example.com`)
        * **Username**: Airflow admin username
        * **Password**: Airflow admin password
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Airflow connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    Follow these instructions to use the [Airflow](https://github.com/conductorone/baton-airflow) connector, hosted and run in your own environment.

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals.

    ### Step 1: Set up a new Airflow connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Airflow connector:

        * Add the connector to a currently unmanaged app
        * Add the connector to a managed app
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.

        Carefully copy and save these credentials.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your Airflow connector deployment:

    #### Secrets configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-airflow-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-airflow-secrets
    type: Opaque
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>

      # Airflow credentials
      BATON_AIRFLOW_BASE_URL: https://airflow.example.com
      BATON_AIRFLOW_USERNAME: <Airflow admin username>
      BATON_AIRFLOW_PASSWORD: <Airflow admin password>

      # Optional: include if you want C1 to provision access using this connector
      BATON_PROVISIONING: true
    ```

    See the connector's README or run `--help` to see all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-airflow.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-airflow
      labels:
        app: baton-airflow
    spec:
      selector:
        matchLabels:
          app: baton-airflow
      template:
        metadata:
          labels:
            app: baton-airflow
            baton: "true"
            baton-app: airflow
        spec:
          containers:
          - name: baton-airflow
            image: public.ecr.aws/conductorone/baton-airflow:latest
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-airflow
            envFrom:
            - secretRef:
                name: baton-airflow-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Applications**. On the **Managed apps** tab, locate and click the name of the application you added the Airflow connector to. Airflow data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your Airflow connector is now pulling access data into C1.
  </Tab>
</Tabs>

***

<Tip>
  All versions of this connector are available at [dist.conductorone.com](https://dist.conductorone.com/ConductorOne/baton-airflow).
</Tip>