GCP-Cloud Composer: Secret Manager access variable.json

Question

I try to configure Secret Manager for my Composer (ver 1.16, airflow 1.10) but I have a weird situation like below. In my Composer, I've used a variable.json file to manage Variables in Airflow

# variable.json
{
    "sleep": "False",
    "ssh_host": "my_host"
}

Then, I use this article to configure Secret Manager. Follow the instructions, I override the config with a section secrets

backend: airflow.providers.google.cloud.secrets.secret_manager.CloudSecretManagerBackend
backend_kwargs: {"variables_prefix":"airflow-variables", "sep":"-", "project_id": "my-project"}

And in my Secret Manager, I also created my secret : airflow-variables-sercret_name .

In fact, everything is fine, I could get my secret via (and of course, I don't have any problem with the service account)

from airflow.models.variable import Variable
my_secret = Variable.get('sercret_name')

But when I check the Logs, I found out that Airflow also tries to find the other variables in my variables.json file

2022-04-13 15:49:46.590 CEST airflow-worker Google Cloud API Call Error (NotFound): Secret ID airflow-secrets-sleep not found.
2022-04-13 15:49:46.590 CEST airflow-worker Google Cloud API Call Error (NotFound): Secret ID airflow-secrets-ssh_host not found.

So how could I avoid this situation, please? Or Did I miss understand something? Thanks !!!

Answer 1

These errors are known when you use Secret Manager, but here are some workarounds below:

• Add a way to skip Secret backend.
• File a Feature Request to lower the log priority; You can use this as a template for your issue.
• Create logs exclusion in Cloud Logging.

About Logs Exclusion:

Sinks control how Cloud Logging routes logs. Sinks belong to a given Google Cloud resource: Cloud projects, billing accounts, folders, and organizations. When the resource receives a log entry, it routes the log entry according to the sinks contained by that resource. The routing behavior for each sink is controlled by configuring the inclusion filter and exclusion filters for that sink.

When you create a sink, you can set multiple exclusion filters, letting you exclude matching log entries from being routed to the sink's destination or from being ingested by Cloud Logging.