Before ingesting Apache Airflow metadata into Dawiso, prepare your deployment for authentication by creating a dedicated service account and confirming that the REST API is reachable. Only read access is required — Dawiso does not modify your DAGs, tasks, or configuration.
Supported Airflow versions
- Apache Airflow 2.0 and later (REST API v1)
- Apache Airflow 2.10+ and 3.x (REST API v2, JWT authentication)
- Managed services: AWS MWAA, Google Cloud Composer, Astronomer
Connection prerequisites
- An Airflow administrator account with permission to create users and assign roles.
- The Airflow REST API is enabled (default in Airflow 2.x and later).
- The Airflow web server is reachable from Dawiso on the configured base URL (default port
8080, or443behind a reverse proxy).
Authentication methods
Dawiso supports three authentication methods. The scanner selects the appropriate one based on the credentials you provide:
| Method | When used |
|---|---|
| Basic authentication | Username and password are provided. Sent as HTTP Basic Auth. Used by Airflow 2.x. |
| JWT token | Username and password are provided on Airflow 3.x. The scanner exchanges the credentials for a JWT token at /auth/token. |
| Bearer API token | An API token is provided directly. Sent in the Authorization header. Used by managed services. |
Create a service account
Create a dedicated service account rather than reusing a personal account.
Airflow 2.x and 3.x (web UI)
- Open the Airflow web UI as an administrator.
- Navigate to Security > List Users.
- Click + Add.
- Enter a username (e.g.,
dawiso_scanner) and a strong password. - Assign the Viewer role.
- Click Save.
The same credentials work for both API v1 (Basic Auth) and API v2 (JWT) — the scanner auto-detects the API version.
On some deployments, the connections and variables endpoints are restricted to the Admin role rather than Viewer. If those endpoints return 403 Forbidden during scanning, ask your Airflow administrator to either elevate the service account or grant per-endpoint access.
Managed services
For managed Airflow deployments, generate an API token through the platform’s own UI or IAM system:
| Platform | Authentication method |
|---|---|
| AWS MWAA | IAM role + Web Login Token via the AWS console or CLI |
| Google Cloud Composer | OAuth / OIDC bearer token via GCP IAM |
| Astronomer | API Token generated in the Astronomer UI |
Provide the resulting token as the API Token field when creating the connection — username and password are not used.
Verify API access
Before creating the connection in Dawiso, confirm that the REST API is reachable and your credentials work.
Airflow 2.x
curl -u dawiso_scanner:password123 https://airflow.example.com/api/v1/versionAirflow 3.x
curl -X POST https://airflow.example.com/auth/token \
-H "Content-Type: application/json" \
-d '{"username": "dawiso_scanner", "password": "password123"}'A successful response returns the Airflow version (v1) or a JWT token (v3), confirming both the API endpoint and authentication.
Recommended configuration
- Use a dedicated service account — avoid personal accounts for automated scanning.
- Keep the account at the Viewer role unless your deployment requires Admin for the connections or variables endpoints.
- Use a stable, load-balanced URL rather than a worker-specific address.
- Use HTTPS in production to protect credentials in transit.
- Rotate the service account password or API token according to your security policy.