Posted to commits@airflow.apache.org by "Tomasz Urbaszek (Jira)" <ji...@apache.org> on 2020/03/13 09:12:00 UTC

[jira] [Resolved] (AIRFLOW-6975) Base AWSHook AssumeRoleWithSAML

     [ https://issues.apache.org/jira/browse/AIRFLOW-6975?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tomasz Urbaszek resolved AIRFLOW-6975.
--------------------------------------
    Fix Version/s: 2.0.0
       Resolution: Done

> Base AWSHook AssumeRoleWithSAML
> -------------------------------
>
>                 Key: AIRFLOW-6975
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-6975
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: aws
>    Affects Versions: 1.10.9
>            Reporter: Bjorn Olsen
>            Assignee: Bjorn Olsen
>            Priority: Minor
>             Fix For: 2.0.0
>
>
> Base AWS Hook currently does AssumeRole but we require it to additionally be able to do AssumeRoleWithSAML.
> +Current+
> [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerole]
> The AssumeRole API operation is useful for allowing existing IAM users to access AWS resources that they don't already have access to.
> (This requires an AWS IAM user)
> +Proposed addition+
> [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithsaml]
> The AssumeRoleWithSAML API operation returns a set of temporary security credentials for federated users who are authenticated by your organization's existing identity system.
> (This allows federated login using another IDP rather than requiring an AWS IAM user).
>
> +Use case+
> We need to be able to authenticate an AD user against our IDP (Windows Active Directory).
> We can obtain a SAML assertion from our IDP, and then provide it to AWS STS to exchange it for AWS temporary credentials, thus authorising us to use AWS services. 
> The AWS AssumeRoleWithSAML API is intended for this use case, and the Base AWS Hook should be updated to allow for this method of authentication.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
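The exchange the issue asks for, as an added example that is not code from the Airflow project or from the issue reporter: the client obtains a SAML assertion from the IdP (the IdP login itself is out of scope here and is represented by a constructed, unsigned sample response), reads the `https://aws.amazon.com/SAML/Attributes/Role` attribute to find the role/provider pairs the IdP has authorised, picks one, and calls STS `AssumeRoleWithSAML` with `RoleArn`, `PrincipalArn` and the base64 assertion. The call is made through a client object with boto3's `assume_role_with_saml` method name so the same function works with `boto3.client("sts")`; the `FakeSts` class, the ARNs, account number and the sample assertion are all constructed for this example. Note that the assertion is parsed locally only to choose a role: STS, not this code, validates the signature, audience and expiry, and it also rejects any role/provider pair that is not listed in the assertion.

```python
"""Exchange a SAML assertion for temporary AWS credentials via STS AssumeRoleWithSAML.

Added example; not the Airflow hook's implementation. Works with a real
boto3 STS client or with the constructed FakeSts below for offline use.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Any, Dict, List, Optional, Tuple

# SAML 2.0 assertion namespace and the attribute AWS reads role mappings from.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"


def parse_aws_roles(saml_assertion_b64: str) -> List[Tuple[str, str]]:
    """Return the (role_arn, principal_arn) pairs listed in the assertion's Role attribute.

    The assertion is inspected here only so the caller can pick a role; STS validates
    the XML signature, audience and validity window when the assertion is presented.
    """
    root = ET.fromstring(base64.b64decode(saml_assertion_b64))
    pairs: List[Tuple[str, str]] = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            # Each value is "<role arn>,<saml-provider arn>"; IdPs emit the two in
            # either order, so classify by ARN type instead of trusting the position.
            parts = [p.strip() for p in (value.text or "").split(",")]
            roles = [p for p in parts if ":role/" in p]
            providers = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(roles) != 1 or len(providers) != 1:
                raise ValueError(f"malformed Role attribute value: {value.text!r}")
            pairs.append((roles[0], providers[0]))
    if not pairs:
        raise ValueError("assertion carries no AWS Role attribute")
    return pairs


def assume_role_with_saml(sts_client: Any, saml_assertion_b64: str,
                          role_arn: Optional[str] = None,
                          duration_seconds: int = 3600) -> Dict[str, Any]:
    """Pick a role the assertion authorises and exchange the assertion for credentials.

    sts_client must expose boto3's assume_role_with_saml(**kwargs) method. The call
    needs no AWS credentials of its own: the assertion is the credential. The session
    name comes from the assertion's RoleSessionName attribute, not from a parameter,
    and duration_seconds must not exceed the role's MaxSessionDuration.
    """
    allowed = parse_aws_roles(saml_assertion_b64)
    if role_arn is None:
        if len(allowed) != 1:
            listed = ", ".join(r for r, _ in allowed)
            raise ValueError(f"assertion lists several roles, role_arn is required: {listed}")
        role_arn, principal_arn = allowed[0]
    else:
        matches = [p for r, p in allowed if r == role_arn]
        if not matches:
            raise ValueError(f"assertion does not authorise {role_arn}")
        principal_arn = matches[0]
    response = sts_client.assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=principal_arn,
        SAMLAssertion=saml_assertion_b64,
        DurationSeconds=duration_seconds,
    )
    return response["Credentials"]


# Constructed sample: an unsigned SAML response as an IdP such as AD FS would issue
# for AWS, with two roles mapped and the provider ARN first in the second value.
_SAMPLE_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" \
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/airflow-etl,arn:aws:iam::123456789012:saml-provider/corp-adfs</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/corp-adfs,arn:aws:iam::123456789012:role/airflow-readonly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_ASSERTION = base64.b64encode(_SAMPLE_RESPONSE_XML).decode("ascii")


class FakeSts:
    """Constructed stand-in for boto3's STS client so the example runs offline.

    It mirrors one STS check: the requested RoleArn/PrincipalArn pair must be among
    the pairs the assertion lists, otherwise the request is denied.
    """

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []

    def assume_role_with_saml(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        pair = (kwargs["RoleArn"], kwargs["PrincipalArn"])
        if pair not in parse_aws_roles(kwargs["SAMLAssertion"]):
            raise PermissionError("AccessDenied: role/provider pair not in assertion")
        return {
            "Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret",
                            "SessionToken": "example-token", "Expiration": "2020-03-13T10:12:00Z"},
            "AssumedRoleUser": {"Arn": kwargs["RoleArn"]},
        }


if __name__ == "__main__":
    # With real AWS: sts = boto3.client("sts", region_name="eu-west-1")
    sts = FakeSts()
    creds = assume_role_with_saml(sts, SAMPLE_ASSERTION,
                                  role_arn="arn:aws:iam::123456789012:role/airflow-readonly")
    print(creds["AccessKeyId"], sts.calls[0]["PrincipalArn"])
```

The role selection is deliberately strict: when the IdP maps the user to more than one role the caller must name one, and a role the assertion does not list is refused before any network call rather than relying on the STS AccessDenied. The returned temporary credentials are the only secret material the hook needs to hold; the SAML assertion itself is short-lived and single-use from STS's point of view.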