Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/07/28 01:39:44 UTC

[GitHub] [airflow] kloty commented on issue #12035: Support AssumeRoleWithWebIdentity for AWS provider

kloty commented on issue #12035:
URL: https://github.com/apache/airflow/issues/12035#issuecomment-887944378


   > @vladiceanu @hammad13060 Isn't it enough to configure an empty AWS connection to use [the boto3 credential search flow](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials) and set the `AWS_WEB_IDENTITY_TOKEN_FILE` environment variable?
   > 
   > Reference:
   > https://aws.amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/
   > 
   > CC: @besson, @arobinski, @kokojumbo, @SadatAnwar, @Swalloow, and @giannisbetas
   
   For me, this method worked with the correct settings. I'll leave my case for the next person. 
   
   I installed Airflow 2.1.2 with helm and attached the required role-arn to the Airflow service account as an annotation. The role includes an S3 read/write policy for logging and other AWS-resource-related policies.
   I also checked that the IRSA-related environment variables (`AWS_ROLE_ARN`, `AWS_WEB_IDENTITY_TOKEN_FILE`) were automatically attached to the Airflow-related pods.
   
   According to `airflow/providers/amazon/aws/hooks/base_aws.py`, if `role-arn` is not specified in the AWS connection's extra parameters, a base session declared with empty parameters is used.
   So I declared an AWS Connection with the name aws_default without any additional parameters, and I confirmed that everything worked fine in my project.
   
   However, there was some confusion when reading and working from the documentation:
   https://airflow.apache.org/docs/apache-airflow-providers-amazon/stable/connections/aws.html#amazon-web-services-connection
   because only GCP-related content is written there.
   
   I don't know if the above should be written down in the documentation, but if that part is resolved, I think this issue can be closed.
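As an added example (not part of kloty's comment or of the Airflow code base), the following preflight check mirrors the working setup described above: both IRSA environment variables present, a projected token whose audience is STS and whose subject is the pod's service account, and an `aws_default` connection with no static keys so boto3 falls through to web identity. The token, role ARN and namespace/service-account names are constructed sample values; the `system:serviceaccount:<ns>:<name>` subject format and the `aws_access_key_id`/`aws_secret_access_key` extra keys are assumptions about EKS IRSA and Airflow's AWS connection.

```python
import base64
import json
from typing import Dict, List


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample: a projected service-account token as IRSA mounts it at
# AWS_WEB_IDENTITY_TOKEN_FILE. The signature is a dummy; claims are only
# decoded for inspection, never trusted.
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","kid":"example"}'),
    _b64url(json.dumps({
        "aud": ["sts.amazonaws.com"],
        "sub": "system:serviceaccount:airflow:airflow-worker",
        "iss": "https://oidc.eks.example.invalid/id/EXAMPLE",
    }).encode()),
    _b64url(b"dummy-signature"),
])


def decode_claims(token: str) -> dict:
    """Decode the JWT payload without verifying it (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def irsa_preflight(env: Dict[str, str], token: str, conn_extra: dict,
                   namespace: str, service_account: str) -> List[str]:
    """Return findings; an empty list means the pod matches the described setup."""
    findings = []
    for var in ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE"):
        if not env.get(var):
            findings.append(f"missing env var {var}")
    claims = decode_claims(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if "sts.amazonaws.com" not in aud:
        findings.append(f"token audience {aud} is not sts.amazonaws.com")
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    if claims.get("sub") != expected_sub:
        findings.append(f"token subject {claims.get('sub')!r} != {expected_sub!r}")
    # Static keys in the connection extra would be used instead of the
    # web-identity role, so the connection must stay empty for IRSA.
    for key in ("aws_access_key_id", "aws_secret_access_key"):
        if key in conn_extra:
            findings.append(f"connection extra contains static credential {key}")
    return findings
```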


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org