Posted to users@airflow.apache.org by Denis Boulas <de...@gmail.com> on 2019/09/27 21:51:59 UTC

AWS external role

Hi airflowers!

I'm having bad luck using an external AWS role... I'm running on an instance
with a role attached (instance profile), and I have configured the aws_default
connection id with empty user and password. Everything works within my AWS
account.

Also, I have created a separate AWS connection, aws_external, with only the Extra
clause filled in like this:
```
{"role_arn": "arn:aws:iam::123456789012:role/prod-airflow",
   "region_name": "us-east-1"}
```
Trust is established between the roles (instance profile and external role), and I can
successfully obtain STS creds from the instance role by using this command:
```
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/prod-airflow \
    --role-session-name test
```
But Airflow fails to use this connection with an error:
```
Running <TaskInstance: athena_partitions.mypart_app_ids 2019-09-22T01:00:00+00:00 [running]> on host ip-10-239-36-198.ec2.internal
[2019-09-23 22:57:45,030] {__init__.py:1580} ERROR - An error occurred (InvalidClientTokenId) when calling the AssumeRole operation: The security token included in the request is invalid.
Traceback (most recent call last):
```
Any ideas?

I've updated to Airflow 1.10.5 and am still experiencing the issue.

Thanks in advance!

-- 
Best regards,
Denis Boulas