MWAA Webserver UI Forbidden
- I have created Private MWAA environment
- Create EC2 bastion for port forwaring
- Running ssh tunnel from my localhost and trying to open UI
- I can see Airflow UI requesting SSO login.
- I generated token with "aws mwaa create-web-login-token"
https://localhost:8888/aws_mwaa/aws-console-sso?login=true#eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJ3ZWIiLCJyb2xlcyI6IkFkbWluIiwiZXhwIjoxNzA0ODc5ODk5LCJ1c2VyIjoiYXNzdW1lZC1yb2xlL0FXU1Jlc2VydmVkU1NPX0FXU0FkbWluaXN0cmF0b3JBY2NlS0I1eXU1QjdMcjlvRG91QSJ9.H2uBzOmG8E7hIYaHEIbwoXbCPFeXjHf1y5tvUPULdlW3pJHoqbVNUGzM-Az95BW1RI5NrChd2aFqgop7IiceqQ2DbWD4zwEueizje0O_caNDzqWds6xaCZx3WcvVPmtDsBqqSuofSFolna50iFFIvMHkA9JkpWpGnaaP_jMsVx_ul1uxmJzQbCBeJXzkXmR6LnG7PcGiPdaTmXddaGgc-GMTm6l4MgotbDIaBnP-cyzvdrz5szqb32SSFy5fhg4w-A5z7AzwTOF2eTYgqYQ6Myl5rl4ryNteoID633zUstrPWtFC1-lHB3xJZhkfhIpTew8eEexGqinh6DK_xOKpsA
6. Trying to UI with token and getting Forbidden error.
webserver logs:
Maybe somebody can help me on what I am doing wrong?
**FOLLOWUP: I attached AdministratorAccess to role that was created by MWAA automatically **
how can I figure out which role was missing?
- 新しい順
- 投票が多い順
- コメントが多い順
Hello, I'm assuming that you're following the steps outlined in this documentation: https://docs.aws.amazon.com/mwaa/latest/userguide/call-mwaa-apis-web.html
It is important to note that the generated web-login-token is only valid for 60 seconds. Thus, it is important to access the Airflow URL with the token before it expires. If you're still facing the error even after ensuring timely login, the issue could be related to the IAM permissions. For the IAM execution role created during MWAA environment creation, it should already have the required permissions. Whereas, for login into Airflow UI, your own IAM role/user needs to have the airflow:CreateWebLoginToken permission as mentioned here: https://docs.aws.amazon.com/mwaa/latest/userguide/access-policies.html#web-ui-access
I hope this helps.
関連するコンテンツ
AWS公式更新しました 1年前- AWS公式更新しました 1年前
- AWS公式更新しました 9ヶ月前
