I want to use AWS Identity and Access Management (IAM) role-based permissions to get directed acyclic graph (DAG) access in Amazon Managed Workflows for Apache Airflow (Amazon MWAA).
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Create a custom IAM policy to grant web server access
To create a custom IAM policy that grants web server access to the IAM user or role, use the default Apache Airflow Public role.
Use the following JSON policy document to create the IAM policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "airflow:CreateWebLoginToken",
"Resource": [
"arn:aws:airflow:example-region:example-account-id:role/example-environment/Public"
]
}
]
}
Note: Replace example-region with your AWS Region, example-account-id with your account ID, and example-environment with your environment name.
Then, add the policy to the IAM user or role. Make sure that the IAM role or user logs in to Apache Airflow at least one time.
Create a custom Airflow RBAC role
Complete the following steps:
- Use an admin role to access your Apache Airflow UI.
- For Security, choose List Roles to view the default Apache Airflow roles.
- Choose a role, and then choose Copy role.
- In the Users table, locate the role, and then choose Edit record.
- On the Edit page, make the following changes:
Update the role name to a valid value.
For Permissions, remove can read on DAGs and can edit on Dags.
Add read and write permissions for the DAGs that you want to grant access to.
Choose Save.
Note: You can also use APIs to create a new role-based access control (RBAC) Airflow role. For more information, see amazon-mwaa-examples on the GitHub website.
Assign the Airflow role
Complete the following steps:
- Open the Amazon MWAA console.
- Use the IAM role to run the get-environment command:
aws mwaa get-environment --name example-environment | jq '.Environment.WebserverUrl'
Note: Replace example-environment with your environment name. Note the web server URL in the command's output.
- Open a new browser window, and then enter the web server URL:
https://example-webserver-url/home
Note: Replace example-webserver-URL with the web server URL.
- Confirm that a Forbidden error appears.
Note: This error is expected because you assigned the new role as an Airflow Public RBAC role that doesn't have the required permissions.
- Use an admin role to access your environment's Apache Airflow UI.
- For Security, choose List Users.
- In the Users table, locate your Apache Airflow user or role, and then choose Edit record. The user's first name must match your IAM username in the user/customUser format.
- In the Role section of the Edit User page, add the role.
- Choose Save.
The IAM Public role grants customUser permissions to access the Apache Airflow UI and view the DAGs.