MWAA web login token

Question

I have setup MWAA v2.7.2 in PRIVATE access mode in my already existing VPC and I allow access to the UI through VPN. I follow the MWAA documentation and I am able to produce a CLI token and then hit airflow endpoints from my linux terminal. I am also able to produce a web login token and with the MWAA documentation about it I get a URL which if i paste on a browser I can login to the UI.
My questions are these. The first one is my main question:
1. The documentation states `You can use the commands on this page to generate a web login token, and then make Amazon Managed Workflows for Apache Airflow API calls directly in your command shell. For example, you can get a token, then deploy DAGs programmatically using Amazon MWAA APIs.`. Yet an example is not provided as to how to do this with a web login token and I was not able to find anything about it online.
2. What use case scenario does the URL with the web login token serve? I mean all the Airflow users in my company will have access to it through their IAM. In what scenario would the URL be useful?
Thanks in advance for any clarification provided.

Answer

Hi,

I understand you're referring to this [MWAA documentation](https://docs.aws.amazon.com/mwaa/latest/userguide/call-mwaa-apis-web.html). Actually, the below statement isn't entirely correct. I'll request MWAA documentation team to correct it to prevent further confusion.
```
You can use the commands on this page to generate a web login token, and then make Amazon Managed Workflows for Apache Airflow API calls directly in your command shell. For example, you can get a token, then deploy DAGs programmatically using Amazon MWAA APIs.
```
As you may already be aware, MWAA web-login token is only meant to authenticate and authorize into the Airflow UI. It cannot be used to make API calls directly in the command shell or deploy DAGs programmatically. Instead, such functionality is fulfilled by MWAA CLI token, and [this documentation](https://docs.aws.amazon.com/mwaa/latest/userguide/call-mwaa-apis-cli.html) provides the example Bash and Python code for it.

Regarding your second question, the URL with valid web login token will provide authentication and authorization into the Airflow UI. This is controlled by granting `airflow:CreateWebLoginToken` permission to your IAM user/role, who needs to access the Airflow UI. In the `Resource` attribute, one of the predefined Airflow roles can be specified. You can reference [this documentation](https://docs.aws.amazon.com/mwaa/latest/userguide/access-policies.html#web-ui-access) for more context. Specifying the web-login token with URL can be useful when you do not want to rely upon the MWAA Console SSO login option. This can be useful when you're implementing federated access to the Airflow UI as explained [here](https://d1.awsstatic.com/whitepapers/accessing-a-private-amazon-mwaa-environment-using-federated-identities.pdf) as one example.

I hope this helps.

MWAA web login token

관련 콘텐츠