By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

MWAA web login token

0

I have setup MWAA v2.7.2 in PRIVATE access mode in my already existing VPC and I allow access to the UI through VPN. I follow the MWAA documentation and I am able to produce a CLI token and then hit airflow endpoints from my linux terminal. I am also able to produce a web login token and with the MWAA documentation about it I get a URL which if i paste on a browser I can login to the UI. My questions are these. The first one is my main question:

  1. The documentation states You can use the commands on this page to generate a web login token, and then make Amazon Managed Workflows for Apache Airflow API calls directly in your command shell. For example, you can get a token, then deploy DAGs programmatically using Amazon MWAA APIs.. Yet an example is not provided as to how to do this with a web login token and I was not able to find anything about it online.
  2. What use case scenario does the URL with the web login token serve? I mean all the Airflow users in my company will have access to it through their IAM. In what scenario would the URL be useful? Thanks in advance for any clarification provided.
Topics
Application Integration
Tags
Amazon Managed Workflows for Apache Airflow (MWAA)
Language
English
DAK
asked 3 months ago459 views
1 Answer
0

Hi,

I understand you're referring to this MWAA documentation. Actually, the below statement isn't entirely correct. I'll request MWAA documentation team to correct it to prevent further confusion.

You can use the commands on this page to generate a web login token, and then make Amazon Managed Workflows for Apache Airflow API calls directly in your command shell. For example, you can get a token, then deploy DAGs programmatically using Amazon MWAA APIs.

As you may already be aware, MWAA web-login token is only meant to authenticate and authorize into the Airflow UI. It cannot be used to make API calls directly in the command shell or deploy DAGs programmatically. Instead, such functionality is fulfilled by MWAA CLI token, and this documentation provides the example Bash and Python code for it.

Regarding your second question, the URL with valid web login token will provide authentication and authorization into the Airflow UI. This is controlled by granting airflow:CreateWebLoginToken permission to your IAM user/role, who needs to access the Airflow UI. In the Resource attribute, one of the predefined Airflow roles can be specified. You can reference this documentation for more context. Specifying the web-login token with URL can be useful when you do not want to rely upon the MWAA Console SSO login option. This can be useful when you're implementing federated access to the Airflow UI as explained here as one example.

I hope this helps.

AWS
AWS-Sajjan
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content