Cross-Account S3 for dags and Secrets Manager for connections

0

Hi

I am really trying hard to get this one.

I have my S3 bucket for DAGs and Secrets Manager secrets for variables in account A and my MWAA environment in account B. I have given all the permissions to the MWAA execution role and set the bucket policy and Secrets Manager policy as well to allow my MWAA role. But my MWAA environment cannot access any of these.

So I am wondering whether MWAA actually supports a cross-account S3 bucket as a source bucket and cross-account Secrets Manager to store Airflow variables.

Please help me out because I have googled a lot but found nothing helpful.

Mouzma
Asked 3 years ago, viewed 1141 times
2 Answers
0

Hi!

The S3 bucket for DAGs must exist in the same account as the MWAA environment. This is to prevent MWAA executing code from another account.

Cross-account Secrets Manager may work with IAM delegation (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) or by adding an explicit AWS connection via secret via the Airflow connections UI.

Thanks!

AWS
John_J
Answered 3 years ago
0

What about the KMS key? It can be cross-account, right?

Mouzma
Answered 3 years ago
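
As an added example (not from the original thread and not AWS code), this simplified checker covers the resource-policy route the question describes and the KMS follow-up: a role in account B needs an identity-policy allow, a secret resource-policy allow, and, when the secret is encrypted with a customer managed key, a key-policy allow for `kms:Decrypt`. The ARNs, account IDs and policies are constructed samples, and the evaluation ignores Deny and Condition elements.

```python
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource, principal=None):
    """True if an Allow statement covers action and resource (and principal, for
    resource policies). Simplified: ignores Deny, Condition and Not* elements."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st.get("Action", []))):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", []))):
            continue
        if principal is not None:
            p = st.get("Principal", {})
            named = _as_list(p.get("AWS", [])) if isinstance(p, dict) else [p]
            account = principal.split(":")[4]  # account ID field of the role ARN
            if not {"*", principal, account, f"arn:aws:iam::{account}:root"} & set(named):
                continue
        return True
    return False

def missing_grants(role, secret, key, identity_policy, secret_policy, key_policy):
    """List the grants role still lacks to read secret (encrypted with key) cross-account."""
    checks = [
        ("identity policy", identity_policy, "secretsmanager:GetSecretValue", secret, None),
        ("identity policy", identity_policy, "kms:Decrypt", key, None),
        ("secret resource policy", secret_policy, "secretsmanager:GetSecretValue", secret, role),
        ("KMS key policy", key_policy, "kms:Decrypt", key, role),
    ]
    return [f"{where}: {action}" for where, pol, action, res, who in checks
            if not allows(pol, action, res, who)]

# Constructed sample: account A = 111111111111 (secret, key), account B = 222222222222 (MWAA role).
ROLE = "arn:aws:iam::222222222222:role/example-mwaa-execution-role"
SECRET = "arn:aws:secretsmanager:us-east-1:111111111111:secret:airflow/variables/example-AbCdEf"
KEY = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
                           "Resource": "arn:aws:secretsmanager:us-east-1:111111111111:secret:airflow/*"}]}
SECRET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE},
                                "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}
KEY_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                             "Action": "kms:*", "Resource": "*"}]}

if __name__ == "__main__":
    for gap in missing_grants(ROLE, SECRET, KEY, IDENTITY, SECRET_POLICY, KEY_POLICY):
        print("missing ->", gap)
```

In the constructed sample the secret's own policy is in place, yet the check still reports both KMS grants as missing.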
