assume_role_with_web_identity doesn't work #32726
-
Good day and thanks for reading. I have an issue with my Airflow connections that I'm trying to configure to use the assume_role_with_web_identity method. My Airflow is running in AKS and I'd like some Airflow connections to provide access to AWS resources (S3, SQS, etc.). Right now I have this:

However, when I do create an Airflow connection with this in Extra:

    {"role_arn": "arn:aws:iam::MY_ACCOUNT:role/MY_ROLE", "assume_role_method": "assume_role_with_web_identity", "assume_role_with_web_identity_federation": "file", "assume_role_with_web_identity_token_file": "/var/run/secrets/azure/tokens/azure-identity-token", "region_name": "us-east-1"}

It doesn't work. We get errors related to missing creds:

I'm not very familiar with Airflow and I rely on our Data Engineers here, however I can't get rid of the feeling that this might be something simple I've missed here. I have configured the Airflow connection according to the docs, PODs have the correct token that works, what am I missing here? Any help is appreciated, thanks!
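A preflight check for the connection Extra posted in the question, as an added example that is not part of the original thread: it validates the Extra keys and decodes the token's claims without verifying the signature, so issuer, subject, audience and expiry can be compared with the IAM role's trust policy. The function names and the sample token values are constructed for illustration, and the check does not cover the provider version.

```python
import base64
import json
import time

# Connection Extra as posted in the question (placeholders kept as-is).
EXTRA = {
    "role_arn": "arn:aws:iam::MY_ACCOUNT:role/MY_ROLE",
    "assume_role_method": "assume_role_with_web_identity",
    "assume_role_with_web_identity_federation": "file",
    "assume_role_with_web_identity_token_file": "/var/run/secrets/azure/tokens/azure-identity-token",
    "region_name": "us-east-1",
}

def make_sample_token(claims):
    """Build an unsigned, JWT-shaped string (constructed sample, not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed-signature"

def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))

def preflight(extra, token, now=None):
    """Return a list of problems found; an empty list means nothing obvious is wrong."""
    now = time.time() if now is None else now
    problems = []
    if extra.get("assume_role_method") != "assume_role_with_web_identity":
        problems.append("assume_role_method is not assume_role_with_web_identity")
    if not extra.get("role_arn", "").startswith("arn:aws:iam::"):
        problems.append("role_arn missing or not an IAM role ARN")
    if (extra.get("assume_role_with_web_identity_federation") == "file"
            and not extra.get("assume_role_with_web_identity_token_file")):
        problems.append("federation is 'file' but no token file path is set")
    try:
        claims = decode_jwt_claims(token)
    except ValueError as exc:  # also covers base64 and JSON decoding errors
        return problems + [f"token unreadable: {exc}"]
    for claim in ("iss", "sub", "aud", "exp"):  # claims the trust policy and STS depend on
        if claim not in claims:
            problems.append(f"token has no '{claim}' claim")
    if claims.get("exp", now + 1) <= now:
        problems.append("token is expired")
    return problems

if __name__ == "__main__":
    sample = make_sample_token({"iss": "https://issuer.example", "sub": "constructed-subject",
                                "aud": "constructed-audience", "exp": int(time.time()) + 600})
    print(preflight(EXTRA, sample) or "no problems found")
```

In a pod, pass the contents of the file named in `assume_role_with_web_identity_token_file` as `token`.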
-
Update: We've created a DAG to test direct access with boto3:
So s3_boto_operator step - works just fine
-
It seems that our AWS provider version is too old to support this. I will double check and close this if this is true.
-
Sorry for this to be open - we have some slow processes updating providers. I will update this ASAP.
-
Another workaround could be to use

Option 1: Environment variables

You need to inject these variables to your pod

So in this case your AWS Connection should be something like

    {"region_name": "us-east-1"}

Option 2: AWS config file

Note: This is less flexible because it requires creating files, and depending on your deployment process this could turn into hell.

First of all you need to create

    [profile awesome-profile]
    role_arn=arn:aws:iam::MY_ACCOUNT:role/MY_ROLE
    web_identity_token_file=/var/run/secrets/azure/tokens/azure-identity-token

So in this case your AWS Connection should be something like

    {
      "profile_name": "awesome-profile",
      "region_name": "us-east-1"
    }

Important: If you choose one of these methods you should not provide
-
Also I will close this as we have tested and it works - just need to update the Airflow AWS provider to a version that supports that feature.
-
assume_role_with_web_identity doesn't work on eks 1.30

EKS Version: 1.30

my-values.yaml:

env:

Volumes for all airflow containers
volumes:

VolumeMounts for all airflow containers
volumeMounts:
Thank you, this is definitely something to be aware of.