john-jac commented on pull request #19324:
URL: https://github.com/apache/airflow/pull/19324#issuecomment-969417889


   > > Maybe so, but even without the above export, when secrets manager backend is set, and a condition or resource constraint is applied, Airflow will fail to start with multiple instances of `AccessDeniedException`
   >
   > odd. i was not able to repro that 🤷
   
   It might be dependent on how you're connecting to AWS services; however, I was able to repro without Airflow just by assuming a role with boto3, such as in this Python code:
   
   ```python
   import boto3

   my_role_arn = "<my role arn>"
   # Create an STS client object that represents a live connection to the
   # STS service
   sts_client = boto3.client('sts')

   # Call the assume_role method of the STS client and pass the role
   # ARN and a role session name.
   assumed_role_object = sts_client.assume_role(
       RoleArn=my_role_arn,
       RoleSessionName="AssumeRoleSession1"
   )

   # From the response that contains the assumed role, get the temporary
   # credentials that can be used to make subsequent API calls
   credentials = assumed_role_object['Credentials']

   # Use the temporary credentials that AssumeRole returns to make a
   # connection to Amazon Secrets Manager
   sm_client_assumed = boto3.client(
       'secretsmanager',
       aws_access_key_id=credentials['AccessKeyId'],
       aws_secret_access_key=credentials['SecretAccessKey'],
       aws_session_token=credentials['SessionToken'],
   )

   # Use the Secrets Manager client that is now configured with the assumed-role
   # credentials to look up a secret that does not exist; with a prefix-restricted
   # resource policy this raises AccessDeniedException rather than
   # ResourceNotFoundException.
   secret_id = "<some secret not there>"
   secret_val_assumed = sm_client_assumed.get_secret_value(SecretId=secret_id)
   ```
   
   Give `my_role_arn` access to secrets manager like:
   
   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "secretsmanager:GetResourcePolicy",
                   "secretsmanager:GetSecretValue",
                   "secretsmanager:DescribeSecret",
                   "secretsmanager:ListSecretVersionIds"
               ],
               "Resource": "arn:aws:secretsmanager:us-west-2:012345678910:secret:some-prefix/*"
           },
           {
               "Effect": "Allow",
               "Action": "secretsmanager:ListSecrets",
               "Resource": "*"
           }
       ]
   }
   ```
   
   This will generate `AccessDeniedException`. Use `"Resource": "arn:aws:secretsmanager:us-west-2:012345678910:secret:*"` instead and you'll get `ResourceNotFoundException`.
   
   Thanks!
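The behaviour described in the comment above (a lookup for a name outside the permitted prefix fails authorization before the service ever reports that the secret does not exist) can be reproduced offline with a small, simplified IAM evaluator. The following is an added illustration, not code from the pull request or from the Airflow project; the policies, ARN prefix and secret names are constructed, and `policy_decision`, `simulate_get_secret_value` and `uncovered_prefixes` are hypothetical helpers. It models only Effect/Action/Resource matching with IAM's `*` and `?` wildcards (no Conditions, NotAction or principals), which is enough to show why a prefix-restricted `Resource` yields `AccessDeniedException` while `secret:*` yields `ResourceNotFoundException`, and it adds a pre-deployment check that lists the name prefixes a secrets backend will query that the policy does not cover.

```python
import re
from typing import Iterable, List, Set

# Constructed ARN prefix, reusing the sample region/account from the policy above.
ACCOUNT_ARN_PREFIX = "arn:aws:secretsmanager:us-west-2:012345678910:secret:"

# Two constructed policies: the prefix-restricted one from the comment, and the
# `secret:*` variant the comment says turns AccessDenied into ResourceNotFound.
PREFIX_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": ACCOUNT_ARN_PREFIX + "some-prefix/*",
        },
        {"Effect": "Allow", "Action": "secretsmanager:ListSecrets", "Resource": "*"},
    ],
}
WIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": ACCOUNT_ARN_PREFIX + "*",
        },
    ],
}


def _as_list(value) -> List[str]:
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def iam_glob_to_regex(pattern: str) -> str:
    """IAM wildcards: '*' matches any run of characters, '?' exactly one; all else literal."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def _matches(patterns: Iterable[str], value: str, ignore_case: bool = False) -> bool:
    flags = (re.IGNORECASE if ignore_case else 0) | re.DOTALL
    return any(re.fullmatch(iam_glob_to_regex(p), value, flags) for p in patterns)


def policy_decision(policy: dict, action: str, resource_arn: str) -> str:
    """Simplified IAM evaluation (hypothetical helper): an explicit Deny wins, then any
    matching Allow, otherwise implicit deny. Actions match case-insensitively,
    resources case-sensitively. Conditions, principals, NotAction and NotResource
    are deliberately not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt["Action"]), action, ignore_case=True):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def simulate_get_secret_value(policy: dict, secret_name: str, existing: Set[str]) -> str:
    """Return the error name a GetSecretValue caller would see under this policy.
    Authorization is evaluated before the existence check, which is why a lookup
    outside the permitted prefix surfaces as AccessDeniedException and never
    reaches ResourceNotFoundException."""
    arn = ACCOUNT_ARN_PREFIX + secret_name
    if policy_decision(policy, "secretsmanager:GetSecretValue", arn) != "Allow":
        return "AccessDeniedException"
    if secret_name not in existing:
        return "ResourceNotFoundException"
    return "OK"


def uncovered_prefixes(policy: dict, lookup_prefixes: Iterable[str]) -> List[str]:
    """Pre-deployment check: which of the name prefixes a secrets backend will query
    does the policy not cover? Probes one representative name under each prefix."""
    return [
        p for p in lookup_prefixes
        if policy_decision(policy, "secretsmanager:GetSecretValue",
                           ACCOUNT_ARN_PREFIX + p + "probe") != "Allow"
    ]


if __name__ == "__main__":
    for label, policy in (("prefix policy", PREFIX_POLICY), ("secret:* policy", WIDE_POLICY)):
        print(label, "->", simulate_get_secret_value(policy, "airflow/connections/my_db", set()))
    print("uncovered:", uncovered_prefixes(PREFIX_POLICY, ["some-prefix/", "airflow/variables/"]))
```

Running it prints `AccessDeniedException` for the prefix policy and `ResourceNotFoundException` for the `secret:*` policy on the same missing name, and reports `airflow/variables/` as uncovered by the prefix policy. The practical takeaway for a deployment is to run a check like `uncovered_prefixes` against every prefix the backend is configured to look up before enabling it, since a backend that only tolerates `ResourceNotFoundException` will fail on the first uncovered lookup.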

