Taragolis commented on code in PR #29623:
URL: https://github.com/apache/airflow/pull/29623#discussion_r1112313305
##########
airflow/providers/amazon/aws/hooks/base_aws.py:
##########
@@ -312,19 +312,35 @@ def _get_web_identity_credential_fetcher(
base_session = self.basic_session._session or
botocore.session.get_session()
client_creator = base_session.create_client
federation =
self.extra_config.get("assume_role_with_web_identity_federation")
- if federation == "google":
- web_identity_token_loader =
self._get_google_identity_token_loader()
- else:
- raise AirflowException(
- f'Unsupported federation: {federation}. Currently "google"
only are supported.'
- )
+
+ web_identity_token_loader = (
+ {
+ "file": self._get_file_token_loader,
+ "google": self._get_google_identity_token_loader,
+ }.get(federation)()
+ if type(federation) == str
+ else None
+ )
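Review bot: In the new `web_identity_token_loader` expression, `.get(federation)()` calls whatever the dict lookup returns, so an unrecognised string (a typo, for example) yields `None` and fails with `TypeError: 'NoneType' object is not callable` instead of the removed `AirflowException` that named the unsupported federation. Look the loader up first, raise the explicit error listing the supported values ("file", "google") when the key is missing, and only then call it. The `type(federation) == str` test reads better as `isinstance(federation, str)`. The `else None` branch also leaves the loader unset without any error when the value is missing or not a string; unless the code after this hunk handles that case, it should raise here too.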
Review Comment:
I don't want to be a "party breaker" but I have to. 🤣
It is not even about the current implementation, because it could be improved by
removing some hacks and private things usage.
It is more about that right now `BaseSessionFactory` contains a lot of hacks and
private method usage, and unfortunately we could check only part of these hacks.
I'm not even sure that SAML over SPNEGO and Federation over Google still
work because everything is just mocking; unfortunately the same situation here.
Ideally we need some kind of System Tests not only for Operators but also for
Connections 😿
And there still exist alternatives:
1. Profile from AWS Config File. I think if a user could provide multiple
tokens per POD, it is also possible to provide an additional file with config
2. Build your own class over
[`BaseSessionFactory`](https://airflow.apache.org/docs/apache-airflow-providers-amazon/stable/connections/aws.html#session-factory)
3. Obtain initial credentials by the [default `boto3` credentials
strategy](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html#configuring-credentials)
(in this case Environment Variables) and assume a specific role; of course it
requires additional IAM configurations.