pgagnon commented on code in PR #29623:
URL: https://github.com/apache/airflow/pull/29623#discussion_r1112391709
##########
airflow/providers/amazon/aws/hooks/base_aws.py:
##########
@@ -312,19 +312,35 @@ def _get_web_identity_credential_fetcher(
base_session = self.basic_session._session or
botocore.session.get_session()
client_creator = base_session.create_client
federation =
self.extra_config.get("assume_role_with_web_identity_federation")
- if federation == "google":
- web_identity_token_loader =
self._get_google_identity_token_loader()
- else:
- raise AirflowException(
- f'Unsupported federation: {federation}. Currently "google"
only are supported.'
- )
+
+ web_identity_token_loader = (
+ {
+ "file": self._get_file_token_loader,
+ "google": self._get_google_identity_token_loader,
+ }.get(federation)()
+ if type(federation) == str
+ else None
+ )
Review Comment:
> Seems like it provide ability to set different web identity token file,
isn't it? 🤔
Yes; I don't see a reason not to allow parameterization here. In fact, I
think not doing so would be inconsistent and counter to the goal of allowing
the feature to be fully configured through the connections subsystem.
> I guess this option exists for allow create own method auth to AWS without
overwrite everything in provider. If it complicated better to think how it make
easier to end users.
Custom classes will always only be used by our more sophisticated users. I
do believe that they have their place in Airflow, but they shouldn't be
considered a replacement for more accessible APIs, even if they functionally
allow the same implementation.
> Airflow
[`AssumeRole`](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
in two steps
>
> 1. Obtain initial session by: either direct credentials or use `boto3`
default strategy for obtain credentials (Environment Variables, EC2 IAM
Profile, ECS Execution Role and etc)
> 2. Use session obtained in Step 1 for assume role thought STS API
[`AssumeRole`](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html).
Unfortunately, this doesn't work out of the box for the vast majority of
operators. Furthermore, this doesn't address the use case; there are many ways
to obtain temporary credentials, but none currently allow configuring
`AssumeRoleWithWebIdentity` without relying on external configs.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]