[GitHub] [airflow] pgagnon commented on a diff in pull request #29623: Implement file credentials provider for AWS hook AssumeRoleWithWebIdentity

Mon, 20 Feb 2023 15:34:01 -0800 


pgagnon commented on code in PR #29623:
URL: https://github.com/apache/airflow/pull/29623#discussion_r1112391709


##########
airflow/providers/amazon/aws/hooks/base_aws.py:
##########
@@ -312,19 +312,35 @@ def _get_web_identity_credential_fetcher(
         base_session = self.basic_session._session or 
botocore.session.get_session()
         client_creator = base_session.create_client
         federation = 
self.extra_config.get("assume_role_with_web_identity_federation")
-        if federation == "google":
-            web_identity_token_loader = 
self._get_google_identity_token_loader()
-        else:
-            raise AirflowException(
-                f'Unsupported federation: {federation}. Currently "google" 
only are supported.'
-            )
+
+        web_identity_token_loader = (
+            {
+                "file": self._get_file_token_loader,
+                "google": self._get_google_identity_token_loader,
+            }.get(federation)()
+            if type(federation) == str
+            else None
+        )

Review Comment:
   > Seems like it provide ability to set different web identity token file, 
isn't it? 🤔
   
   Yes; I don't see a reason not to allow parameterization here. In fact, I 
think not doing so would be inconsistent and counter to the goal of allowing 
the feature to be fully configured through the connections subsystem.
   
   > I guess this option exists for allow create own method auth to AWS without 
overwrite everything in provider. If it complicated better to think how it make 
easier to end users.
   
   Custom classes will always only be used by our more sophisticated users. I 
do believe that they have their place in Airflow, but they shouldn't be 
considered a replacement for more accessible APIs, even if they functionally 
allow the same implementation.
   
   > Airflow 
[`AssumeRole`](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html)
 in two steps
   > 
   > 1. Obtain initial session by: either direct credentials or use `boto3` 
default strategy for obtain credentials (Environment Variables, EC2 IAM 
Profile, ECS Execution Role and etc)
   > 2. Use session obtained in Step 1 for assume role thought STS API 
[`AssumeRole`](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html).
   
   Unfortunately, this doesn't work out of the box for the vast majority of 
operators. Furthermore, this doesn't address the use case; there are many ways 
to obtain temporary credentials, but none currently allow configuring  
`AssumeRoleWithWebIdentity` without relying on external configs.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to