Taragolis commented on code in PR #29623:
URL: https://github.com/apache/airflow/pull/29623#discussion_r1112397450


##########
airflow/providers/amazon/aws/hooks/base_aws.py:
##########
@@ -312,19 +312,35 @@ def _get_web_identity_credential_fetcher(
         base_session = self.basic_session._session or 
botocore.session.get_session()
         client_creator = base_session.create_client
         federation = 
self.extra_config.get("assume_role_with_web_identity_federation")
-        if federation == "google":
-            web_identity_token_loader = 
self._get_google_identity_token_loader()
-        else:
-            raise AirflowException(
-                f'Unsupported federation: {federation}. Currently "google" 
only are supported.'
-            )
+
+        web_identity_token_loader = (
+            {
+                "file": self._get_file_token_loader,
+                "google": self._get_google_identity_token_loader,
+            }.get(federation)()
+            if type(federation) == str
+            else None
+        )
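Review bot: The lookup `.get(federation)()` at the end of the new block calls `None` whenever `federation` is a string other than "file" or "google", so a typo in the connection extra now surfaces as a bare `TypeError` ('NoneType' object is not callable) instead of the removed `AirflowException` that named the unsupported value. Look the loader up first, raise the explicit exception listing the supported keys when the lookup misses, and only then call it. Separately, `type(federation) == str` should be `isinstance(federation, str)`, and the `else None` branch leaves `web_identity_token_loader` as `None` without any error, so either the code that consumes it must handle `None` or the non-string case should raise as well.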

Review Comment:
   > Unfortunately, this doesn't work out of the box for the vast majority of 
operators. Furthermore, this doesn't address the use case; there are many ways 
to obtain temporary credentials, but none currently allow configuring 
AssumeRoleWithWebIdentity without relying on external configs.
   
   It would work with all operators which require an AWS Connection; the DAG I 
provided is a sample. In prod all you need is: 
   
   1. Set up `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE` in your environment.
   2. Allow `AWS_ROLE_ARN` to assume another role. This could be set up 
through AWS IAM, which does not require changing anything in the Airflow environment.
   3. Set up your connection with extra `{"role_arn": 
"your-required-role-here"}`
   
   Repeat steps 2 and 3 for any new roles you require.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
