ashb commented on code in PR #29623:
URL: https://github.com/apache/airflow/pull/29623#discussion_r1113244622
##########
airflow/providers/amazon/aws/hooks/base_aws.py:
##########
@@ -312,19 +312,35 @@ def _get_web_identity_credential_fetcher(
base_session = self.basic_session._session or
botocore.session.get_session()
client_creator = base_session.create_client
federation =
self.extra_config.get("assume_role_with_web_identity_federation")
- if federation == "google":
- web_identity_token_loader =
self._get_google_identity_token_loader()
- else:
- raise AirflowException(
- f'Unsupported federation: {federation}. Currently "google"
only are supported.'
- )
+
+ web_identity_token_loader = (
+ {
+ "file": self._get_file_token_loader,
+ "google": self._get_google_identity_token_loader,
+ }.get(federation)()
+ if type(federation) == str
+ else None
+ )
Review Comment:
Speaking to strictly a user feature point of view: Supporting this feature
in Airflow connections that work with any AWS operator is a huge win. So the
DAG approach you have right now isn't really viable, not for users who aren't
proficient in Python -- which let's not forget is many Airflow users.

So let's state my ground truth: Being able to configure an AWS connection
exclusively through the Airflow UI to use a web identity token, that can then
be used with all existing AWS operators, is a good feature and one we will
accept.

We can talk about implementation details, but "just write a python operator
to do it" is not an answer to this problem.