Taragolis commented on code in PR #29623:
URL: https://github.com/apache/airflow/pull/29623#discussion_r1113290164
##########
airflow/providers/amazon/aws/hooks/base_aws.py:
##########
@@ -312,19 +312,35 @@ def _get_web_identity_credential_fetcher(
base_session = self.basic_session._session or
botocore.session.get_session()
client_creator = base_session.create_client
federation =
self.extra_config.get("assume_role_with_web_identity_federation")
- if federation == "google":
- web_identity_token_loader =
self._get_google_identity_token_loader()
- else:
- raise AirflowException(
- f'Unsupported federation: {federation}. Currently "google"
only are supported.'
- )
+
+ web_identity_token_loader = (
+ {
+ "file": self._get_file_token_loader,
+ "google": self._get_google_identity_token_loader,
+ }.get(federation)()
+ if type(federation) == str
+ else None
+ )
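Review bot: In the new `web_identity_token_loader` expression, `{...}.get(federation)()` calls the result of `.get()` unconditionally, so any string other than "file" or "google" makes `.get()` return `None` and the call fails with a `TypeError` instead of the `AirflowException` naming the unsupported federation that the removed `else` branch raised. Look the loader up first, raise an explicit error listing the supported keys when it is missing, and only then call it. The `type(federation) == str` test is better written as `isinstance(federation, str)`, and the `else None` arm silently leaves the loader unset when the option is missing or not a string; nothing in this hunk shows the caller handling `None`, so that case should either be rejected here or be documented.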
Review Comment:
> Speaking to strictly a user feature point of view: Supporting this feature
> in Airflow connections that work with any AWS operator is a huge win.

@ashb Let me repeat one more time: this **would** work right now without
custom code in DAG (**>>>> DAG only for sample <<<<**), the same as the [snippet
provided in the documentation for
check](https://airflow.apache.org/docs/apache-airflow-providers-amazon/stable/connections/aws.html#snippet-to-create-connection-and-convert-to-uri).

There is an existing option which is tested and covered:
- Step 1: Obtain by `boto3` default credentials strategy
- Step 2: Assume required role

This works through a **single connection**, the same way as it works when
Airflow is deployed on EC2 Instances or ECS Tasks.

And, in contrast, this solution (as well as SPNEGO and Google Federation) mocks
everything; we do not even know if `botocore` changes this part, because we mock
everything.

> And as Philippe said, botocore is not a private module.
>
> Importing a public class from botocore.credentials is 100% not a problem.

Huh 🤔?

```python
token_file = self.extra_config.get("assume_role_with_web_identity_token_file") or os.getenv(
    AssumeRoleWithWebIdentityProvider._CONFIG_TO_ENV_VAR["web_identity_token_file"]
)
```