Taragolis commented on code in PR #29623:
URL: https://github.com/apache/airflow/pull/29623#discussion_r1114381838
##########
airflow/providers/amazon/aws/hooks/base_aws.py:
##########
@@ -312,19 +312,35 @@ def _get_web_identity_credential_fetcher(
base_session = self.basic_session._session or
botocore.session.get_session()
client_creator = base_session.create_client
federation =
self.extra_config.get("assume_role_with_web_identity_federation")
- if federation == "google":
- web_identity_token_loader =
self._get_google_identity_token_loader()
- else:
- raise AirflowException(
- f'Unsupported federation: {federation}. Currently "google"
only are supported.'
- )
+
+ web_identity_token_loader = (
+ {
+ "file": self._get_file_token_loader,
+ "google": self._get_google_identity_token_loader,
+ }.get(federation)()
+ if type(federation) == str
+ else None
+ )
Review Comment:
> The point of this feature is to allow different Airflow connections to
have different styles of credentials. I'm marking this point as resolved now as
there are no private APIs/attrs in use.
My point initially that this changes not required at all, because everything
is available right now in Amazon Provider.
Make users allow to setup something which not available thought
`botocore.session.Session` (there is no way to change env var here or setup
default values) or `botocore.config.Config` could be potentially unsafe and
would make administrators who maintain Airflow unhappy.
AWS do not provide public interface for iterate with this function directly,
more probably for security reason, but we would not allow to make in community
provider). Only public interface for that potentially "unsafe" capabilities
thought profiles, AWS Config file and ENV VARs which under administrators
control, another option it is `aws-cli` but this not option in this case.
I can't find any use cases for this feature, as well as AWS do not even
provide any documentation for that, rather than setup environment variables for
k8s pod.
Right now users and administrators have everything for do different and
potentially unsafe stuff when it comes to credentials to AWS.
1. Provide Environment Variables, and config files. This part under control
of administrators
2. Write own SessionFactory, yeah AWS provider is unique provider which
allow overwrite logic for obtain
3. Obtain initial session and assume to specific role. The same, this is
under control of administrators, default session obtained thought boto3
credential strategy (p1) and other stuff happen thought AWS IAM, permission
could be revoked and monitored.
```json
{
"role_arn": "arn:aws:iam::112223334444:role/my_role",
"region_name": "ap-southeast-2"
}
```
This PR it is nice way to shot in foot or cast security wormhole, we should
avoid to use any files/classes which passed thought connection. The only one
way to allow this to the community provider:
1. Make it optional
2. Enable thought Airflow Configurations `[aws] allow_unsafe`
3. Turned off this functional by default
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
