[
https://issues.apache.org/jira/browse/AIRFLOW-6975?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17050942#comment-17050942
]
ASF GitHub Bot commented on AIRFLOW-6975:
-----------------------------------------
baolsen commented on pull request #7619: [AIRFLOW-6975] Base AWSHook AssumeRoleWithSAML
URL: https://github.com/apache/airflow/pull/7619
---
Issue link: WILL BE INSERTED BY [boring-cyborg](https://github.com/kaxil/boring-cyborg)
Make sure to mark the boxes below before creating PR: [x]
- [x] Description above provides context of the change
- [x] Commit message/PR title starts with `[AIRFLOW-NNNN]`. AIRFLOW-NNNN = JIRA ID<sup>*</sup>
- [ ] Unit tests coverage for changes (not needed for documentation changes)
- [x] Commits follow "[How to write a good git commit message](http://chris.beams.io/posts/git-commit/)"
- [x] Relevant documentation is updated including usage instructions.
- [x] I will engage committers as explained in [Contribution Workflow Example](https://github.com/apache/airflow/blob/master/CONTRIBUTING.rst#contribution-workflow-example).
<sup>*</sup> For document-only changes commit message can start with `[AIRFLOW-XXXX]`.
---
In case of fundamental code change, Airflow Improvement Proposal ([AIP](https://cwiki.apache.org/confluence/display/AIRFLOW/Airflow+Improvements+Proposals)) is needed.
In case of a new dependency, check compliance with the [ASF 3rd Party License Policy](https://www.apache.org/legal/resolved.html#category-x).
In case of backwards incompatible changes please leave a note in [UPDATING.md](https://github.com/apache/airflow/blob/master/UPDATING.md).
Read the [Pull Request Guidelines](https://github.com/apache/airflow/blob/master/CONTRIBUTING.rst#pull-request-guidelines) for more information.
> Base AWSHook AssumeRoleWithSAML
> -------------------------------
>
> Key: AIRFLOW-6975
> URL: https://issues.apache.org/jira/browse/AIRFLOW-6975
> Project: Apache Airflow
> Issue Type: Improvement
> Components: aws
> Affects Versions: 1.10.9
> Reporter: Bjorn Olsen
> Assignee: Bjorn Olsen
> Priority: Minor
>
> Base AWS Hook currently does AssumeRole but we require it to additionally be
> able to do AssumeRoleWithSAML.
> +Current+
> [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerole]
> The AssumeRole API operation is useful for allowing existing IAM users to
> access AWS resources that they don't already have access to.
> (This requires an AWS IAM user)
> +Proposed addition+
> [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithsaml]
> The AssumeRoleWithSAML API operation returns a set of temporary security
> credentials for federated users who are authenticated by your organization's
> existing identity system.
> (This allows federated login using another IDP rather than requiring an AWS
> IAM user).
>
> +Use case+
> We need to be able to authenticate an AD user against our IDP (Windows Active
> Directory).
> We can obtain a SAML assertion from our IDP, and then provide it to AWS STS
> to exchange it for AWS temporary credentials, thus authorising us to use AWS
> services.
> The AWS AssumeRoleWithSAML API is intended for this use case, and the Base
> AWS Hook should be updated to allow for this method of authentication.
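
The exchange described in the issue, as an added example (not code from the pull request or from Airflow): it reads the role and identity-provider ARN pairs from a SAML assertion and builds the arguments for boto3's `sts.assume_role_with_saml`, refusing any role the assertion does not list. The sample assertion, account ID, role names and both function names are constructed for illustration; verifying the assertion's signature is left to STS.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample assertion (unsigned, illustration only); account ID and names are made up.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
   <saml:AttributeValue>arn:aws:iam::111122223333:role/AirflowETL,arn:aws:iam::111122223333:saml-provider/ADFS</saml:AttributeValue>
   <saml:AttributeValue>arn:aws:iam::111122223333:saml-provider/ADFS,arn:aws:iam::111122223333:role/ReadOnly</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def roles_in_assertion(assertion_b64):
    """Return {role_arn: principal_arn} from the assertion's AWS Role attribute."""
    # The assertion comes from your own IdP; this parse only selects a role.
    # It does not validate the signature, STS does that on submission.
    root = ET.fromstring(base64.b64decode(assertion_b64))
    roles = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            arns = [a.strip() for a in (value.text or "").split(",")]
            # IdPs differ in the order of the pair, so classify by resource type.
            principal = next((a for a in arns if ":saml-provider/" in a), None)
            role = next((a for a in arns if ":role/" in a), None)
            if len(arns) == 2 and principal and role:
                roles[role] = principal
    return roles


def build_sts_params(assertion_b64, role_arn, duration_seconds=3600):
    """Keyword arguments for boto3's sts.assume_role_with_saml()."""
    roles = roles_in_assertion(assertion_b64)
    if role_arn not in roles:
        raise PermissionError(f"{role_arn} is not granted by this assertion")
    return {"RoleArn": role_arn, "PrincipalArn": roles[role_arn],
            "SAMLAssertion": assertion_b64, "DurationSeconds": duration_seconds}


if __name__ == "__main__":
    print(build_sts_params(SAMPLE_B64, "arn:aws:iam::111122223333:role/AirflowETL"))
```

With boto3 installed, the returned dictionary can be passed as `boto3.client("sts").assume_role_with_saml(**params)`; the call itself needs no existing AWS credentials, which is what removes the IAM-user requirement noted in the issue.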