[ https://issues.apache.org/jira/browse/AIRFLOW-6975?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tomasz Urbaszek resolved AIRFLOW-6975.
--------------------------------------
Fix Version/s: 2.0.0
Resolution: Done
> Base AWSHook AssumeRoleWithSAML
> -------------------------------
>
> Key: AIRFLOW-6975
> URL: https://issues.apache.org/jira/browse/AIRFLOW-6975
> Project: Apache Airflow
> Issue Type: Improvement
> Components: aws
> Affects Versions: 1.10.9
> Reporter: Bjorn Olsen
> Assignee: Bjorn Olsen
> Priority: Minor
> Fix For: 2.0.0
>
>
> Base AWS Hook currently does AssumeRole but we require it to additionally be
> able to do AssumeRoleWithSAML.
> +Current+
> [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerole]
> The AssumeRole API operation is useful for allowing existing IAM users to
> access AWS resources that they don't already have access to.
> (This requires an AWS IAM user)
> +Proposed addition+
> [https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithsaml]
> The AssumeRoleWithSAML API operation returns a set of temporary security
> credentials for federated users who are authenticated by your organization's
> existing identity system.
> (This allows federated login using another IdP rather than requiring an AWS
> IAM user).
>
> +Use case+
> We need to be able to authenticate an AD user against our IdP (Windows Active
> Directory).
> We can obtain a SAML assertion from our IDP, and then provide it to AWS STS
> to exchange it for AWS temporary credentials, thus authorising us to use AWS
> services.
> The AWS AssumeRoleWithSAML API is intended for this use case, and the Base
> AWS Hook should be updated to allow for this method of authentication.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
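The exchange described in the use case (SAML assertion from the corporate IdP, handed to STS AssumeRoleWithSAML, temporary credentials back), as an added example that is not Airflow's hook code and not part of the original issue. It parses the `https://aws.amazon.com/SAML/Attributes/Role` attribute AWS expects in the assertion, applies the checks a caller can make locally (audience, validity window, well-formed role/provider pairs), and builds the request. The STS client is injected so the module runs offline; `FakeStsClient`, the sample SAMLResponse, the ARNs and the account id are constructed placeholders. In real use pass `boto3.client("sts")`; the XML signature is verified by STS against the certificate registered on the IAM SAML provider, not by this code, which is what makes the unauthenticated STS call safe.

```python
"""Exchange an IdP-issued SAML assertion for AWS temporary credentials.
Added example, not Airflow's AwsBaseHook; STS client is injected (boto3 in production)."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_AUDIENCE = "urn:amazon:webservices"


def _saml_time(value: str) -> dt.datetime:
    # SAML timestamps are UTC with a trailing Z
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def parse_saml_roles(saml_response_b64: str,
                     now: Optional[dt.datetime] = None) -> List[Tuple[str, str]]:
    """Return the (role_arn, principal_arn) pairs the assertion offers.

    Rejects assertions not addressed to AWS or outside their validity window.
    Signature verification is left to STS (it checks the IdP certificate on the
    IAM saml-provider); do not treat these local checks as authentication."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("SAMLResponse carries no Assertion")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion has no usable Conditions element")
    now = now or dt.datetime.now(dt.timezone.utc)
    not_before = cond.get("NotBefore")
    if (not_before and now < _saml_time(not_before)) or now >= _saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if AWS_AUDIENCE not in audiences:
        raise ValueError("assertion audience is not %s" % AWS_AUDIENCE)

    roles = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            # AWS accepts "role,provider" or "provider,role"; tell them apart by ARN type
            if len(parts) != 2 or not all(p.startswith("arn:aws:iam::") for p in parts):
                raise ValueError("malformed Role attribute value: %r" % value.text)
            providers = [p for p in parts if ":saml-provider/" in p]
            if len(providers) != 1:
                raise ValueError("Role attribute value needs exactly one saml-provider ARN")
            role = parts[0] if parts[1] == providers[0] else parts[1]
            roles.append((role, providers[0]))
    if not roles:
        raise ValueError("assertion offers no AWS roles")
    return roles


def build_assume_role_with_saml_params(saml_response_b64: str, role_arn: Optional[str] = None,
                                       duration_seconds: int = 3600,
                                       now: Optional[dt.datetime] = None) -> Dict[str, object]:
    """Keyword arguments for sts.assume_role_with_saml(); caller must pick a role if several are offered."""
    offered = dict(parse_saml_roles(saml_response_b64, now))
    if role_arn is None:
        if len(offered) != 1:
            raise ValueError("assertion offers %d roles; pass role_arn" % len(offered))
        role_arn = next(iter(offered))
    if role_arn not in offered:
        raise ValueError("assertion does not offer %s" % role_arn)
    return {"RoleArn": role_arn, "PrincipalArn": offered[role_arn],
            "SAMLAssertion": saml_response_b64,  # the base64 SAMLResponse, passed through untouched
            "DurationSeconds": duration_seconds}


def assume_role_with_saml(sts_client, saml_response_b64: str, role_arn: Optional[str] = None,
                          now: Optional[dt.datetime] = None) -> Dict[str, str]:
    """Call STS and return credentials in the shape a boto3 session needs.
    No AWS credentials are required on the caller side for this STS operation."""
    creds = sts_client.assume_role_with_saml(
        **build_assume_role_with_saml_params(saml_response_b64, role_arn, now=now))["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"], "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"], "expiration": creds["Expiration"]}


class FakeStsClient:
    """Offline stand-in for boto3.client("sts"); records the request it received."""
    def __init__(self):
        self.requests = []

    def assume_role_with_saml(self, **kwargs):
        self.requests.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                                "SessionToken": "token", "Expiration": "2020-03-01T11:00:00Z"}}


# Constructed, unsigned sample SAMLResponse with placeholder account id and ARNs.
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Conditions NotBefore="2020-03-01T10:00:00Z" NotOnOrAfter="2020-03-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:amazon:webservices</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/AirflowWorker,arn:aws:iam::123456789012:saml-provider/CorpAD</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/CorpAD,arn:aws:iam::123456789012:role/AirflowReadOnly</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""").decode()
SAMPLE_NOW = dt.datetime(2020, 3, 1, 10, 2, tzinfo=dt.timezone.utc)      # inside the window
SAMPLE_EXPIRED = dt.datetime(2020, 3, 1, 10, 5, tzinfo=dt.timezone.utc)  # at NotOnOrAfter: rejected

if __name__ == "__main__":
    sts = FakeStsClient()
    print(assume_role_with_saml(sts, SAMPLE_SAML_RESPONSE_B64,
                                "arn:aws:iam::123456789012:role/AirflowWorker", now=SAMPLE_NOW))
```

Two points a practitioner would check before wiring this into a hook: the base64 SAMLResponse must be passed to STS byte-for-byte as the IdP issued it (any re-serialisation breaks the IdP signature), and the returned credentials expire at `Expiration`, so the hook needs to re-run the IdP login and the exchange rather than cache them indefinitely.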