mik-laj opened a new issue #9873: URL: https://github.com/apache/airflow/issues/9873
Hello,

We can use [OpenID Connect Federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) in [AWS Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) to be able to use Google identity credentials to access AWS services. If we obtain identity credentials using the Google metaserver, we will not have to use any long-lived authorization data. This will increase security. In case of leakage of temporary credentials, their use is limited.

This sample shows how to make authenticated calls to AWS APIs from Google Cloud. This is a sample flow:

Requirements:

1. The flow shows the usage of the S3 service, but it should be possible to use any AWS service.
2. The flow shows how to get a token using the metaserver, but we should also support other methods of getting ID tokens:
   a) service account in connection (path/dict)
   b) environment variable
   c) gcloud tool credentials (service account/stored authorized user credential)
   d) meta server
3. Tokens should be automatically refreshed in both libraries - boto and google-auth.

I would also be happy if we had comprehensive documentation, together with terraform scripts at best. This is a feature that is not described often because AWS doesn't want to describe GCP services and AWS doesn't want to describe Google services. The exact example certainly helped to understand these features.

To implement token refresh for AWS, this article can help: https://dev.to/li_chastina/auto-refresh-aws-tokens-using-iam-role-and-boto3-2cjf

In the case of GCP, the problem will be many methods of creating a token, but I will be happy to share the code if anyone wants to implement it.
More information:
- https://github.com/shrikant0013/gcp-aws-webidentityfederation
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html
- https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts.html#STS.Client.assume_role_with_web_identity
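The flow described in the issue (a Google ID token from the metadata server exchanged through STS `AssumeRoleWithWebIdentity`, with the AWS credentials refreshed automatically on the boto side), as an added example that is not code from the issue or from Airflow. The audience string, role ARN and session name are hypothetical inputs, and google-auth and boto3 are imported lazily so the refresh logic can be exercised offline with fake callables.

```python
# Google ID token -> AWS STS AssumeRoleWithWebIdentity with automatic refresh.
# Added example, not Airflow's code; audience, role ARN and session name are
# hypothetical. google-auth and boto3 are imported lazily so the refresh logic
# can be exercised offline with fake callables.
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict

REFRESH_MARGIN = timedelta(minutes=5)  # renew before STS credentials expire

class WebIdentityCredentials:
    """Cache temporary AWS credentials obtained from a Google ID token."""

    def __init__(self, fetch_id_token: Callable[[], str], assume_role: Callable[[str], Dict],
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._fetch_id_token = fetch_id_token  # e.g. GCE metadata server
        self._assume_role = assume_role        # wraps sts.assume_role_with_web_identity
        self._now, self._creds, self._expiry = now, None, None
        self.refresh_count = 0

    def refresh(self) -> Dict:
        """Exchange a fresh ID token for STS credentials. The dict shape matches what
        botocore's RefreshableCredentials.create_from_metadata() / refresh_using expect."""
        resp = self._assume_role(self._fetch_id_token())["Credentials"]
        self._expiry = resp["Expiration"]
        self._creds = {"access_key": resp["AccessKeyId"], "secret_key": resp["SecretAccessKey"],
                       "token": resp["SessionToken"], "expiry_time": self._expiry.isoformat()}
        self.refresh_count += 1
        return self._creds

    def get(self) -> Dict:
        """Return cached credentials, refreshing within REFRESH_MARGIN of expiry."""
        if self._creds is None or self._expiry - self._now() <= REFRESH_MARGIN:
            self.refresh()
        return self._creds

def google_metadata_fetcher(audience: str) -> Callable[[], str]:
    """ID token for `audience` from the GCE/Cloud Run metadata server (google-auth)."""
    def fetch() -> str:
        import google.auth.transport.requests, google.oauth2.id_token  # lazy: GCP only
        return google.oauth2.id_token.fetch_id_token(
            google.auth.transport.requests.Request(), audience)
    return fetch

def sts_assumer(role_arn: str, session_name: str) -> Callable[[str], Dict]:
    """Trade the ID token for short-lived AWS credentials via STS (boto3)."""
    def assume(id_token: str) -> Dict:
        import boto3  # lazy: not needed to run the refresh logic offline
        return boto3.client("sts").assume_role_with_web_identity(
            RoleArn=role_arn, RoleSessionName=session_name, WebIdentityToken=id_token)
    return assume
```

On GCP, `WebIdentityCredentials(google_metadata_fetcher(AUDIENCE), sts_assumer(ROLE_ARN, "airflow")).refresh` can be handed to `botocore.credentials.RefreshableCredentials.create_from_metadata` as its `refresh_using` callable, so a boto3 session renews the STS credentials without any long-lived AWS key on the machine.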
