[
https://issues.apache.org/jira/browse/AIRFLOW-2807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16560780#comment-16560780
]
ASF subversion and git services commented on AIRFLOW-2807:
----------------------------------------------------------
Commit 449a7fd1b72639f1eb2bbeb033e1642e8eaac96c in incubator-airflow's branch
refs/heads/master from [~vvondra]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=449a7fd ]
[AIRFLOW-2807] Support STS Assume Role External ID
Currently the role assumption method works only if
the granting account
does not specify an External ID. The external ID
is used to solved the
confused deputy problem. When using the AWS hook
to export data to
multiple customers, it's good security practice to
use the external ID.
There is no backwards compatibility break, the ID
will be `None` in
existing cases. Moto doesn't provide any
convenient way to verify the
value was passed in the credential response in
tests, so existing
test cases are kept.
Documentation: https://docs.aws.amazon.com/IAM/lat
est/UserGuide/id_roles_create_for-
user_externalid.html
Closes #3647 from vvondra/support_sts_external_id
> Add support for External ID when using STS Assume Role
> ------------------------------------------------------
>
> Key: AIRFLOW-2807
> URL: https://issues.apache.org/jira/browse/AIRFLOW-2807
> Project: Apache Airflow
> Issue Type: Improvement
> Components: aws, boto3, hooks
> Affects Versions: 1.10.1
> Reporter: Vojtech Vondra
> Priority: Minor
> Fix For: 2.0.0
>
>
> Currently the role assumption method works only if the granting account does
> not specify an External ID. The external ID is used to solved the confused
> deputy problem. When using the AWS hook to export data to multiple customers,
> it's good security practice to use the external ID.
> Documentation:
> https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
