[ https://issues.apache.org/jira/browse/AIRFLOW-2807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16560780#comment-16560780 ]
ASF subversion and git services commented on AIRFLOW-2807:
----------------------------------------------------------

Commit 449a7fd1b72639f1eb2bbeb033e1642e8eaac96c in incubator-airflow's branch refs/heads/master from [~vvondra]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=449a7fd ]

[AIRFLOW-2807] Support STS Assume Role External ID

Currently the role assumption method works only if the granting
account does not specify an External ID. The external ID is used
to solve the confused deputy problem. When using the AWS hook to
export data to multiple customers, it's good security practice to
use the external ID.

There is no backwards compatibility break, the ID will be `None`
in existing cases. Moto doesn't provide any convenient way to verify
the value was passed in the credential response in tests, so existing
test cases are kept.

Documentation:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

Closes #3647 from vvondra/support_sts_external_id

> Add support for External ID when using STS Assume Role
> ------------------------------------------------------
>
>                 Key: AIRFLOW-2807
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2807
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: aws, boto3, hooks
>    Affects Versions: 1.10.1
>            Reporter: Vojtech Vondra
>            Priority: Minor
>             Fix For: 2.0.0
>
>
> Currently the role assumption method works only if the granting account does
> not specify an External ID. The external ID is used to solve the confused
> deputy problem. When using the AWS hook to export data to multiple customers,
> it's good security practice to use the external ID.
> Documentation:
> https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
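
The external ID check described in this issue, as an added example that is not part of the original message or of Airflow's code: it builds the arguments for boto3's `sts.assume_role()` with an optional `ExternalId`, and evaluates a customer's trust policy against them offline. The account IDs, role ARN, external IDs and helper names are constructed for illustration, and `trust_policy_allows` is a simplified model of IAM evaluation, not AWS's implementation.

```python
def build_assume_role_kwargs(role_arn, session_name, external_id=None):
    """Keyword arguments for boto3's sts.assume_role().

    ExternalId is omitted when it is None, so callers that never set one
    send the same request as before.
    """
    kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if external_id is not None:
        kwargs["ExternalId"] = external_id
    return kwargs


def trust_policy_allows(policy, caller_account, request):
    """Simplified trust-policy check (assumption: account principals and a
    StringEquals condition on sts:ExternalId are the only features used)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if wanted is None or request.get("ExternalId") == wanted:
            return True
    return False


# Constructed sample data: the exporting service (the deputy) runs in DEPUTY.
DEPUTY = "111111111111"
CUSTOMER_A_ROLE = "arn:aws:iam::222222222222:role/export-target"
CUSTOMER_A_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{DEPUTY}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "ext-id-customer-a"}},
    }],
}
# The deputy stores one external ID per tenant and always sends the ID of the
# tenant that made the request, never a value the tenant supplies.
TENANT_EXTERNAL_ID = {"customer-a": "ext-id-customer-a", "customer-b": "ext-id-customer-b"}


def deputy_can_assume(tenant, role_arn, trust_policy):
    """Would the deputy, acting for `tenant`, be allowed to assume the role?"""
    request = build_assume_role_kwargs(role_arn, f"export-{tenant}", TENANT_EXTERNAL_ID[tenant])
    return trust_policy_allows(trust_policy, DEPUTY, request)
```

A request made on behalf of `customer-b` that names customer A's role carries `ext-id-customer-b`, so the trust policy rejects it even though the deputy's account is a trusted principal.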