Bjorn Olsen created AIRFLOW-6975:
------------------------------------

             Summary: Base AWSHook AssumeRoleWithSAML
                 Key: AIRFLOW-6975
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-6975
             Project: Apache Airflow
          Issue Type: Improvement
          Components: aws
    Affects Versions: 1.10.9
            Reporter: Bjorn Olsen
            Assignee: Bjorn Olsen


Base AWS Hook currently does AssumeRole but we require it to additionally be 
able to do AssumeRoleWithSAML.

+Current+

[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerole]

The AssumeRole API operation is useful for allowing existing IAM users to 
access AWS resources that they don't already have access to.

(This requires an AWS IAM user)

+Proposed addition+

[https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithsaml]

The AssumeRoleWithSAML API operation returns a set of temporary security 
credentials for federated users who are authenticated by your organization's 
existing identity system.

(This allows federated login using another IDP rather than requiring an AWS IAM 
user).
+Use case+

We need to be able to authenticate an AD user against our IDP (Windows Active 
Directory).

We can obtain a SAML assertion from our IDP, and then provide it to AWS STS to 
exchange it for AWS temporary credentials, thus authorising us to use AWS 
services. 

The AWS AssumeRoleWithSAML API is intended for this use case, and the Base AWS 
Hook should be updated to allow for this method of authentication.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
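The SAML-to-STS exchange described in the issue, as an added example that is not Airflow's code and not the reporter's: it parses the AWS `Role` attribute out of a SAML response, lets the caller pick one role explicitly, and calls `assume_role_with_saml` with the base64 assertion as the credential. It uses only the standard library plus an injected STS client object (the `FakeSTSClient` below is a stand-in so it runs offline); with boto3 installed, `boto3.client("sts")` accepts the same `RoleArn`, `PrincipalArn`, `SAMLAssertion` and `DurationSeconds` keyword arguments and returns the same `Credentials` shape. The sample SAML response, the account ID, the role and provider names and `FakeSTSClient` are all constructed for the example.

```python
"""Added example: exchange a SAML assertion for temporary AWS credentials.

Not Airflow's code. Only the standard library is used; the STS client is
injected so the module runs offline. With boto3, pass boto3.client("sts").
"""
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample SAMLResponse as an IdP (here, AD FS) would return it:
# two roles are offered, and the second pair is written provider-first,
# which some IdPs do even though AWS documents the role-first order.
SAMPLE_SAML_RESPONSE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/AirflowWorker,arn:aws:iam::123456789012:saml-provider/CorpAD</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/CorpAD,arn:aws:iam::123456789012:role/AirflowAdmin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>bolsen</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""").decode()


def parse_aws_roles(saml_response_b64):
    """Return [(role_arn, saml_provider_arn), ...] from the Role attribute.

    The provider ARN is identified by its ':saml-provider/' prefix rather
    than by position, so either ordering of the comma-separated pair works.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            roles = [p for p in parts if ":role/" in p]
            providers = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(roles) != 1 or len(providers) != 1:
                raise ValueError("malformed AWS Role attribute value: %r" % value.text)
            pairs.append((roles[0], providers[0]))
    if not pairs:
        raise ValueError("SAML assertion carries no AWS Role attribute")
    return pairs


def assume_role_with_saml(sts_client, saml_response_b64, role_arn, duration_seconds=3600):
    """Exchange the assertion for temporary credentials for one chosen role.

    The caller names the role explicitly; if the assertion offers several,
    we refuse to guess rather than silently take the first (possibly more
    privileged) one. No AWS credentials are needed for this STS call: the
    SAML assertion itself is the credential, so treat it as a secret.
    """
    offered = dict(parse_aws_roles(saml_response_b64))
    if role_arn not in offered:
        raise PermissionError("role %s is not offered by the IdP assertion" % role_arn)
    response = sts_client.assume_role_with_saml(
        RoleArn=role_arn,
        PrincipalArn=offered[role_arn],
        SAMLAssertion=saml_response_b64,   # base64-encoded SAMLResponse, as STS expects
        DurationSeconds=duration_seconds,
    )
    creds = response["Credentials"]
    # Keys named as boto3.Session() keyword arguments, so a hook can do
    # boto3.Session(**{k: v for k, v in creds.items() if k != "expiration"}).
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


class FakeSTSClient:
    """Offline stand-in for boto3's STS client (constructed for this example).

    Records each request and returns the field layout of a real
    AssumeRoleWithSAML response so the caller's handling can be checked.
    """
    def __init__(self):
        self.calls = []

    def assume_role_with_saml(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret",
            "SessionToken": "example-token", "Expiration": "2020-03-01T00:00:00Z"}}


if __name__ == "__main__":
    sts = FakeSTSClient()
    print(assume_role_with_saml(sts, SAMPLE_SAML_RESPONSE,
                                "arn:aws:iam::123456789012:role/AirflowWorker"))
```

Two points a hook implementation should keep: `AssumeRoleWithSAML` is one of the STS calls that is not signed with AWS credentials, so the base64 `SAMLResponse` is the bearer secret and must not end up in task logs or connection extras; and the role to assume should come from the connection configuration and be checked against the roles the IdP actually offered, as above, rather than defaulting to whichever pair appears first in the assertion.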
