NiFi supports SAML and OIDC for SSO so you could use AWS Cognito or another identity management solution like Keycloak but NiFi itself doesn’t support IAM authentication like AWS RDS and OpenSearch do.
Thanks Shawn On Mar 17, 2023, at 9:51 AM, James McMahon <[email protected]> wrote: Hello. We run nifi on an AWS EC2 instance. I currently employ certs for nifi user authentication. The CA is in our nifi truststore. Users install certs issued by the CA in their browsers. I've set up a parsing pattern in nifi.properties to extract user identities from the CN of the cert, and I employ those user identities to compare against entries in nifi policies and nifi groups to authorize what each user is entitled to do within nifi. My team lead has asked whether we can replace the CA and certificates dependency with AWS IAM, and it is not clear to me that such a change would be possible. Can anyone refer me to a guide that shows whether IAM can supplant authentication to NiFi by cert and authorization by IAM identity against nifi user and group policies? It seems to me that IAM is ideal for identity and access management to AWS resources. For example, we can set up roles to permit and control access to S3 buckets, or to control access to services like AWS Lambda. But IAM is not intended to be used as a CA or as an authorization mechanism to/within nifi. Am I mistaken? Thank you in advance.
