Accessing an Amazon MWAA environment - Amazon Managed Workflows for Apache Airflow

Accessing an Amazon MWAA environment

To use Amazon Managed Workflows for Apache Airflow, you must use an AWS account and IAM entities with the necessary permissions. This topic describes the access policies you can attach to your Apache Airflow development team and Apache Airflow users for your Amazon Managed Workflows for Apache Airflow environment.

We recommend using temporary credentials and configuring federated identities with groups and roles, to access your Amazon MWAA resources. As a best practice, avoid attaching policies directly to your IAM users, and instead define groups or roles to provide temporary access to AWS resources.

An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user in that it is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.

To assign permissions to a federated identity, you create a role and define permissions for the role. When a federated identity authenticates, the identity is associated with the role and is granted the permissions that are defined by the role. For information about roles for federation, see Create a role for a third-party identity provider (federation) in the IAM User Guide. If you use IAM Identity Center, you configure a permission set. To control what your identities can access after they authenticate, IAM Identity Center correlates the permission set to a role in IAM. For information about permissions sets, see Permission sets in the AWS IAM Identity Center User Guide.

You can use an IAM role in your account to grant another AWS account permissions to access your account's resources. For an example, see Tutorial: Delegate access across AWS accounts using IAM roles in the IAM User Guide.

How it works

The resources and services used in an Amazon MWAA environment are not accessible to all AWS Identity and Access Management (IAM) entities. You must create a policy that grants Apache Airflow users permission to access these resources. For example, you need to grant access to your Apache Airflow development team.

Amazon MWAA uses these policies to validate whether a user has the permissions needed to perform an action on the AWS console or via the APIs used by an environment.

You can use the JSON policies in this topic to create a policy for your Apache Airflow users in IAM, and then attach the policy to a user, group, or role in IAM.

To provide access, add permissions to your users, groups, or roles:

Full console access policy: AmazonMWAAFullConsoleAccess

A user may need access to the AmazonMWAAFullConsoleAccess permissions policy if they need to configure an environment on the Amazon MWAA console.

Note

Your full console access policy must include permissions to perform iam:PassRole. This allows the user to pass service-linked roles, and execution roles, to Amazon MWAA. Amazon MWAA assumes each role in order to call other AWS services on your behalf. The following example uses the iam:PassedToService condition key to specify the Amazon MWAA service principal (airflow.amazonaws.com) as the service to which a role can be passed.

For more information about iam:PassRole, see Granting a user permissions to pass a role to an AWS service in the IAM User Guide.

Use the following policy if you want to create and manage your Amazon MWAA environments using an AWS owned key for encryption at rest.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "airflow:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "airflow.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["iam:ListRoles"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreatePolicy"],
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:policy/service-role/MWAA-Execution-Policy*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole"
      ],
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/service-role/AmazonMWAA*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutObject",
        "s3:GetEncryptionConfiguration"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup"
      ],
      "Resource": "arn:aws:ec2:*:*:security-group/airflow-security-group-*"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:ListAliases"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:*:*:vpc-endpoint/*",
        "arn:aws:ec2:*:*:vpc/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterface"],
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ]
    }
  ]
}

Use the following policy if you want to create and manage your Amazon MWAA environments using a customer managed key for encryption at rest. To use a customer managed key, the IAM principal must have permission to access AWS KMS resources using the key stored in your account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "airflow:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "airflow.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["iam:ListRoles"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreatePolicy"],
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:policy/service-role/MWAA-Execution-Policy*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole"
      ],
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/service-role/AmazonMWAA*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutObject",
        "s3:GetEncryptionConfiguration"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup"
      ],
      "Resource": "arn:aws:ec2:*:*:security-group/airflow-security-group-*"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:ListAliases"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:ListGrants",
        "kms:CreateGrant",
        "kms:RevokeGrant",
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*"
      ],
      "Resource": "arn:aws:kms:*:YOUR_ACCOUNT_ID:key/YOUR_KMS_ID"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:*:*:vpc-endpoint/*",
        "arn:aws:ec2:*:*:vpc/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterface"],
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ]
    }
  ]
}

Full API and console access policy: AmazonMWAAFullApiAccess

A user may need access to the AmazonMWAAFullApiAccess permissions policy if they need access to all Amazon MWAA APIs used to manage an environment. It does not grant permissions to access the Apache Airflow UI.

Note

A full API access policy must include permissions to perform iam:PassRole. This allows the user to pass service-linked roles, and execution roles, to Amazon MWAA. Amazon MWAA assumes each role in order to call other AWS services on your behalf. The following example uses the iam:PassedToService condition key to specify the Amazon MWAA service principal (airflow.amazonaws.com) as the service to which a role can be passed.

For more information about iam:PassRole, see Granting a user permissions to pass a role to an AWS service in the IAM User Guide.

Use the following policy if you want to create and manage your Amazon MWAA environments using an AWS owned key for encryption at rest.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "airflow:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "airflow.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetEncryptionConfiguration"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:*:*:vpc-endpoint/*",
        "arn:aws:ec2:*:*:vpc/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterface"],
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ]
    }
  ]
}

Use the following policy if you want to create and manage your Amazon MWAA environments using a customer managed key for encryption at rest. To use a customer managed key, the IAM principal must have permission to access AWS KMS resources using the key stored in your account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "airflow:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "airflow.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:ListGrants",
        "kms:CreateGrant",
        "kms:RevokeGrant",
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*"
      ],
      "Resource": "arn:aws:kms:*:YOUR_ACCOUNT_ID:key/YOUR_KMS_ID"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetEncryptionConfiguration"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:*:*:vpc-endpoint/*",
        "arn:aws:ec2:*:*:vpc/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterface"],
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ]
    }
  ]
}
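The notes for both full-access policies above stress that iam:PassRole on Resource "*" is only safe when the iam:PassedToService condition pins the target to airflow.amazonaws.com. The following policy check is an added example written for this page (it is not AWS code or part of the documentation); it parses a policy document and reports every Allow statement that grants iam:PassRole, directly or through a wildcard action, without that condition. The two sample policies are constructed inline.

```python
import fnmatch
import json

MWAA_SERVICE = "airflow.amazonaws.com"

# Constructed sample (not the documentation's policy): the iam:PassRole statement
# from the full-access policies, with its iam:PassedToService condition intact.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "airflow:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
         "Condition": {"StringLike": {"iam:PassedToService": MWAA_SERVICE}}},
    ],
})

# Constructed sample: the same grant with the condition dropped, which lets the
# principal pass any role in the account to any AWS service, not only to MWAA.
UNSCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
})


def _as_list(value):
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_passrole(action):
    # Action names are case-insensitive and may be wildcards ("iam:Pass*", "iam:*", "*").
    return fnmatch.fnmatchcase("iam:passrole", action.lower())


def find_unscoped_passrole(policy_json):
    """Return the indexes of Allow statements that grant iam:PassRole without
    an iam:PassedToService condition naming only airflow.amazonaws.com."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_grants_passrole(a) for a in _as_list(stmt.get("Action"))):
            continue
        passed_to = []
        for operator, keys in stmt.get("Condition", {}).items():
            if operator.lower() in ("stringequals", "stringlike"):
                for key, value in keys.items():
                    if key.lower() == "iam:passedtoservice":
                        passed_to.extend(_as_list(value))
        # No condition, or a condition that admits anything but the MWAA principal, is a finding.
        if not passed_to or any(service != MWAA_SERVICE for service in passed_to):
            findings.append(idx)
    return findings
```

Run it over a policy before attaching it to the developer group; an empty result means every PassRole grant is pinned to the MWAA service principal.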

Read-only console access policy: AmazonMWAAReadOnlyAccess

A user may need access to the AmazonMWAAReadOnlyAccess permissions policy if they need to view the resources used by an environment on the Amazon MWAA console environment details page. It doesn't allow a user to create new environments, edit existing environments, or view the Apache Airflow UI.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "airflow:ListEnvironments",
        "airflow:GetEnvironment",
        "airflow:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}

Apache Airflow UI access policy: AmazonMWAAWebServerAccess

A user may need access to the AmazonMWAAWebServerAccess permissions policy if they need to access the Apache Airflow UI. It does not allow the user to view environments on the Amazon MWAA console or use the Amazon MWAA APIs to perform any actions. Specify the Admin, Op, User, Viewer, or Public role in {airflow-role} to customize the level of access for the user of the web token. For more information, see Default Roles in the Apache Airflow reference guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "airflow:CreateWebLoginToken",
      "Resource": [
        "arn:aws:airflow:{your-region}:YOUR_ACCOUNT_ID:role/{your-environment-name}/{airflow-role}"
      ]
    }
  ]
}

Apache Airflow Rest API access policy: AmazonMWAARestAPIAccess

To access the Apache Airflow REST API, you must grant the airflow:InvokeRestApi permission in your IAM policy. In the following policy sample, specify the Admin, Op, User, Viewer, or Public role in {airflow-role} to customize the level of user access. For more information, see Default Roles in the Apache Airflow reference guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowMwaaRestApiAccess",
      "Effect": "Allow",
      "Action": "airflow:InvokeRestApi",
      "Resource": [
        "arn:aws:airflow:{your-region}:YOUR_ACCOUNT_ID:role/{your-environment-name}/{airflow-role}"
      ]
    }
  ]
}
Note
  • While configuring a private web server, the InvokeRestApi action cannot be invoked from outside of a Virtual Private Cloud (VPC). You can use the aws:SourceVpc condition key to apply more granular access control for this operation. For more information, see aws:SourceVpc.

  • The Resource field in this policy specifies the Apache Airflow role-based access control roles for the Amazon MWAA environment. The policy does not support the Amazon MWAA environment ARN (Amazon Resource Name) in the Resource field.
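The AmazonMWAAWebServerAccess and AmazonMWAARestAPIAccess policies above both scope access to one Apache Airflow default role through the role ARN, and the REST API note adds that aws:SourceVpc can narrow the grant further. The following generator is an added example written for this page (not AWS code or part of the documentation); it validates the Airflow role name, builds the role ARN, and emits both policies, attaching an aws:SourceVpc StringEquals condition to the REST API policy when a VPC ID is supplied. The account, environment and VPC values in the sample run are constructed placeholders.

```python
import json

# Apache Airflow default roles accepted in the {airflow-role} segment of the ARN.
AIRFLOW_DEFAULT_ROLES = ("Admin", "Op", "User", "Viewer", "Public")


def airflow_role_arn(region, account_id, environment_name, airflow_role):
    """Build the Resource ARN used by the web-server and REST API policies.
    The resource is an Airflow RBAC role inside the environment, not the
    environment ARN, so the role name is checked against the default roles."""
    if airflow_role not in AIRFLOW_DEFAULT_ROLES:
        raise ValueError(f"unknown Apache Airflow default role: {airflow_role!r}")
    if not account_id.isdigit():
        raise ValueError("account_id must be the numeric AWS account ID")
    return f"arn:aws:airflow:{region}:{account_id}:role/{environment_name}/{airflow_role}"


def web_server_policy(region, account_id, environment_name, airflow_role):
    """AmazonMWAAWebServerAccess: allow a web login token for one Airflow role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "airflow:CreateWebLoginToken",
            "Resource": [airflow_role_arn(region, account_id, environment_name, airflow_role)],
        }],
    }


def rest_api_policy(region, account_id, environment_name, airflow_role, source_vpc=None):
    """AmazonMWAARestAPIAccess: allow airflow:InvokeRestApi for one Airflow role.
    When source_vpc is given, add the aws:SourceVpc condition so the grant only
    applies to calls that reach the private web server through that VPC."""
    statement = {
        "Sid": "AllowMwaaRestApiAccess",
        "Effect": "Allow",
        "Action": "airflow:InvokeRestApi",
        "Resource": [airflow_role_arn(region, account_id, environment_name, airflow_role)],
    }
    if source_vpc is not None:
        statement["Condition"] = {"StringEquals": {"aws:SourceVpc": source_vpc}}
    return {"Version": "2012-10-17", "Statement": [statement]}


if __name__ == "__main__":
    # Constructed sample values; the account and VPC IDs are placeholders.
    print(json.dumps(rest_api_policy("us-east-1", "012345678901", "MyAirflowEnvironment",
                                     "Viewer", source_vpc="vpc-0123456789abcdef0"), indent=2))
```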

Apache Airflow CLI policy: AmazonMWAAAirflowCliAccess

A user may need access to the AmazonMWAAAirflowCliAccess permissions policy if they need to run Apache Airflow CLI commands (such as trigger_dag). It does not allow the user to view environments on the Amazon MWAA console or use the Amazon MWAA APIs to perform any actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["airflow:CreateCliToken"],
      "Resource": "arn:aws:airflow:${Region}:${Account}:environment/${EnvironmentName}"
    }
  ]
}

Creating a JSON policy

You can create the JSON policy, and attach the policy to your user, role, or group on the IAM console. The following steps describe how to create a JSON policy in IAM.

To create the JSON policy
  1. Open the Policies page on the IAM console.

  2. Choose Create policy.

  3. Choose the JSON tab.

  4. Add your JSON policy.

  5. Choose Review policy.

  6. Enter a value in the text field for Name and Description (optional).

    For example, you could name the policy AmazonMWAAReadOnlyAccess.

  7. Choose Create policy.

Example use case to attach policies to a developer group

Let's say you're using a group in IAM named AirflowDevelopmentGroup to apply permissions to all of the developers on your Apache Airflow development team. These users need access to the AmazonMWAAFullConsoleAccess, AmazonMWAAAirflowCliAccess, and AmazonMWAAWebServerAccess permission policies. This section describes how to create a group in IAM, create and attach these policies, and associate the group to an IAM user. The steps assume you're using an AWS owned key.

To create the AmazonMWAAFullConsoleAccess policy
  1. Download the AmazonMWAAFullConsoleAccess access policy.

  2. Open the Policies page on the IAM console.

  3. Choose Create policy.

  4. Choose the JSON tab.

  5. Paste the JSON policy for AmazonMWAAFullConsoleAccess.

  6. Substitute the following values:

    1. {your-account-id} (shown as YOUR_ACCOUNT_ID in the policy) – Your AWS account ID (such as 0123456789)

    2. {your-kms-id} (shown as YOUR_KMS_ID in the policy) – The unique identifier for a customer managed key, applicable only if you use a customer managed key for encryption at rest.

  7. Choose Review policy.

  8. Type AmazonMWAAFullConsoleAccess in Name.

  9. Choose Create policy.

To create the AmazonMWAAWebServerAccess policy
  1. Download the AmazonMWAAWebServerAccess access policy.

  2. Open the Policies page on the IAM console.

  3. Choose Create policy.

  4. Choose the JSON tab.

  5. Paste the JSON policy for AmazonMWAAWebServerAccess.

  6. Substitute the following values:

    1. {your-region} – the region of your Amazon MWAA environment (such as us-east-1)

    2. {your-account-id} (shown as YOUR_ACCOUNT_ID in the policy) – your AWS account ID (such as 0123456789)

    3. {your-environment-name} – your Amazon MWAA environment name (such as MyAirflowEnvironment)

    4. {airflow-role} – the Admin Apache Airflow Default Role

  7. Choose Review policy.

  8. Type AmazonMWAAWebServerAccess in Name.

  9. Choose Create policy.

To create the AmazonMWAAAirflowCliAccess policy
  1. Download the AmazonMWAAAirflowCliAccess access policy.

  2. Open the Policies page on the IAM console.

  3. Choose Create policy.

  4. Choose the JSON tab.

  5. Paste the JSON policy for AmazonMWAAAirflowCliAccess.

  6. Choose Review policy.

  7. Type AmazonMWAAAirflowCliAccess in Name.

  8. Choose Create policy.

To create the group
  1. Open the Groups page on the IAM console.

  2. Type AirflowDevelopmentGroup as the group name.

  3. Choose Next Step.

  4. Type AmazonMWAA to filter results in Filter.

  5. Select the three policies you created.

  6. Choose Next Step.

  7. Choose Create Group.

To associate the group with a user
  1. Open the Users page on the IAM console.

  2. Choose a user.

  3. Choose Groups.

  4. Choose Add user to groups.

  5. Select the AirflowDevelopmentGroup.

  6. Choose Add to Groups.

What's next?