Key considerations for migrating to a new MWAA environment
Learn more about key considerations, such as authentication and the Amazon MWAA execution role, as you plan to migrate your Apache Airflow workloads to Amazon MWAA.
Authentication
Amazon MWAA uses Amazon Identity and Access Management (IAM) to control access to the Apache Airflow UI. You must create and manage IAM policies that grant your Apache Airflow users permission to access the web server and manage DAGs.
You can manage both authentication and authorization for Apache Airflow's default roles
You can further manage and restrict Apache Airflow users to access only a subset of your workflow DAGs by creating custom Airflow roles and mapping them to your IAM principals. For more information and a step-by-step tutorial, see Tutorial: Restricting an Amazon MWAA user's access to a subset of DAGs.
You can also configure federated identities to access Amazon MWAA. For more information, see the following:
- Amazon MWAA environment with public access — Using Okta as an identity provider with Amazon MWAA on the Amazon Compute Blog.
- Amazon MWAA environment with private access — Accessing a private Amazon MWAA environment using federated identities.
Execution role
Amazon MWAA uses an execution role that grants your environment permission to access other Amazon services. You can give your workflows access to Amazon services by adding the relevant permissions to this role. If you choose the default option to create a new execution role when you first create the environment, Amazon MWAA attaches only the minimal permissions needed to the role, except in the case of CloudWatch Logs, for which Amazon MWAA adds all log groups automatically.
Once the execution role is created, Amazon MWAA cannot manage its permission policies on your behalf. To update the execution role, you must edit the policy to add and remove permissions as needed. For example, you can integrate your Amazon MWAA environment with Amazon Secrets Manager as a backend to securely store secrets and connection strings to use in your Apache Airflow workflows. To do so, attach the following permission policy to your environment's execution role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": "arn:aws:secretsmanager:us-west-2:012345678910:secret:*"
        },
        {
            "Effect": "Allow",
            "Action": "secretsmanager:ListSecrets",
            "Resource": "*"
        }
    ]
}
Integrating with other Amazon services follows a similar pattern: you add the relevant permission policy to your Amazon MWAA execution role, granting permission to Amazon MWAA to access the service. For more information about managing the Amazon MWAA execution role, and to see additional examples, visit Amazon MWAA execution role in the Amazon MWAA User Guide.
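Because Amazon MWAA does not manage the execution role's policies after creation, it is worth checking edits to that role before attaching them. The following is an added example, not code from the Amazon MWAA documentation: a small policy check that flags Allow statements granting secret-reading Secrets Manager actions on a wildcard or non-Secrets-Manager resource, run against the policy shown above (with its placeholder account id) and against a constructed over-broad variant. The function and constant names are the author's own.

```python
import fnmatch
import json

# The Secrets Manager policy from this page, embedded as sample input.
# The account id and Region are the page's placeholders; substitute your own.
MWAA_SECRETS_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow",
    "Action": [ "secretsmanager:GetResourcePolicy", "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret", "secretsmanager:ListSecretVersionIds" ],
    "Resource": "arn:aws:secretsmanager:us-west-2:012345678910:secret:*" },
  { "Effect": "Allow", "Action": "secretsmanager:ListSecrets", "Resource": "*" } ] }
""")

# Constructed counter-example: the same grant widened to every resource.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}

# Actions that return secret material or its resource policy; these are the ones
# worth scoping to a secret ARN (or ARN prefix) on an execution role.
# ListSecrets only returns metadata, so a "*" resource on it is not flagged.
SENSITIVE_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:GetResourcePolicy"}

def _as_list(value):
    # IAM allows a string or a list for Action and Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def _action_grants(pattern, action):
    # IAM action names are matched case-insensitively, with "*" as a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def find_broad_secret_grants(policy, allowed_prefix="arn:aws:secretsmanager:"):
    """Return (statement index, sorted sensitive actions, resource) for each Allow
    statement that grants a sensitive action on "*" or on a resource outside
    Secrets Manager. An empty list means the policy passes this check."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        hits = {s for s in SENSITIVE_ACTIONS for a in actions if _action_grants(a, s)}
        if not hits:
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" or not resource.startswith(allowed_prefix):
                findings.append((i, sorted(hits), resource))
    return findings
```

This is a pre-attach sanity check on the policy document only; it does not evaluate resource policies, permission boundaries or SCPs, so it complements rather than replaces IAM Access Analyzer.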