Accessing an Amazon MWAA environment
To use Amazon Managed Workflows for Apache Airflow, you must use an account, and IAM entities with the necessary permissions. This topic describes the access policies you can attach to your Apache Airflow development team and Apache Airflow users for your Amazon Managed Workflows for Apache Airflow environment.
We recommend using temporary credentials and configuring federated identities with groups and roles, to access your Amazon MWAA resources. As a best practice, avoid attaching policies directly to your IAM users, and instead define groups or roles to provide temporary access to Amazon resources.
An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user in that it is an Amazon identity with permissions policies that determine what the identity can and cannot do in Amazon. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.
To assign permissions to a federated identity, you create a role and define permissions for the role. When a federated identity authenticates, the identity is associated with the role and is granted the permissions that are defined by the role. For information about roles for federation, see Create a role for a third-party identity provider (federation) in the IAM User Guide.
You can use an IAM role in your account to grant another Amazon Web Services account permissions to access your account's resources. For an example, see Tutorial: Delegate access across Amazon Web Services accounts using IAM roles in the IAM User Guide.
Sections
- How it works
- Full console access policy: AmazonMWAAFullConsoleAccess
- Full API and console access policy: AmazonMWAAFullApiAccess
- Read-only console access policy: AmazonMWAAReadOnlyAccess
- Apache Airflow UI access policy: AmazonMWAAWebServerAccess
- Apache Airflow Rest API access policy: AmazonMWAARestAPIAccess
- Apache Airflow CLI policy: AmazonMWAAAirflowCliAccess
- Creating a JSON policy
- Example use case to attach policies to a developer group
- What's next?
How it works
The resources and services used in an Amazon MWAA environment are not accessible to all Amazon Identity and Access Management (IAM) entities. You must create a policy that grants Apache Airflow users permission to access these resources. For example, you need to grant access to your Apache Airflow development team.
Amazon MWAA uses these policies to validate whether a user has the permissions needed to perform an action on the Amazon console or via the APIs used by an environment.
You can use the JSON policies in this topic to create a policy for your Apache Airflow users in IAM, and then attach the policy to a user, group, or role in IAM.
- AmazonMWAAFullConsoleAccess – Use this policy to grant permission to configure an environment on the Amazon MWAA console.
- AmazonMWAAFullApiAccess – Use this policy to grant access to all Amazon MWAA APIs used to manage an environment.
- AmazonMWAAReadOnlyAccess – Use this policy to grant access to view the resources used by an environment on the Amazon MWAA console.
- AmazonMWAAWebServerAccess – Use this policy to grant access to the Apache Airflow web server.
- AmazonMWAAAirflowCliAccess – Use this policy to grant access to run Apache Airflow CLI commands.
To provide access, add permissions to your users, groups, or roles:
- Users managed in IAM through an identity provider: Create a role for identity federation. Follow the instructions in Create a role for a third-party identity provider (federation) in the IAM User Guide.
- IAM users:
  - Create a role that your user can assume. Follow the instructions in Create a role for an IAM user in the IAM User Guide.
  - (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in Adding permissions to a user (console) in the IAM User Guide.
Full console access policy: AmazonMWAAFullConsoleAccess
A user may need access to the AmazonMWAAFullConsoleAccess permissions policy if they need to configure an environment on the Amazon MWAA console.
Note
Your full console access policy must include permissions to perform iam:PassRole. This allows the user to pass service-linked roles, and execution roles, to Amazon MWAA. Amazon MWAA assumes each role in order to call other Amazon services on your behalf. The following example uses the iam:PassedToService condition key to specify the Amazon MWAA service principal (airflow.amazonaws.com) as the service to which a role can be passed. For more information about iam:PassRole, see Granting a user permissions to pass a role to an Amazon service in the IAM User Guide.
Use the following policy if you want to create and manage your Amazon MWAA environments using an Amazon owned key for encryption at rest.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "airflow:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "airflow.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["iam:ListRoles"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreatePolicy"],
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:policy/service-role/MWAA-Execution-Policy*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:AttachRolePolicy", "iam:CreateRole"],
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/service-role/AmazonMWAA*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:CreateBucket", "s3:PutObject", "s3:GetEncryptionConfiguration"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup"],
      "Resource": "arn:aws:ec2:*:*:security-group/airflow-security-group-*"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:ListAliases"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:*:*:vpc-endpoint/*",
        "arn:aws:ec2:*:*:vpc/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterface"],
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ]
    }
  ]
}
Use the following policy if you want to create and manage your Amazon MWAA environments using a customer managed key for encryption at rest. To use a customer managed key, the IAM principal must have permission to access Amazon KMS resources using the key stored in your account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "airflow:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "airflow.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["iam:ListRoles"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreatePolicy"],
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:policy/service-role/MWAA-Execution-Policy*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:AttachRolePolicy", "iam:CreateRole"],
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/service-role/AmazonMWAA*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:CreateBucket", "s3:PutObject", "s3:GetEncryptionConfiguration"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup"],
      "Resource": "arn:aws:ec2:*:*:security-group/airflow-security-group-*"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:ListAliases"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:ListGrants",
        "kms:CreateGrant",
        "kms:RevokeGrant",
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*"
      ],
      "Resource": "arn:aws:kms:*:YOUR_ACCOUNT_ID:key/YOUR_KMS_ID"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:*:*:vpc-endpoint/*",
        "arn:aws:ec2:*:*:vpc/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterface"],
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ]
    }
  ]
}
Full API and console access policy: AmazonMWAAFullApiAccess
A user may need access to the AmazonMWAAFullApiAccess permissions policy if they need access to all Amazon MWAA APIs used to manage an environment. It does not grant permissions to access the Apache Airflow UI.
Note
A full API access policy must include permissions to perform iam:PassRole. This allows the user to pass service-linked roles, and execution roles, to Amazon MWAA. Amazon MWAA assumes each role in order to call other Amazon services on your behalf. The following example uses the iam:PassedToService condition key to specify the Amazon MWAA service principal (airflow.amazonaws.com) as the service to which a role can be passed. For more information about iam:PassRole, see Granting a user permissions to pass a role to an Amazon service in the IAM User Guide.
Use the following policy if you want to create and manage your Amazon MWAA environments using an Amazon owned key for encryption at rest.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "airflow:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "airflow.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetEncryptionConfiguration"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:*:*:vpc-endpoint/*",
        "arn:aws:ec2:*:*:vpc/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterface"],
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ]
    }
  ]
}
Use the following policy if you want to create and manage your Amazon MWAA environments using a customer managed key for encryption at rest. To use a customer managed key, the IAM principal must have permission to access Amazon KMS resources using the key stored in your account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "airflow:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "airflow.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:ListGrants",
        "kms:CreateGrant",
        "kms:RevokeGrant",
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*"
      ],
      "Resource": "arn:aws:kms:*:YOUR_ACCOUNT_ID:key/YOUR_KMS_ID"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetEncryptionConfiguration"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:*:*:vpc-endpoint/*",
        "arn:aws:ec2:*:*:vpc/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterface"],
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ]
    }
  ]
}
Read-only console access policy: AmazonMWAAReadOnlyAccess
A user may need access to the AmazonMWAAReadOnlyAccess permissions policy if they need to view the resources used by an environment on the Amazon MWAA console environment details page. It doesn't allow a user to create new environments, edit existing environments, or view the Apache Airflow UI.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "airflow:ListEnvironments",
        "airflow:GetEnvironment",
        "airflow:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
Apache Airflow UI access policy: AmazonMWAAWebServerAccess
A user may need access to the AmazonMWAAWebServerAccess permissions policy if they need to access the Apache Airflow UI. It does not allow the user to view environments on the Amazon MWAA console or use the Amazon MWAA APIs to perform any actions. Specify the Admin, Op, User, Viewer, or Public role in {airflow-role} to customize the level of access for the user of the web token. For more information, see Default Roles.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "airflow:CreateWebLoginToken",
      "Resource": [
        "arn:aws:airflow:{your-region}:YOUR_ACCOUNT_ID:role/{your-environment-name}/{airflow-role}"
      ]
    }
  ]
}
Note
- Amazon MWAA provides IAM integration with the five default Apache Airflow role-based access control (RBAC) roles. For more information on working with custom Apache Airflow roles, see Tutorial: Restricting an Amazon MWAA user's access to a subset of DAGs.
- The Resource field in this policy could be used to specify the Apache Airflow role-based access control roles for the Amazon MWAA environment. However, it does not support the Amazon MWAA environment ARN (Amazon Resource Name) in the Resource field of the policy.
Apache Airflow Rest API access policy: AmazonMWAARestAPIAccess
To access the Apache Airflow REST API, you must grant the airflow:InvokeRestApi permission in your IAM policy. In the following policy sample, specify the Admin, Op, User, Viewer, or Public role in {airflow-role} to customize the level of user access. For more information, see Default Roles.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowMwaaRestApiAccess",
      "Effect": "Allow",
      "Action": "airflow:InvokeRestApi",
      "Resource": [
        "arn:aws:airflow:{your-region}:YOUR_ACCOUNT_ID:role/{your-environment-name}/{airflow-role}"
      ]
    }
  ]
}
Note
- While configuring a private web server, the InvokeRestApi action cannot be invoked from outside of a Virtual Private Cloud (VPC). You can use the aws:SourceVpc key to apply more granular access control for this operation. For more information, see aws:SourceVpc.
- The Resource field in this policy could be used to specify the Apache Airflow role-based access control roles for the Amazon MWAA environment. However, it does not support the Amazon MWAA environment ARN (Amazon Resource Name) in the Resource field of the policy.
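The two notes above and the iam:PassRole notes in the full-access sections describe checks that are easy to get wrong by hand. As an added example (not part of the Amazon MWAA documentation), the following Python linter applies them to a policy document: it requires every iam:PassRole grant to carry an iam:PassedToService condition naming airflow.amazonaws.com, and requires airflow:CreateWebLoginToken and airflow:InvokeRestApi statements to name a role ARN whose last segment is one of the five default roles rather than the environment ARN. The sample policies, region, account ID and environment name are constructed.

```python
import re

# Constructed: the five default Airflow RBAC roles allowed in {airflow-role}.
DEFAULT_AIRFLOW_ROLES = {"Admin", "Op", "User", "Viewer", "Public"}
MWAA_SERVICE_PRINCIPAL = "airflow.amazonaws.com"
TOKEN_ACTIONS = {"airflow:CreateWebLoginToken", "airflow:InvokeRestApi"}
# arn:aws:airflow:{region}:{account}:role/{environment-name}/{airflow-role}
ROLE_ARN_RE = re.compile(r"^arn:aws:airflow:[^:]+:\d{12}:role/[^/]+/([^/]+)$")


def _as_list(value):
    # IAM accepts either a string or a list for Action, Resource and conditions.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list[str]:
    """Return findings for the MWAA-specific checks; an empty list means clean."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        # 1. iam:PassRole (or a wildcard covering it) must be limited to the MWAA
        #    service principal, or the user can hand any role to any service.
        if any(a.lower() in ("iam:passrole", "iam:*", "*") for a in actions):
            cond = stmt.get("Condition", {})
            passed_to = []
            for op in ("StringEquals", "StringLike"):
                passed_to += _as_list(cond.get(op, {}).get("iam:PassedToService"))
            if MWAA_SERVICE_PRINCIPAL not in passed_to:
                findings.append(f"Statement {idx}: iam:PassRole is not limited via "
                                f"iam:PassedToService to {MWAA_SERVICE_PRINCIPAL}")
        # 2. Token statements are scoped by an Airflow role ARN, never by the
        #    environment ARN, and the role segment should be a default role.
        if TOKEN_ACTIONS & set(actions):
            for res in _as_list(stmt.get("Resource")):
                m = ROLE_ARN_RE.match(res)
                if not m:
                    findings.append(f"Statement {idx}: {res!r} is not a role ARN")
                elif m.group(1) not in DEFAULT_AIRFLOW_ROLES:
                    findings.append(f"Statement {idx}: unknown Airflow role {m.group(1)!r}")
    return findings


# Constructed sample: the page's scoped PassRole plus a Viewer web server policy.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
     "Condition": {"StringLike": {"iam:PassedToService": MWAA_SERVICE_PRINCIPAL}}},
    {"Effect": "Allow", "Action": "airflow:CreateWebLoginToken",
     "Resource": ["arn:aws:airflow:us-east-1:123456789012:role/MyAirflowEnvironment/Viewer"]},
]}
# Constructed sample with two common mistakes: an unconditioned PassRole, and a
# REST API statement that names the environment ARN instead of a role ARN.
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": "airflow:InvokeRestApi",
     "Resource": "arn:aws:airflow:us-east-1:123456789012:environment/MyAirflowEnvironment"},
]}
```

Calling lint_policy(GOOD_POLICY) returns no findings, while lint_policy(BAD_POLICY) reports both the unconditioned PassRole and the environment ARN.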
Apache Airflow CLI policy: AmazonMWAAAirflowCliAccess
A user may need access to the AmazonMWAAAirflowCliAccess permissions policy if they need to run Apache Airflow CLI commands (such as trigger_dag). It does not allow the user to view environments on the Amazon MWAA console or use the Amazon MWAA APIs to perform any actions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["airflow:CreateCliToken"],
      "Resource": "arn:aws:airflow:${Region}:${Account}:environment/${EnvironmentName}"
    }
  ]
}
Creating a JSON policy
You can create the JSON policy, and attach the policy to your user, role, or group on the IAM console. The following steps describe how to create a JSON policy in IAM.
To create the JSON policy
- Open the Policies page on the IAM console.
- Choose Create policy.
- Choose the JSON tab.
- Add your JSON policy.
- Choose Review policy.
- Enter a value in the text field for Name and Description (optional). For example, you could name the policy AmazonMWAAReadOnlyAccess.
- Choose Create policy.
Example use case to attach policies to a developer group
Let's say you're using a group in IAM named AirflowDevelopmentGroup to apply permissions to all of the developers on your Apache Airflow development team. These users need access to the AmazonMWAAFullConsoleAccess, AmazonMWAAAirflowCliAccess, and AmazonMWAAWebServerAccess permission policies. This section describes how to create a group in IAM, create and attach these policies, and associate the group to an IAM user. The steps assume you're using an Amazon owned key.
To create the AmazonMWAAFullConsoleAccess policy
- Download the AmazonMWAAFullConsoleAccess access policy.
- Open the Policies page on the IAM console.
- Choose Create policy.
- Choose the JSON tab.
- Paste the JSON policy for AmazonMWAAFullConsoleAccess.
- Substitute the following values:
  - {your-account-id} – Your Amazon account ID (such as 0123456789)
  - {your-kms-id} – The unique identifier for a customer managed key, applicable only if you use a customer managed key for encryption at rest.
- Choose Review policy.
- Type AmazonMWAAFullConsoleAccess in Name.
- Choose Create policy.
To create the AmazonMWAAWebServerAccess policy
- Download the AmazonMWAAWebServerAccess access policy.
- Open the Policies page on the IAM console.
- Choose Create policy.
- Choose the JSON tab.
- Paste the JSON policy for AmazonMWAAWebServerAccess.
- Substitute the following values:
  - {your-region} – the region of your Amazon MWAA environment (such as us-east-1)
  - {your-account-id} – your Amazon account ID (such as 0123456789)
  - {your-environment-name} – your Amazon MWAA environment name (such as MyAirflowEnvironment)
  - {airflow-role} – the Admin Apache Airflow Default Role
- Choose Review policy.
- Type AmazonMWAAWebServerAccess in Name.
- Choose Create policy.
To create the AmazonMWAAAirflowCliAccess policy
- Download the AmazonMWAAAirflowCliAccess access policy.
- Open the Policies page on the IAM console.
- Choose Create policy.
- Choose the JSON tab.
- Paste the JSON policy for AmazonMWAAAirflowCliAccess.
- Choose Review policy.
- Type AmazonMWAAAirflowCliAccess in Name.
- Choose Create policy.
To create the group
- Open the Groups page on the IAM console.
- Type a name of AirflowDevelopmentGroup.
- Choose Next Step.
- Type AmazonMWAA to filter results in Filter.
- Select the three policies you created.
- Choose Next Step.
- Choose Create Group.
To associate to a user
- Open the Users page on the IAM console.
- Choose a user.
- Choose Groups.
- Choose Add user to groups.
- Select the AirflowDevelopmentGroup.
- Choose Add to Groups.
What's next?
- Learn how to generate a token to access the Apache Airflow UI in Accessing Apache Airflow.
- Learn more about creating IAM policies in Creating IAM policies.