# Accessing an Amazon MWAA environment
<a name="access-policies"></a>

To use Amazon Managed Workflows for Apache Airflow, you must use an account and IAM entities with the necessary permissions. This topic describes the access policies you can attach to your Apache Airflow development team and Apache Airflow users for your Amazon Managed Workflows for Apache Airflow environment.

We recommend using temporary credentials and configuring federated identities with groups and roles to access your Amazon MWAA resources. As a best practice, avoid attaching policies directly to your IAM users. Instead, define groups or roles to provide temporary access to Amazon resources.

 An [IAM role](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles.html) is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user in that it is an Amazon identity with permissions policies that determine what the identity can and cannot do in Amazon. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. 

 To assign permissions to a federated identity, you create a role and define permissions for the role. When a federated identity authenticates, the identity is associated with the role and is granted the permissions that are defined by the role. For information about roles for federation, see [ Create a role for a third-party identity provider (federation)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*. 

 You can use an IAM role in your account to grant another Amazon Web Services account permissions to access your account's resources. For an example, see [IAM tutorial: Delegate access across Amazon Web Services accounts using IAM roles](https://docs.amazonaws.cn/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html) in the *IAM User Guide*. 

**Topics**
+ [How it works](#access-policies-how)
+ [Full console access policy: AmazonMWAAFullConsoleAccess](#console-full-access)
+ [Full API and console access policy: AmazonMWAAFullApiAccess](#full-access-policy)
+ [Read-only console access policy: AmazonMWAAReadOnlyAccess](#mwaa-read-only)
+ [Apache Airflow UI access policy: AmazonMWAAWebServerAccess](#web-ui-access)
+ [Apache Airflow REST API access policy: AmazonMWAARestAPIAccess](#rest-api-access)
+ [Apache Airflow CLI policy: AmazonMWAAAirflowCliAccess](#cli-access)
+ [Creating a JSON policy](#access-policy-iam-console-create)
+ [Example use case to attach policies to a developer group](#access-policy-use-case)
+ [What's next?](#access-policy-next-up)

## How it works
<a name="access-policies-how"></a>

The resources and services used in an Amazon MWAA environment are not accessible to all Amazon Identity and Access Management (IAM) entities. You must create a policy that grants Apache Airflow users permission to access these resources. For example, you need to grant access to your Apache Airflow development team.

Amazon MWAA uses these policies to validate whether a user has the permissions needed to perform an action on the Amazon console or through the APIs used by an environment.

You can use the JSON policies in this topic to create a policy for your Apache Airflow users in IAM, and then attach the policy to a user, group, or role in IAM.
+ [AmazonMWAAFullConsoleAccess](#console-full-access) – Use this policy to grant permission to configure an environment on the Amazon MWAA console.
+ [AmazonMWAAFullApiAccess](#full-access-policy) – Use this policy to grant access to all Amazon MWAA APIs used to manage an environment.
+ [AmazonMWAAReadOnlyAccess](#mwaa-read-only) – Use this policy to grant read-only access to the resources used by an environment on the Amazon MWAA console.
+ [AmazonMWAAWebServerAccess](#web-ui-access) – Use this policy to grant access to the Apache Airflow webserver (the Apache Airflow UI).
+ [AmazonMWAARestAPIAccess](#rest-api-access) – Use this policy to grant access to the Apache Airflow REST API.
+ [AmazonMWAAAirflowCliAccess](#cli-access) – Use this policy to grant access to run Apache Airflow CLI commands.

To provide access, add permissions to your users, groups, or roles:
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

## Full console access policy: AmazonMWAAFullConsoleAccess
<a name="console-full-access"></a>

A user might need access to the `AmazonMWAAFullConsoleAccess` permissions policy if they need to configure an environment on the Amazon MWAA console.

**Note**  
Your full console access policy must include permissions to perform `iam:PassRole`. This allows the user to pass [service-linked roles](mwaa-slr.md), and [execution roles](mwaa-create-role.md), to Amazon MWAA. Amazon MWAA assumes each role to call other Amazon services on your behalf. The following example uses the `iam:PassedToService` condition key to specify the Amazon MWAA service principal (`airflow.amazonaws.com`) as the service to which a role can be passed.  
For more information about `iam:PassRole`, refer to [Granting a user permissions to pass a role to an Amazon service](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_use_passrole.html) in the *IAM User Guide*.

Use the following policy if you want to create and manage your Amazon MWAA environments using an [Amazon owned key](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#aws-owned-cmk) for [encryption at-rest](encryption.md#encryption-at-rest).

### Using an Amazon owned key
<a name="collapsible-full-console-access-aws-owned-key"></a>

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "airflow:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "airflow.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreatePolicy"
            ],
            "Resource": "arn:aws-cn:iam::111122223333:policy/service-role/MWAA-Execution-Policy*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreateRole"
            ],
            "Resource": "arn:aws-cn:iam::111122223333:role/service-role/AmazonMWAA*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws-cn:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:ListBucketVersions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": "arn:aws-cn:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeRouteTables"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup"
            ],
            "Resource": "arn:aws-cn:ec2:*:*:security-group/airflow-security-group-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:ListAliases"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:CreateVpcEndpoint",
            "Resource": [
                "arn:aws-cn:ec2:*:*:vpc-endpoint/*",
                "arn:aws-cn:ec2:*:*:vpc/*",
                "arn:aws-cn:ec2:*:*:subnet/*",
                "arn:aws-cn:ec2:*:*:security-group/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws-cn:ec2:*:*:subnet/*",
                "arn:aws-cn:ec2:*:*:network-interface/*"
            ]
        }
    ]
}
```

------

Use the following policy if you want to create and manage your Amazon MWAA environments using a [customer managed key](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#customer-cmk) for encryption at-rest. To use a customer managed key, the IAM principal must have permission to use that key, stored in your account, through Amazon KMS.

### Using a customer managed key
<a name="collapsible-full-console-access-cust-key"></a>

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "airflow:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "airflow.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreatePolicy"
            ],
            "Resource": "arn:aws-cn:iam::111122223333:policy/service-role/MWAA-Execution-Policy*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreateRole"
            ],
            "Resource": "arn:aws-cn:iam::111122223333:role/service-role/AmazonMWAA*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws-cn:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:ListBucketVersions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": "arn:aws-cn:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeRouteTables"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup"
            ],
            "Resource": "arn:aws-cn:ec2:*:*:security-group/airflow-security-group-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:ListAliases"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:ListGrants",
                "kms:CreateGrant",
                "kms:RevokeGrant",
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey*",
                "kms:ReEncrypt*"
            ],
            "Resource": "arn:aws-cn:kms:*:111122223333:key/YOUR_KMS_ID"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:CreateVpcEndpoint",
            "Resource": [
                "arn:aws-cn:ec2:*:*:vpc-endpoint/*",
                "arn:aws-cn:ec2:*:*:vpc/*",
                "arn:aws-cn:ec2:*:*:subnet/*",
                "arn:aws-cn:ec2:*:*:security-group/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws-cn:ec2:*:*:subnet/*",
                "arn:aws-cn:ec2:*:*:network-interface/*"
            ]
        }
    ]
}
```

------

## Full API and console access policy: AmazonMWAAFullApiAccess
<a name="full-access-policy"></a>

A user might need access to the `AmazonMWAAFullApiAccess` permissions policy if they need access to all Amazon MWAA APIs used to manage an environment. It does not grant permissions to access the Apache Airflow UI.

**Note**  
A full API access policy must include permissions to perform `iam:PassRole`. This allows the user to pass [service-linked roles](mwaa-slr.md), and [execution roles](mwaa-create-role.md), to Amazon MWAA. Amazon MWAA assumes each role to call other Amazon services on your behalf. The following example uses the `iam:PassedToService` condition key to specify the Amazon MWAA service principal (`airflow.amazonaws.com`) as the service to which a role can be passed.  
For more information about `iam:PassRole`, refer to [Granting a user permissions to pass a role to an Amazon service](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_use_passrole.html) in the *IAM User Guide*.

Use the following policy if you want to create and manage your Amazon MWAA environments using an Amazon owned key for encryption at-rest.

### Using an Amazon owned key
<a name="collapsible-full-api-access-cust-key"></a>

------
#### [ JSON ]


```
{
   "Version": "2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"airflow:*",
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "iam:PassRole"
         ],
         "Resource":"*",
         "Condition":{
            "StringLike":{
               "iam:PassedToService":"airflow.amazonaws.com"
            }
         }
      },
      {
         "Effect":"Allow",
         "Action":[
            "iam:CreateServiceLinkedRole"
         ],
         "Resource":"arn:aws-cn:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
      },
      {
         "Effect":"Allow",
         "Action":[
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSubnets",
            "ec2:DescribeVpcs",
            "ec2:DescribeRouteTables"
         ],
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:GetEncryptionConfiguration"
         ],
         "Resource":"arn:aws-cn:s3:::*"
      },
      {
         "Effect":"Allow",
         "Action":"ec2:CreateVpcEndpoint",
         "Resource":[
            "arn:aws-cn:ec2:*:*:vpc-endpoint/*",
            "arn:aws-cn:ec2:*:*:vpc/*",
            "arn:aws-cn:ec2:*:*:subnet/*",
            "arn:aws-cn:ec2:*:*:security-group/*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "ec2:CreateNetworkInterface"
         ],
         "Resource":[
            "arn:aws-cn:ec2:*:*:subnet/*",
            "arn:aws-cn:ec2:*:*:network-interface/*"
         ]
      }
   ]
}
```

------

Use the following policy if you want to create and manage your Amazon MWAA environments using a customer managed key for encryption at-rest. To use a customer managed key, the IAM principal must have permission to use that key, stored in your account, through Amazon KMS.

### Using a customer managed key
<a name="collapsible-full-api-access-cust-key"></a>

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "airflow:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": "airflow.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws-cn:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeRouteTables"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:ListGrants",
                "kms:CreateGrant",
                "kms:RevokeGrant",
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey*",
                "kms:ReEncrypt*"
            ],
            "Resource": "arn:aws-cn:kms:*:111122223333:key/YOUR_KMS_ID"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetEncryptionConfiguration"
            ],
            "Resource": "arn:aws-cn:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:CreateVpcEndpoint",
            "Resource": [
                "arn:aws-cn:ec2:*:*:vpc-endpoint/*",
                "arn:aws-cn:ec2:*:*:vpc/*",
                "arn:aws-cn:ec2:*:*:subnet/*",
                "arn:aws-cn:ec2:*:*:security-group/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws-cn:ec2:*:*:subnet/*",
                "arn:aws-cn:ec2:*:*:network-interface/*"
            ]
        }
    ]
}
```

------

## Read-only console access policy: AmazonMWAAReadOnlyAccess
<a name="mwaa-read-only"></a>

A user might need access to the `AmazonMWAAReadOnlyAccess` permissions policy if they need to access the resources used by an environment on the Amazon MWAA console environment details page. It doesn't allow a user to create new environments, edit existing environments, or allow a user to access the Apache Airflow UI.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "airflow:ListEnvironments",
                "airflow:GetEnvironment",
                "airflow:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## Apache Airflow UI access policy: AmazonMWAAWebServerAccess
<a name="web-ui-access"></a>

A user might need access to the `AmazonMWAAWebServerAccess` permissions policy if they need to access the Apache Airflow UI. It does not allow the user to access environments on the Amazon MWAA console or use the Amazon MWAA APIs to perform any actions. Specify the `Admin`, `Op`, `User`, `Viewer` or the `Public` role in `{airflow-role}` to customize the level of access for the user of the web token. For more information, refer to [Default Roles](https://airflow.apache.org/docs/apache-airflow/1.10.6/security.html?highlight=ldap#default-roles) in the *Apache Airflow reference guide*.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "airflow:CreateWebLoginToken",
            "Resource": [
                "arn:aws-cn:airflow:us-east-1:111122223333:role/{your-environment-name}/{airflow-role}"
            ]
        }
    ]
}
```

------

**Note**  
Amazon MWAA provides IAM integration with the five [default Apache Airflow role-based access control (RBAC) roles](https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html?highlight=roles). For more information about working with custom Apache Airflow roles, refer to [Tutorial: Restricting an Amazon MWAA user's access to a subset of DAGs](limit-access-to-dags.md).
The `Resource` field in this policy can be used to specify the Apache Airflow role-based access control roles for the Amazon MWAA environment. However, it does not support the Amazon MWAA environment ARN (Amazon Resource Name) in the `Resource` field of the policy.


## Apache Airflow REST API access policy: AmazonMWAARestAPIAccess
<a name="rest-api-access"></a>

To access the Apache Airflow REST API, you must grant the `airflow:InvokeRestApi` permission in your IAM policy. In the following policy sample, specify the `Admin`, `Op`, `User`, `Viewer` or the `Public` role in `{airflow-role}` to customize the level of user access. For more information, refer to [Default Roles](https://airflow.apache.org/docs/apache-airflow/1.10.6/security.html?highlight=ldap#default-roles) in the *Apache Airflow reference guide*.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowMwaaRestApiAccess",
            "Effect": "Allow",
            "Action": "airflow:InvokeRestApi",
            "Resource": [
                "arn:aws-cn:airflow:us-east-1:111122223333:role/{your-environment-name}/{airflow-role}"
            ]
        }
    ]
}
```

------

**Note**  
When the environment is configured with a private webserver, the `InvokeRestApi` action cannot be invoked from outside the environment's Virtual Private Cloud (VPC). You can use the `aws:SourceVpc` condition key to apply more granular access control to this operation. For more information, refer to [aws:SourceVpc](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcevpc) in the *IAM User Guide*.
The `Resource` field in this policy can be used to specify the Apache Airflow role-based access control roles for the Amazon MWAA environment. However, it does not support the Amazon MWAA environment ARN (Amazon Resource Name) in the `Resource` field of the policy.

## Apache Airflow CLI policy: AmazonMWAAAirflowCliAccess
<a name="cli-access"></a>

A user might need access to the `AmazonMWAAAirflowCliAccess` permissions policy if they need to run Apache Airflow CLI commands (such as `trigger_dag`). It does not allow the user to access environments on the Amazon MWAA console or use the Amazon MWAA APIs to perform any actions.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "airflow:CreateCliToken"
            ],
            "Resource": "arn:aws-cn:airflow:us-east-1:111122223333:environment/${EnvironmentName}"
        }
    ]
}
```

------

## Creating a JSON policy
<a name="access-policy-iam-console-create"></a>

You can create the JSON policy, and attach the policy to your user, role, or group on the IAM console. The following steps describe how to create a JSON policy in IAM.

**To create the JSON policy**

1. Open the [Policies page](https://console.amazonaws.cn/iam/home#/policies) on the IAM console.

1. Choose **Create policy**.

1. Choose the **JSON** tab.

1. Add your JSON policy.

1. Choose **Review policy**.

1. Enter a value in the text field for **Name** and **Description** (optional).

   For example, you can name the policy `AmazonMWAAReadOnlyAccess`.

1. Choose **Create policy**.

## Example use case to attach policies to a developer group
<a name="access-policy-use-case"></a>

Let's say you're using a group in IAM named `AirflowDevelopmentGroup` to apply permissions to all of the developers on your Apache Airflow development team. These users need access to the `AmazonMWAAFullConsoleAccess`, `AmazonMWAAAirflowCliAccess`, and `AmazonMWAAWebServerAccess` permission policies. This section describes how to create a group in IAM, create and attach these policies, and associate the group to an IAM user. The steps assume you're using an [Amazon-owned key](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#aws-owned-cmk).

**To create the AmazonMWAAFullConsoleAccess policy**

1. Download the [AmazonMWAAFullConsoleAccess access policy](./samples/AmazonMWAAFullConsoleAccess.zip).

1. Open the [Policies page](https://console.amazonaws.cn/iam/home#/policies) on the IAM console.

1. Choose **Create policy**.

1. Choose the **JSON** tab.

1. Paste the JSON policy for `AmazonMWAAFullConsoleAccess`.

1. Substitute the following values:

   1. *123456789012* – Your Amazon Web Services account ID (such as `0123456789`)

   1. *{your-kms-id}* (`YOUR_KMS_ID` in the sample policy) – The unique identifier of your customer managed key; applies only if you use a customer managed key for encryption at-rest.

1. Choose **Review policy**.

1. Type `AmazonMWAAFullConsoleAccess` in **Name**.

1. Choose **Create policy**.

**To create the AmazonMWAAWebServerAccess policy**

1. Download the [AmazonMWAAWebServerAccess access policy](./samples/AmazonMWAAWebServerAccess.zip).

1. Open the [Policies page](https://console.amazonaws.cn/iam/home#/policies) on the IAM console.

1. Choose **Create policy**.

1. Choose the **JSON** tab.

1. Paste the JSON policy for `AmazonMWAAWebServerAccess`.

1. Substitute the following values:

   1. *us-east-1* – the region of your Amazon MWAA environment (such as `us-east-1`)

   1. *123456789012* – your Amazon Web Services account ID (such as `0123456789`)

   1. *{your-environment-name}* – your Amazon MWAA environment name (such as `MyAirflowEnvironment`)

   1. *{airflow-role}* – the `Admin` Apache Airflow [Default Role](https://airflow.apache.org/docs/apache-airflow/1.10.6/security.html?highlight=ldap#default-roles)

1. Choose **Review policy**.

1. Type `AmazonMWAAWebServerAccess` in **Name**.

1. Choose **Create policy**.

**To create the AmazonMWAAAirflowCliAccess policy**

1. Download the [AmazonMWAAAirflowCliAccess access policy](./samples/AmazonMWAAAirflowCliAccess.zip).

1. Open the [Policies page](https://console.amazonaws.cn/iam/home#/policies) on the IAM console.

1. Choose **Create policy**.

1. Choose the **JSON** tab.

1. Paste the JSON policy for `AmazonMWAAAirflowCliAccess`.

1. Choose **Review policy**.

1. Type `AmazonMWAAAirflowCliAccess` in **Name**.

1. Choose **Create policy**.

**To create the group**

1. Open the [Groups page](https://console.amazonaws.cn/iam/home#/groups) on the IAM console.

1. Enter a name of `AirflowDevelopmentGroup`.

1. Choose **Next Step**.

1. Type `AmazonMWAA` to filter results in **Filter**.

1. Select the three policies you created.

1. Choose **Next Step**.

1. Choose **Create Group**.

**To associate to a user**

1. Open the [Users page](https://console.amazonaws.cn/iam/home#/users) on the IAM console.

1. Choose a user.

1. Choose **Groups**.

1. Choose **Add user to groups**.

1. Select the **AirflowDevelopmentGroup**.

1. Choose **Add to Groups**.
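The console steps above (substitute the placeholder values, create each policy, attach it to the group) can also be scripted, and scripting gives you a place to check the two points this page's notes stress: `iam:PassRole` must carry the `iam:PassedToService` condition, and the web-login and REST API token actions take an Apache Airflow role ARN, never the environment ARN. The following script is an added example written for this page; it is not Amazon's tooling and not part of the original. The helper names, the constructed sample documents (a copy of the `AmazonMWAAWebServerAccess` policy and a deliberately unscoped `iam:PassRole` statement), the placeholder VPC id, and the boto3 wrapper are the editor's assumptions. It also shows how to add the `aws:SourceVpc` condition mentioned in the REST API note.

```python
"""Render, lint and optionally create the Amazon MWAA access policies from
this page.  Added example, not Amazon's tooling: helper names, constructed
samples and the boto3 wrapper are the editor's own assumptions.
"""
import json
import re

# Placeholder values exactly as they appear in the page's sample policies.
PLACEHOLDERS = {
    "account_id": "111122223333",
    "region": "us-east-1",
    "environment_name": "{your-environment-name}",
    "airflow_role": "{airflow-role}",
    "kms_key_id": "YOUR_KMS_ID",
}
ENV_NAME_TOKEN = "${EnvironmentName}"  # form used by AmazonMWAAAirflowCliAccess
TOKEN_ACTIONS = ("airflow:CreateWebLoginToken", "airflow:InvokeRestApi")

# Constructed sample mirroring the page's AmazonMWAAWebServerAccess policy.
WEB_SERVER_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "airflow:CreateWebLoginToken",
    "Resource": ["arn:aws-cn:airflow:us-east-1:111122223333:role/{your-environment-name}/{airflow-role}"]
  }]
}"""

# Constructed sample of the mistake the PassRole note warns about:
# iam:PassRole allowed without an iam:PassedToService condition.
UNSCOPED_PASSROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"}],
}


def render_policy(template, *, account_id, region, environment_name,
                  airflow_role="Viewer", kms_key_id=""):
    """Substitute the page's placeholders ("Substitute the following values")
    and return the parsed policy document."""
    values = {"account_id": account_id, "region": region,
              "environment_name": environment_name,
              "airflow_role": airflow_role, "kms_key_id": kms_key_id}
    text = template.replace(ENV_NAME_TOKEN, environment_name)
    for key, token in PLACEHOLDERS.items():
        if values[key]:
            text = text.replace(token, values[key])
    return json.loads(text)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for the problems this page's notes call out."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        # Console and API policies must scope PassRole to the MWAA principal.
        if "iam:PassRole" in actions:
            keys = {k for block in st.get("Condition", {}).values() for k in block}
            if "iam:PassedToService" not in keys:
                findings.append(f"statement {i}: iam:PassRole has no iam:PassedToService condition")
        for res in resources:
            # Placeholders left behind mean the policy was never customised.
            if re.search(r"\{[^}]*\}|YOUR_KMS_ID", res):
                findings.append(f"statement {i}: unresolved placeholder in {res}")
            # Token actions take an Airflow role ARN, not the environment ARN.
            if any(a in TOKEN_ACTIONS for a in actions) and ":environment/" in res:
                findings.append(f"statement {i}: token action must name a role ARN, not {res}")
    return findings


def with_source_vpc_condition(policy, vpc_id):
    """Restrict airflow:InvokeRestApi to calls originating in one VPC using the
    aws:SourceVpc condition key.  Returns a new document; the input is untouched."""
    doc = json.loads(json.dumps(policy))  # deep copy
    for st in doc["Statement"]:
        if "airflow:InvokeRestApi" in _as_list(st.get("Action", [])):
            st.setdefault("Condition", {}).setdefault("StringEquals", {})["aws:SourceVpc"] = vpc_id
    return doc


def create_and_attach(policy_name, policy, group_name):
    """API form of the console steps: create the policy, attach it to the group.
    Only runs when called; assumes boto3 is installed and credentials exist."""
    import boto3  # assumption: boto3 available (not part of the page)
    iam = boto3.client("iam")
    arn = iam.create_policy(PolicyName=policy_name,
                            PolicyDocument=json.dumps(policy))["Policy"]["Arn"]
    iam.attach_group_policy(GroupName=group_name, PolicyArn=arn)
    return arn


if __name__ == "__main__":
    doc = render_policy(WEB_SERVER_TEMPLATE, account_id="123456789012",
                        region="cn-north-1", environment_name="MyAirflowEnvironment",
                        airflow_role="Admin")
    print(json.dumps(doc, indent=2))
    print("findings:", lint_policy(doc) or "none")
    print("unscoped PassRole:", lint_policy(UNSCOPED_PASSROLE))
```

Run `lint_policy` on every rendered document before calling `create_and_attach`; an empty findings list is the go-ahead. The placeholder VPC id you pass to `with_source_vpc_condition` must be the VPC of the environment's private webserver, and `aws:SourceVpc` only matches requests that reach the service through that VPC, which is what the private-webserver note requires.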

## What's next?
<a name="access-policy-next-up"></a>
+ Learn how to generate a token to access the Apache Airflow UI in [Accessing Apache Airflow](access-airflow-ui.md).
+ Learn more about creating IAM policies in [Creating IAM policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create.html).