How Amazon MWAA works with IAM
Amazon MWAA uses IAM identity-based policies to grant permissions to Amazon MWAA actions and resources. For recommended examples of custom IAM policies you can use to control access to your Amazon MWAA resources, see Accessing an Amazon MWAA environment.
To get a high-level view of how Amazon MWAA and other Amazon services work with IAM, see Amazon Services That Work with IAM in the IAM User Guide.
Amazon MWAA identity-based policies
With IAM identity-based policies, you can specify allowed or denied actions and resources, as well as the conditions under which actions are allowed or denied. Amazon MWAA supports specific actions, resources, and condition keys.
The following steps show how you can create a new JSON policy using the IAM console. This policy provides read-only access to your Amazon MWAA resources.
To use the JSON policy editor to create a policy
1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
2. In the navigation pane on the left, choose Policies.
   If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.
3. At the top of the page, choose Create policy.
4. In the Policy editor section, choose the JSON option.
5. Enter the following JSON policy document:
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "airflow:ListEnvironments",
           "airflow:GetEnvironment",
           "airflow:ListTagsForResource"
         ],
         "Resource": "*"
       }
     ]
   }
6. Choose Next.
   Note
   You can switch between the Visual and JSON editor options anytime. However, if you make changes or choose Next in the Visual editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring in the IAM User Guide.
7. On the Review and create page, enter a Policy name and a Description (optional) for the policy that you are creating. Review Permissions defined in this policy to see the permissions that are granted by your policy.
8. Choose Create policy to save your new policy.
To learn about all of the elements that you use in a JSON policy, see IAM JSON Policy Elements Reference in the IAM User Guide.
Actions
Administrators can use Amazon JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.
The Action element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated Amazon API operation. There are some exceptions, such as permission-only actions that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called dependent actions.
Include actions in a policy to grant permissions to perform the associated operation.
Policy statements must include either an Action element or a NotAction element. The Action element lists the actions allowed by the policy. The NotAction element lists the actions that are not allowed.
The actions defined for Amazon MWAA reflect tasks that you can perform using Amazon MWAA.
Policy actions in Amazon MWAA have the following prefix: airflow:
You can also use wildcards (*) to specify multiple actions. Instead of listing these actions separately, you can grant access to all actions whose names end with a given word, for example Environment.
To see a list of Amazon MWAA actions, see Actions Defined by Amazon Managed Workflows for Apache Airflow in the IAM User Guide.
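As an added example (not from the Amazon documentation), the following Python simulates how IAM matches the Action and NotAction elements for the policies discussed on this page: the read-only policy from the steps above and the airflow:*Environment wildcard form. It is a deliberately simplified evaluator (an assumption of this example): it ignores Resource and Condition and keeps only the ordering explicit Deny, then explicit Allow, then the implicit default Deny.

```python
import fnmatch
import json

# Constructed sample: the read-only policy shown in the steps on this page.
READ_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["airflow:ListEnvironments", "airflow:GetEnvironment",
                 "airflow:ListTagsForResource"],
      "Resource": "*"
    }
  ]
}
""")

# Constructed sample: the wildcard form ("all actions ending with Environment").
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "airflow:*Environment", "Resource": "*"}]}

def _as_list(value):
    # Action / NotAction may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def statement_applies(statement, action):
    """True if the statement's Action/NotAction element covers `action`."""
    if "Action" in statement:
        return any(action_matches(p, action) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        # NotAction covers every action EXCEPT the ones listed.
        return not any(action_matches(p, action) for p in _as_list(statement["NotAction"]))
    return False

def evaluate(policy, action):
    """Simplified IAM decision on the Action element only (Resource and
    Condition ignored): explicit Deny wins, then Allow, else implicit Deny."""
    decision = "Deny"  # implicit deny until an Allow statement applies
    for stmt in policy["Statement"]:
        if statement_applies(stmt, action):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny overrides any allow
            decision = "Allow"
    return decision
```

Note that airflow:*Environment allows airflow:CreateEnvironment but not airflow:ListEnvironments, because the latter ends with "Environments"; check wildcard patterns against the full action list before relying on them.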