
Base AWSHook AssumeRoleWithSAML


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Done
    • Affects Version/s: 1.10.9
    • Fix Version/s: 2.0.0
    • Component/s: aws
    • Labels:
      None

      Description

      Base AWS Hook currently does AssumeRole but we require it to additionally be able to do AssumeRoleWithSAML.

      Current

      https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerole

      The AssumeRole API operation is useful for allowing existing IAM users to access AWS resources that they don't already have access to.

      (This requires an AWS IAM user)

      Proposed addition

      https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithsaml

      The AssumeRoleWithSAML API operation returns a set of temporary security credentials for federated users who are authenticated by your organization's existing identity system.

      (This allows federated login using another IDP rather than requiring an AWS IAM user).


      Use case

      We need to be able to authenticate an AD user against our IDP (Windows Active Directory).

      We can obtain a SAML assertion from our IDP, and then provide it to AWS STS to exchange it for AWS temporary credentials, thus authorising us to use AWS services.

      The AWS AssumeRoleWithSAML API is intended for this use case, and the Base AWS Hook should be updated to allow for this method of authentication.
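The exchange the description asks for, as an added example that is not code from this issue or from Airflow's AwsHook: read the AWS Role attribute out of a SAML Response, pick the role, and hand the assertion to STS AssumeRoleWithSAML. It uses boto3's `assume_role_with_saml` client method (a real botocore operation that needs no signing credentials); the sample SAML Response, the account ID, the role and provider ARNs, and the `FakeSTS` stand-in are constructed here so the block runs offline.

```python
import base64
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample SAML Response (placeholder account, role and provider ARNs), shaped like what
# an IdP such as AD FS returns after the AD user authenticates.  A real response is signed and
# carries Conditions/NotOnOrAfter; STS checks both, this parser only reads the Role attribute.
SAMPLE_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/AirflowWorker,arn:aws:iam::123456789012:saml-provider/CorpADFS</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/CorpADFS,arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_ASSERTION_B64 = base64.b64encode(SAMPLE_RESPONSE_XML).decode("ascii")


def parse_role_pairs(saml_assertion_b64):
    """Return the (role_arn, provider_arn) pairs granted by the assertion's AWS Role attribute."""
    root = ET.fromstring(base64.b64decode(saml_assertion_b64))
    pairs = []
    for attr in root.iter("{%s}Attribute" % SAML_NS["saml"]):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            parts = [p.strip() for p in (value.text or "").split(",")]
            # AWS allows the two ARNs in either order; normalise to (role, provider)
            roles = [p for p in parts if ":role/" in p]
            providers = [p for p in parts if ":saml-provider/" in p]
            if len(parts) != 2 or len(roles) != 1 or len(providers) != 1:
                raise ValueError("malformed Role attribute value: %r" % value.text)
            pairs.append((roles[0], providers[0]))
    if not pairs:
        raise ValueError("SAML assertion grants no AWS role")
    return pairs


def select_role(pairs, role_arn=None):
    """Pick the role to assume; refuse to guess when the assertion offers several."""
    if role_arn is None:
        if len(pairs) != 1:
            raise ValueError("assertion offers %d roles, role_arn must be given" % len(pairs))
        return pairs[0]
    for pair in pairs:
        if pair[0] == role_arn:
            return pair
    raise ValueError("role %s is not granted by this assertion" % role_arn)


def assume_role_with_saml(saml_assertion_b64, role_arn=None, duration_seconds=3600, sts_client=None):
    """Exchange the assertion for temporary credentials via STS AssumeRoleWithSAML."""
    if not 900 <= duration_seconds <= 43200:  # STS limits; the role's MaxSessionDuration may be lower
        raise ValueError("duration_seconds must be between 900 and 43200")
    role, provider = select_role(parse_role_pairs(saml_assertion_b64), role_arn)
    if sts_client is None:
        import boto3  # deferred so the module runs without boto3 installed
        # AssumeRoleWithSAML is an unsigned call: no IAM user access keys are needed
        sts_client = boto3.client("sts")
    resp = sts_client.assume_role_with_saml(
        RoleArn=role,
        PrincipalArn=provider,
        SAMLAssertion=saml_assertion_b64,
        DurationSeconds=duration_seconds,
    )
    creds = resp["Credentials"]
    # Keys named as boto3.Session() expects; never log these or the assertion itself
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


class FakeSTS:
    """Offline stand-in for boto3's STS client; records the request and returns canned credentials."""

    def __init__(self):
        self.last_request = None

    def assume_role_with_saml(self, **kwargs):
        self.last_request = kwargs
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret",
                                "SessionToken": "token", "Expiration": "2020-03-01T00:00:00Z"}}


if __name__ == "__main__":
    sts = FakeSTS()
    creds = assume_role_with_saml(SAMPLE_ASSERTION_B64,
                                  role_arn="arn:aws:iam::123456789012:role/AirflowWorker",
                                  sts_client=sts)
    print(sts.last_request["RoleArn"], sts.last_request["PrincipalArn"], creds["aws_access_key_id"])
```

Two points a hook implementation should keep: the assertion is short-lived and STS rejects it once its validity window has passed, so it has to be fetched from the IdP at connection time rather than stored in the connection; and the credentials that come back are temporary and expire at `Expiration`, so the hook must re-run the exchange instead of caching them for the life of the process.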


               People

               • Assignee: Bjorn Olsen (bjorn.olsen1@gmail.com)
               • Reporter: Bjorn Olsen (bjorn.olsen1@gmail.com)
               • Votes: 0
               • Watchers: 2
