
Using the Idealo MWAA module, I've created an MWAA environment on AWS.

I have attached the following policy to allow my AWS user to create the token:

# Policy document for the IAM user that will request the web login token.
data "aws_iam_policy_document" "mwaa_admin_token_creation" {
  # Lets the user publish metrics to the MWAA environment itself.
  statement {
    effect    = "Allow"
    actions   = ["airflow:PublishMetrics"]
    resources = [module.idealo_mwaa.mwaa_arn]
  }
  # Lets the user create a web login token; the resource here is built from
  # the environment's execution role ARN with "/Admin" appended.
  statement {
    effect    = "Allow"
    actions   = ["airflow:CreateWebLoginToken"]
    resources = ["${module.idealo_mwaa.mwaa_execution_role_arn}/Admin"]
  }
}

# Managed policy rendered from the document above.
resource "aws_iam_policy" "mwaa_admin_policy" {
  name        = "user-create-token-mwaa"
  description = "Airflow Token Creation policy"
  policy      = data.aws_iam_policy_document.mwaa_admin_token_creation.json
}

# Attach the managed policy directly to the IAM user that runs the boto3/CLI call.
resource "aws_iam_user_policy_attachment" "airflow-general-attach" {
  user       = var.my_username_name
  policy_arn = aws_iam_policy.mwaa_admin_policy.arn
}

When checking the role on AWS as JSON:

{
    "Statement": [
        {
            "Action": "airflow:PublishMetrics",
            "Effect": "Allow",
            "Resource": "arn:aws:airflow:us-east-1:<account-id>:environment/mwaa-name",
            "Sid": ""
        },
        {
            "Action": "airflow:CreateWebLoginToken",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::<account-id>:role/mwaa-name-execution-role/Admin",
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}

While trying to create the token with boto3 as recommended here:

import boto3

# Static credentials of the IAM user that has the policy above attached.
session = boto3.Session(aws_access_key_id='XX',
                        aws_secret_access_key='YY',
                        region_name='us-east-1')

# Create the client from the session so the call uses the credentials and
# region configured above. verify=False disables TLS certificate validation
# for the API call; keep it only if you must (e.g. an intercepting proxy).
mwaa = session.client('mwaa', verify=False)

# Request a short-lived token for the Airflow web UI of the named environment.
response = mwaa.create_web_login_token(Name="mwaa-name")
print(response)
webServerHostName = response["WebServerHostname"]
webToken = response["WebToken"]
airflowUIUrl = 'https://{0}/aws_mwaa/aws-console-sso?login=true#{1}'.format(webServerHostName, webToken)
print("Here is your Airflow UI URL: ")
print(airflowUIUrl)

I'm receiving the following message:

**botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the CreateWebLoginToken operation: Not Airflow role granted in IAM**

While using the AWS CLI, I'm receiving the following message:

aws mwaa create-web-login-token --name mwaa-name --region us-east-1
An error occurred (AccessDeniedException) when calling the CreateWebLoginToken operation: Not Airflow role granted in IAM

The only reference to this I've found is this post, but it is not applicable, since it is public already.

What am I doing wrong?

HouKaide
  • So there is an IAM role which can be used for creating the token and in your Python code you are using an AWS access key ID and secret access key. Are you sure that the user for which you are setting the keys is allowed to perform the action? – Marko E May 19 '23 at 09:48
  • @MarkoE thank you for your answer. In the `aws_iam_user_policy_attachment` `airflow-general-attach` on Terraform, I'm attaching the rights to perform the action of Creating the Token. – HouKaide May 19 '23 at 11:17
  • But you are not using the role in the Python code, are you? – Marko E May 19 '23 at 11:26
  • You might want to take a look at this: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts/client/assume_role.html. – Marko E May 19 '23 at 11:38

1 Answer


Regarding the IAM role policy which is trying to create the web login token:

{
      "Action": "airflow:CreateWebLoginToken",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::<account-id>:role/mwaa-name-execution-role/Admin",
      "Sid": ""
}

The Resource is incorrect for the action airflow:CreateWebLoginToken. Instead, it should be in the format arn:aws:airflow:{your-region}:YOUR_ACCOUNT_ID:role/{your-environment-name}/{airflow-role}. If you want to use the Airflow role Admin, replace {airflow-role} with Admin. Ref doc
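To make the answer's point checkable, here is an added example (not code from the question, the answer, or the Idealo module) that builds the airflow-namespace role ARN the way the answer describes and lints a policy document for `airflow:CreateWebLoginToken` statements whose Resource is an IAM role ARN, malformed, or wider than a single Airflow role. The account id `123456789012`, the environment name `mwaa-name` and the embedded policies are constructed sample inputs; the policy shapes (string-or-list Action/Resource) follow the IAM JSON grammar, and the default Airflow role names are taken from Airflow's built-in RBAC roles.

```python
import json
import re

# airflow:CreateWebLoginToken authorizes against an Airflow role ARN, not an IAM role ARN:
#   arn:aws:airflow:{region}:{account-id}:role/{environment-name}/{airflow-role}
AIRFLOW_ROLE_ARN_RE = re.compile(
    r"^arn:aws:airflow:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"role/(?P<env>[^/]+)/(?P<role>[^/]+)$"
)

# Airflow's built-in RBAC roles. Custom roles exist, so a non-default name is a warning.
DEFAULT_AIRFLOW_ROLES = {"Admin", "Op", "User", "Viewer", "Public"}

# Action values that grant CreateWebLoginToken, directly or via wildcard.
TOKEN_ACTIONS = {"airflow:CreateWebLoginToken", "airflow:*", "*"}


def airflow_role_arn(region, account_id, environment_name, airflow_role="Admin"):
    """Build the Resource ARN that airflow:CreateWebLoginToken expects."""
    if "/" in environment_name or "/" in airflow_role:
        raise ValueError("environment and role names must not contain '/'")
    return f"arn:aws:airflow:{region}:{account_id}:role/{environment_name}/{airflow_role}"


def _as_list(value):
    # IAM allows Statement/Action/Resource to be a string/object or a list; normalise.
    return value if isinstance(value, list) else [value]


def check_web_login_token_policy(policy):
    """Return findings for every Allow statement granting airflow:CreateWebLoginToken
    against a Resource that MWAA will not match, or that is broader than one role."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not TOKEN_ACTIONS & set(_as_list(stmt.get("Action", []))):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {idx}: Resource '*' allows a login token for every "
                                "Airflow role in every environment; scope to one role ARN")
                continue
            if res.startswith("arn:aws:iam:"):
                findings.append(f"statement {idx}: {res} is an IAM role ARN; CreateWebLoginToken "
                                "needs arn:aws:airflow:<region>:<account>:role/<env>/<AirflowRole>")
                continue
            m = AIRFLOW_ROLE_ARN_RE.match(res)
            if m is None:
                findings.append(f"statement {idx}: {res} does not match "
                                "arn:aws:airflow:<region>:<account>:role/<env>/<AirflowRole>")
            elif "*" in m.group("role"):
                findings.append(f"statement {idx}: role segment {m.group('role')!r} is a wildcard; "
                                "grant a single Airflow role instead")
            elif m.group("role") not in DEFAULT_AIRFLOW_ROLES:
                findings.append(f"statement {idx}: {m.group('role')!r} is not a default Airflow "
                                f"role ({sorted(DEFAULT_AIRFLOW_ROLES)}); check it exists")
    return findings


# Constructed sample: the policy from the question, with a made-up account id.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "", "Effect": "Allow", "Action": "airflow:PublishMetrics",
         "Resource": "arn:aws:airflow:us-east-1:123456789012:environment/mwaa-name"},
        {"Sid": "", "Effect": "Allow", "Action": "airflow:CreateWebLoginToken",
         "Resource": "arn:aws:iam::123456789012:role/mwaa-name-execution-role/Admin"},
    ],
}

# Constructed sample: the same policy with the Resource corrected as the answer describes.
CORRECTED_POLICY = json.loads(json.dumps(POSTED_POLICY))
CORRECTED_POLICY["Statement"][1]["Resource"] = airflow_role_arn(
    "us-east-1", "123456789012", "mwaa-name", "Admin")

if __name__ == "__main__":
    for name, pol in (("posted", POSTED_POLICY), ("corrected", CORRECTED_POLICY)):
        print(f"{name}: {check_web_login_token_policy(pol) or 'OK'}")
```

Run against the posted policy the checker reports exactly the mistake the answer identifies (an `arn:aws:iam::` resource on a CreateWebLoginToken statement); against the corrected policy it reports nothing. In Terraform the same fix means replacing `"${module.idealo_mwaa.mwaa_execution_role_arn}/Admin"` with an ARN built from the environment's region, account and name, for example via `format("arn:aws:airflow:%s:%s:role/%s/Admin", region, account_id, environment_name)` with values from your own data sources.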