Accessing an Amazon MWAA environment
To use Amazon Managed Workflows for Apache Airflow (MWAA), you must use an account, user, or role with the necessary permissions. This page describes the access policies you can attach to your Apache Airflow development team and Apache Airflow users for your Amazon Managed Workflows for Apache Airflow (MWAA) environment.
Sections
- How it works
- Full console access policy: AmazonMWAAFullConsoleAccess
- Full API and console access policy: AmazonMWAAFullApiAccess
- Read-only console access policy: AmazonMWAAReadOnlyAccess
- Apache Airflow UI access policy: AmazonMWAAWebServerAccess
- Apache Airflow CLI policy: AmazonMWAAAirflowCliAccess
- Creating a JSON policy
- Example use case to attach policies to a developer group
- What's next?
How it works
The resources and services used in an Amazon MWAA environment are not accessible to all AWS Identity and Access Management (IAM) entities, such as users, roles, or groups. You must create a policy that grants your Apache Airflow users permission to access these resources. For example, you need to grant access to your Apache Airflow development team.
Amazon MWAA uses these policies to validate whether a user has the permissions needed to perform an action on the AWS console or via the APIs used by an environment.
You can use the JSON policies in this topic to create a policy for your Apache Airflow users in IAM, and then attach the policy to a user, group, or role in IAM. Here are the policies available:
- AmazonMWAAFullConsoleAccess – A user may need access to this permissions policy if they need to configure an environment on the Amazon MWAA console.
- AmazonMWAAFullApiAccess – A user may need access to this permissions policy if they need access to all Amazon MWAA APIs used to manage an environment.
- AmazonMWAAReadOnlyAccess – A user may need access to this permissions policy if they need to view the resources used by an environment on the Amazon MWAA console.
- AmazonMWAAWebServerAccess – A user may need access to this permissions policy if they need to access the Apache Airflow UI.
- AmazonMWAAAirflowCliAccess – A user may need access to this permissions policy to run Apache Airflow CLI commands.
The sample policies on this page contain placeholders. For example, replace YOUR_ACCOUNT_ID with your account ID, such as 0123456789.
Full console access policy: AmazonMWAAFullConsoleAccess
A user may need access to the AmazonMWAAFullConsoleAccess permissions policy if they need to configure an environment on the Amazon MWAA console.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "airflow:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:ListRoles"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreatePolicy"],
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:policy/service-role/MWAA-Execution-Policy*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutObject",
        "s3:GetEncryptionConfiguration"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup"
      ],
      "Resource": "arn:aws:ec2:*:*:security-group/airflow-security-group-*"
    },
    {
      "Effect": "Allow",
      "Action": ["kms:ListAliases"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:ListGrants",
        "kms:CreateGrant",
        "kms:RevokeGrant",
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*"
      ],
      "Resource": "arn:aws:kms:*:YOUR_ACCOUNT_ID:key/YOUR_KMS_ID"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "airflow.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole"
      ],
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/service-role/AmazonMWAA*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetEncryptionConfiguration"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:*:*:vpc-endpoint/*",
        "arn:aws:ec2:*:*:vpc/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterface"],
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ]
    }
  ]
}
```
Full API and console access policy: AmazonMWAAFullApiAccess
A user may need access to the AmazonMWAAFullApiAccess permissions policy if they need access to all Amazon MWAA APIs used to manage an environment. It does not grant permissions to access the Apache Airflow UI.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "airflow:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:ListGrants",
        "kms:CreateGrant",
        "kms:RevokeGrant",
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*"
      ],
      "Resource": "arn:aws:kms:*:YOUR_ACCOUNT_ID:key/YOUR_KMS_ID"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": "airflow.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetEncryptionConfiguration"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:*:*:vpc-endpoint/*",
        "arn:aws:ec2:*:*:vpc/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterface"],
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ]
    }
  ]
}
```
Read-only console access policy: AmazonMWAAReadOnlyAccess
A user may need access to the AmazonMWAAReadOnlyAccess permissions policy if they need to view the resources used by an environment on the Amazon MWAA console environment details page. It doesn't allow a user to create new environments, edit existing environments, or allow a user to view the Apache Airflow UI.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "airflow:ListEnvironments",
        "airflow:GetEnvironment",
        "airflow:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
```
Apache Airflow UI access policy: AmazonMWAAWebServerAccess
A user may need access to the AmazonMWAAWebServerAccess permissions policy if they need to access the Apache Airflow UI. It does not allow the user to view environments on the Amazon MWAA console or use the Amazon MWAA APIs to perform any actions. Specify the Admin, Op, User, Viewer, or the Public role in {airflow-role} to customize the level of access for the user of the web token. For more information, see Default Roles.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "airflow:CreateWebLoginToken",
      "Resource": [
        "arn:aws:airflow:{your-region}:YOUR_ACCOUNT_ID:role/{your-environment-name}/{airflow-role}"
      ]
    }
  ]
}
```

Amazon MWAA provides IAM integration with the five default Apache Airflow role-based access control (RBAC) roles: Admin, Op, User, Viewer, and Public.
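The following Python is an added example, not code from the AWS documentation. It renders the AmazonMWAAWebServerAccess template above with concrete values, refuses a role name outside the five default Apache Airflow roles, refuses any placeholder left unsubstituted (so a half-edited policy is never attached), and then lists the Allow statements that pair a wildcard action with Resource "*", which is the check worth running over AmazonMWAAFullConsoleAccess and AmazonMWAAFullApiAccess before handing them to a whole group. The placeholder names are the page's; the function names, the 12-digit account-ID check (real AWS account IDs are 12 digits, so the shorter sample value the page uses for illustration would not pass it), and the sample values are this example's own.

```python
"""Render and sanity-check the Amazon MWAA policy templates from this page.

Added example, not code from the AWS documentation. Placeholder names
({your-region}, {your-account-id}, {your-environment-name}, {airflow-role})
follow the page; the checks below are this example's own.
"""
import json
import re

# The five default Apache Airflow RBAC roles that Amazon MWAA maps through IAM.
AIRFLOW_ROLES = ("Admin", "Op", "User", "Viewer", "Public")

# Copied from the AmazonMWAAWebServerAccess policy, with {your-account-id}
# used in place of YOUR_ACCOUNT_ID so every placeholder has the same shape.
WEB_SERVER_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "airflow:CreateWebLoginToken",
      "Resource": [
        "arn:aws:airflow:{your-region}:{your-account-id}:role/{your-environment-name}/{airflow-role}"
      ]
    }
  ]
}"""

# Matches both placeholder styles used on the page: {your-...} and YOUR_....
PLACEHOLDER = re.compile(r"\{[a-z][a-z-]*\}|YOUR_[A-Z_]+")


def render_policy(template, values):
    """Substitute placeholders in a policy template and return the parsed document.

    Raises ValueError for an unknown Airflow role, a malformed account ID, or
    any placeholder left unsubstituted.
    """
    if "airflow-role" in values and values["airflow-role"] not in AIRFLOW_ROLES:
        raise ValueError(f"unknown Apache Airflow role: {values['airflow-role']!r}")
    account = values.get("your-account-id")
    if account is not None and not re.fullmatch(r"\d{12}", account):
        raise ValueError("AWS account IDs are 12 digits")
    rendered = template
    for key, value in values.items():
        rendered = rendered.replace("{" + key + "}", value)
    leftover = sorted(set(PLACEHOLDER.findall(rendered)))
    if leftover:
        raise ValueError(f"unresolved placeholders: {leftover}")
    return json.loads(rendered)


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def broad_grants(document):
    """Return the wildcard actions of every Allow statement whose Resource is "*".

    Such statements (for example "airflow:*" on "*" in AmazonMWAAFullConsoleAccess)
    are the ones to justify before attaching the policy to a developer group.
    """
    findings = []
    for statement in document["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        wildcard_actions = [a for a in _as_list(statement["Action"]) if a.endswith("*")]
        if wildcard_actions and "*" in _as_list(statement.get("Resource", [])):
            findings.append(wildcard_actions)
    return findings


if __name__ == "__main__":
    # Constructed sample values; the account ID is a dummy 12-digit number.
    doc = render_policy(WEB_SERVER_TEMPLATE, {
        "your-region": "us-east-1",
        "your-account-id": "012345678901",
        "your-environment-name": "MyAirflowEnvironment",
        "airflow-role": "Viewer",
    })
    print(json.dumps(doc, indent=2))
    print("broad grants:", broad_grants(doc))
```

Choosing Viewer rather than Admin in the rendered ARN is the lever this policy gives you: the web token carries whichever default role the ARN names, so grant the least one the user's work needs.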
Apache Airflow CLI policy: AmazonMWAAAirflowCliAccess
A user may need access to the AmazonMWAAAirflowCliAccess permissions policy if they need to run Apache Airflow CLI commands (such as trigger_dag). It does not allow the user to view environments on the Amazon MWAA console or use the Amazon MWAA APIs to perform any actions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["airflow:CreateCliToken"],
      "Resource": "*"
    }
  ]
}
```
Creating a JSON policy
You can create the JSON policy, and attach the policy to your user, role, or group on the IAM console. The following steps describe how to create a JSON policy in IAM.
To create the JSON policy
- Open the Policies page on the IAM console.
- Choose Create policy.
- Choose the JSON tab.
- Add your JSON policy.
- Choose Review policy.
- Enter a value in the text field for Name and Description (optional). For example, you could name the policy AmazonMWAAReadOnlyAccess.
- Choose Create policy.
Example use case to attach policies to a developer group
Let's say you're using a group in IAM named AirflowDevelopmentGroup to apply permissions to all of the developers on your Apache Airflow development team. These users need access to the AmazonMWAAFullConsoleAccess, AmazonMWAAAirflowCliAccess, and AmazonMWAAWebServerAccess permission policies. This section describes how to create a group in IAM, create and attach these policies, and associate the group to an IAM user. The steps assume you're using an AWS owned key.
To create the AmazonMWAAFullConsoleAccess policy
- Download the AmazonMWAAFullConsoleAccess access policy.
- Open the Policies page on the IAM console.
- Choose Create policy.
- Choose the JSON tab.
- Paste the JSON policy for AmazonMWAAFullConsoleAccess.
- Substitute the following values:
  - {your-account-id} – your AWS account ID (such as 0123456789)
  - {your-kms-id} – the aws/airflow identifier for an AWS owned key
- Choose Review policy.
- Type AmazonMWAAFullConsoleAccess in Name.
- Choose Create policy.
To create the AmazonMWAAWebServerAccess policy
- Download the AmazonMWAAWebServerAccess access policy.
- Open the Policies page on the IAM console.
- Choose Create policy.
- Choose the JSON tab.
- Paste the JSON policy for AmazonMWAAWebServerAccess.
- Substitute the following values:
  - {your-region} – the region of your Amazon MWAA environment (such as us-east-1)
  - {your-account-id} – your AWS account ID (such as 0123456789)
  - {your-environment-name} – your Amazon MWAA environment name (such as MyAirflowEnvironment)
  - {airflow-role} – the Admin Apache Airflow Default Role
- Choose Review policy.
- Type AmazonMWAAWebServerAccess in Name.
- Choose Create policy.
To create the AmazonMWAAAirflowCliAccess policy
- Download the AmazonMWAAAirflowCliAccess access policy.
- Open the Policies page on the IAM console.
- Choose Create policy.
- Choose the JSON tab.
- Paste the JSON policy for AmazonMWAAAirflowCliAccess.
- Choose Review policy.
- Type AmazonMWAAAirflowCliAccess in Name.
- Choose Create policy.
To create the group
- Open the Groups page on the IAM console.
- Type a name of AirflowDevelopmentGroup.
- Choose Next Step.
- Type AmazonMWAA to filter results in Filter.
- Select the three policies you created.
- Choose Next Step.
- Choose Create Group.
To associate to a user
- Open the Users page on the IAM console.
- Choose a user.
- Choose Groups.
- Choose Add user to groups.
- Select the AirflowDevelopmentGroup.
- Choose Add to Groups.
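The console procedures under "Creating a JSON policy" and in this section can also be scripted. The following Python is an added example, not code from the AWS documentation: it creates the three customer managed policies, creates the group, attaches the policies, and adds users, in the same order as the steps above. The IAM client is passed in as a parameter so the function can be exercised against a stand-in; the boto3 operations it calls (create_policy, create_group, attach_group_policy, add_user_to_group) are real IAM API operations, while the function names, the convention of reading each policy from a <PolicyName>.json file saved from this page, and the user name "alice" are this example's own assumptions. Documents that still contain placeholders are rejected before anything is created.

```python
"""Script the developer-group procedure from this page with boto3.

Added example, not code from the AWS documentation. The IAM client is an
argument so the logic can be run against a stand-in; the operations used
(create_policy, create_group, attach_group_policy, add_user_to_group) are real
IAM API calls. Policy documents are read from <PolicyName>.json files that you
save from this page with the placeholders already substituted (assumed layout).
"""
import json
import re

# The three policies this page attaches to AirflowDevelopmentGroup.
POLICY_NAMES = (
    "AmazonMWAAFullConsoleAccess",
    "AmazonMWAAWebServerAccess",
    "AmazonMWAAAirflowCliAccess",
)

# Either placeholder style used on the page: {your-...} or YOUR_....
PLACEHOLDER = re.compile(r"\{[a-z][a-z-]*\}|YOUR_[A-Z_]+")


def check_document(name, document):
    """Reject a policy document that is not valid JSON or still has placeholders."""
    json.loads(document)
    leftover = sorted(set(PLACEHOLDER.findall(document)))
    if leftover:
        raise ValueError(f"{name}: unresolved placeholders {leftover}")


def provision_developer_group(iam, group_name, policy_documents, user_names=()):
    """Create the policies, create the group, attach the policies, add the users.

    iam: a boto3 IAM client, or any object with the same four methods.
    policy_documents: mapping of policy name -> policy JSON string.
    Returns the ARNs of the policies attached to the group, in POLICY_NAMES order.
    """
    missing = [n for n in POLICY_NAMES if n not in policy_documents]
    if missing:
        raise ValueError(f"no policy document for {missing}")
    # Validate every document first so a bad one does not leave a half-built group.
    for name in POLICY_NAMES:
        check_document(name, policy_documents[name])

    arns = []
    for name in POLICY_NAMES:
        resp = iam.create_policy(PolicyName=name, PolicyDocument=policy_documents[name])
        arns.append(resp["Policy"]["Arn"])

    iam.create_group(GroupName=group_name)
    for arn in arns:
        iam.attach_group_policy(GroupName=group_name, PolicyArn=arn)
    for user in user_names:
        iam.add_user_to_group(GroupName=group_name, UserName=user)
    return arns


def load_policy_documents(directory="."):
    """Read <directory>/<PolicyName>.json for each policy (assumed file layout)."""
    documents = {}
    for name in POLICY_NAMES:
        with open(f"{directory}/{name}.json", encoding="utf-8") as fh:
            documents[name] = fh.read()
    return documents


if __name__ == "__main__":
    import boto3  # assumes boto3 is installed and credentials that may manage IAM

    iam = boto3.client("iam")
    attached = provision_developer_group(
        iam, "AirflowDevelopmentGroup", load_policy_documents(), user_names=["alice"]
    )
    print("\n".join(attached))
```

Because create_policy is called before create_group, a failure while validating or creating a policy leaves no empty group behind; running the script a second time will fail on the existing policy names, which is the expected signal that the group has already been provisioned.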
What's next?
- Learn how to generate a token to access the Apache Airflow UI in Accessing the Apache Airflow UI.
- Learn more about creating IAM policies in Creating IAM policies.