Accessing an Amazon MWAA environment - Amazon Managed Workflows for Apache Airflow

Accessing an Amazon MWAA environment

To use Amazon Managed Workflows for Apache Airflow (MWAA), you must use an account, user, or role with the necessary permissions. This page describes the access policies you can attach to your Apache Airflow development team and Apache Airflow users for your Amazon Managed Workflows for Apache Airflow (MWAA) environment.

How it works

The resources and services used in an Amazon MWAA environment are not accessible to all AWS Identity and Access Management (IAM) entities, such as users, roles, or groups. You must create a policy that grants your Apache Airflow users permission to access these resources. For example, you need to grant access to your Apache Airflow development team.

Amazon MWAA uses these policies to validate whether a user has the permissions needed to perform an action on the AWS console or via the APIs used by an environment.

You can use the JSON policies in this topic to create a policy for your Apache Airflow users in IAM, and then attach the policy to a user, group, or role in IAM. Here are the policies available:

  • AmazonMWAAFullConsoleAccess – A user may need access to this permissions policy if they need to configure an environment on the Amazon MWAA console.

  • AmazonMWAAFullApiAccess – A user may need access to this permissions policy if they need access to all Amazon MWAA APIs used to manage an environment.

  • AmazonMWAAReadOnlyAccess – A user may need access to this permissions policy if they need to view the resources used by an environment on the Amazon MWAA console.

  • AmazonMWAAWebServerAccess – A user may need access to this permissions policy if they need to access the Apache Airflow UI.

  • AmazonMWAAAirflowCliAccess – A user may need access to this permissions policy to run Apache Airflow CLI commands.

The sample policies on this page contain placeholders. For example, replace YOUR_ACCOUNT_ID with your AWS account ID, such as 0123456789.

Full console access policy: AmazonMWAAFullConsoleAccess

A user may need access to the AmazonMWAAFullConsoleAccess permissions policy if they need to configure an environment on the Amazon MWAA console.

{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "airflow:*", "Resource": "*" },
    { "Effect": "Allow", "Action": ["iam:ListRoles"], "Resource": "*" },
    { "Effect": "Allow", "Action": ["iam:CreatePolicy"],
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:policy/service-role/MWAA-Execution-Policy*" },
    { "Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA" },
    { "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets", "s3:ListBucket", "s3:ListBucketVersions"],
      "Resource": "*" },
    { "Effect": "Allow",
      "Action": ["s3:CreateBucket", "s3:PutObject", "s3:GetEncryptionConfiguration"],
      "Resource": "arn:aws:s3:::*" },
    { "Effect": "Allow",
      "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeRouteTables"],
      "Resource": "*" },
    { "Effect": "Allow",
      "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup"],
      "Resource": "arn:aws:ec2:*:*:security-group/airflow-security-group-*" },
    { "Effect": "Allow", "Action": ["kms:ListAliases"], "Resource": "*" },
    { "Effect": "Allow",
      "Action": ["kms:DescribeKey", "kms:ListGrants", "kms:CreateGrant", "kms:RevokeGrant",
                 "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"],
      "Resource": "arn:aws:kms:*:YOUR_ACCOUNT_ID:key/YOUR_KMS_ID" },
    { "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
      "Condition": { "StringLike": { "iam:PassedToService": "airflow.amazonaws.com" } } },
    { "Effect": "Allow", "Action": ["iam:AttachRolePolicy", "iam:CreateRole"],
      "Resource": "arn:aws:iam::YOUR_ACCOUNT_ID:role/service-role/AmazonMWAA*" },
    { "Effect": "Allow", "Action": ["s3:GetEncryptionConfiguration"], "Resource": "arn:aws:s3:::*" },
    { "Effect": "Allow", "Action": "ec2:CreateVpcEndpoint",
      "Resource": ["arn:aws:ec2:*:*:vpc-endpoint/*", "arn:aws:ec2:*:*:vpc/*",
                   "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:security-group/*"] },
    { "Effect": "Allow", "Action": ["ec2:CreateNetworkInterface"],
      "Resource": ["arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:network-interface/*"] }
  ]
}

Full API and console access policy: AmazonMWAAFullApiAccess

A user may need access to the AmazonMWAAFullApiAccess permissions policy if they need access to all Amazon MWAA APIs used to manage an environment. It does not grant permissions to access the Apache Airflow UI.

{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "airflow:*", "Resource": "*" },
    { "Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "arn:aws:iam::*:role/aws-service-role/airflow.amazonaws.com/AWSServiceRoleForAmazonMWAA" },
    { "Effect": "Allow",
      "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeRouteTables"],
      "Resource": "*" },
    { "Effect": "Allow",
      "Action": ["kms:DescribeKey", "kms:ListGrants", "kms:CreateGrant", "kms:RevokeGrant",
                 "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"],
      "Resource": "arn:aws:kms:*:YOUR_ACCOUNT_ID:key/YOUR_KMS_ID" },
    { "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
      "Condition": { "StringLike": { "iam:PassedToService": "airflow.amazonaws.com" } } },
    { "Effect": "Allow", "Action": ["s3:GetEncryptionConfiguration"], "Resource": "arn:aws:s3:::*" },
    { "Effect": "Allow", "Action": "ec2:CreateVpcEndpoint",
      "Resource": ["arn:aws:ec2:*:*:vpc-endpoint/*", "arn:aws:ec2:*:*:vpc/*",
                   "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:security-group/*"] },
    { "Effect": "Allow", "Action": ["ec2:CreateNetworkInterface"],
      "Resource": ["arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:network-interface/*"] }
  ]
}

Read-only console access policy: AmazonMWAAReadOnlyAccess

A user may need access to the AmazonMWAAReadOnlyAccess permissions policy if they need to view the resources used by an environment on the environment details page of the Amazon MWAA console. It does not allow a user to create new environments, edit existing environments, or view the Apache Airflow UI.

{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Action": ["airflow:ListEnvironments", "airflow:GetEnvironment", "airflow:ListTagsForResource"],
      "Resource": "*" }
  ]
}

Apache Airflow UI access policy: AmazonMWAAWebServerAccess

A user may need access to the AmazonMWAAWebServerAccess permissions policy if they need to access the Apache Airflow UI. It does not allow the user to view environments on the Amazon MWAA console or use the Amazon MWAA APIs to perform any actions. Specify the Admin, Op, User, Viewer, or Public role in place of {airflow-role} to set the level of access the web login token grants. For more information, see Default Roles in the Apache Airflow reference guide.

{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "airflow:CreateWebLoginToken",
      "Resource": ["arn:aws:airflow:{your-region}:YOUR_ACCOUNT_ID:role/{your-environment-name}/{airflow-role}"] }
  ]
}

Note

Amazon MWAA does not currently support custom Apache Airflow role-based access control (RBAC) roles.

Apache Airflow CLI policy: AmazonMWAAAirflowCliAccess

A user may need access to the AmazonMWAAAirflowCliAccess permissions policy if they need to run Apache Airflow CLI commands (such as trigger_dag). It does not allow the user to view environments on the Amazon MWAA console or use the Amazon MWAA APIs to perform any actions.

{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": ["airflow:CreateCliToken"], "Resource": "*" }
  ]
}

Creating a JSON policy

You can create the JSON policy, and attach the policy to your user, role, or group on the IAM console. The following steps describe how to create a JSON policy in IAM.

To create the JSON policy

  1. Open the Policies page on the IAM console.

  2. Choose Create policy.

  3. Choose the JSON tab.

  4. Add your JSON policy.

  5. Choose Review policy.

  6. Enter a value in the text field for Name and Description (optional).

    For example, you could name the policy AmazonMWAAReadOnlyAccess.

  7. Choose Create policy.

Example use case to attach policies to a developer group

Let's say you're using a group in IAM named AirflowDevelopmentGroup to apply permissions to all of the developers on your Apache Airflow development team. These users need access to the AmazonMWAAFullConsoleAccess, AmazonMWAAAirflowCliAccess, and AmazonMWAAWebServerAccess permission policies. This section describes how to create a group in IAM, create and attach these policies, and add an IAM user to the group. The steps assume you're using an AWS owned key.

To create the AmazonMWAAFullConsoleAccess policy

  1. Download the AmazonMWAAFullConsoleAccess access policy.

  2. Open the Policies page on the IAM console.

  3. Choose Create policy.

  4. Choose the JSON tab.

  5. Paste the JSON policy for AmazonMWAAFullConsoleAccess.

  6. Substitute the following values:

    1. YOUR_ACCOUNT_ID – your AWS account ID (such as 0123456789)

    2. YOUR_KMS_ID – the aws/airflow identifier for an AWS owned key

  7. Choose Review policy.

  8. Type AmazonMWAAFullConsoleAccess in Name.

  9. Choose Create policy.

To create the AmazonMWAAWebServerAccess policy

  1. Download the AmazonMWAAWebServerAccess access policy.

  2. Open the Policies page on the IAM console.

  3. Choose Create policy.

  4. Choose the JSON tab.

  5. Paste the JSON policy for AmazonMWAAWebServerAccess.

  6. Substitute the following values:

    1. {your-region} – the region of your Amazon MWAA environment (such as us-east-1)

    2. YOUR_ACCOUNT_ID – your AWS account ID (such as 0123456789)

    3. {your-environment-name} – your Amazon MWAA environment name (such as MyAirflowEnvironment)

    4. {airflow-role} – the Admin Apache Airflow default role

  7. Choose Review policy.

  8. Type AmazonMWAAWebServerAccess in Name.

  9. Choose Create policy.

To create the AmazonMWAAAirflowCliAccess policy

  1. Download the AmazonMWAAAirflowCliAccess access policy.

  2. Open the Policies page on the IAM console.

  3. Choose Create policy.

  4. Choose the JSON tab.

  5. Paste the JSON policy for AmazonMWAAAirflowCliAccess.

  6. Choose Review policy.

  7. Type AmazonMWAAAirflowCliAccess in Name.

  8. Choose Create policy.

To create the group

  1. Open the Groups page on the IAM console.

  2. Type a name of AirflowDevelopmentGroup.

  3. Choose Next Step.

  4. Type AmazonMWAA to filter results in Filter.

  5. Select the three policies you created.

  6. Choose Next Step.

  7. Choose Create Group.

To add a user to the group

  1. Open the Users page on the IAM console.

  2. Choose a user.

  3. Choose Groups.

  4. Choose Add user to groups.

  5. Select the AirflowDevelopmentGroup.

  6. Choose Add to Groups.
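The placeholder-substitution steps above, as an added Python example that is not part of the AWS documentation: it fills the AmazonMWAAWebServerAccess template from this page, rejects values that cannot be right (an account ID that is not 12 digits, a region that does not look like one, or a role outside the five default Airflow roles), reports any placeholder left unfilled, and flags Allow statements that grant airflow:* on every resource, as the FullConsoleAccess and FullApiAccess policies do. All sample values are constructed.

```python
import json
import re

# Copied from the AmazonMWAAWebServerAccess policy above; placeholders are the page's own.
WEB_SERVER_ACCESS_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "airflow:CreateWebLoginToken",
        "Resource": ["arn:aws:airflow:{your-region}:YOUR_ACCOUNT_ID:role/"
                     "{your-environment-name}/{airflow-role}"],
    }],
}
AIRFLOW_DEFAULT_ROLES = {"Admin", "Op", "User", "Viewer", "Public"}
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")             # AWS account IDs are 12 digits
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")   # e.g. us-east-1
PLACEHOLDER_RE = re.compile(r"\{[a-z-]+\}|YOUR_[A-Z_]+")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def render_web_server_policy(region, account_id, environment_name, airflow_role):
    """Substitute the placeholders, refusing values that cannot be right."""
    if not REGION_RE.match(region):
        raise ValueError(f"{region!r} is not an AWS region name")
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account ID must be exactly 12 digits")
    if airflow_role not in AIRFLOW_DEFAULT_ROLES:   # custom RBAC roles are unsupported
        raise ValueError(f"{airflow_role!r} is not a default Airflow role")
    text = json.dumps(WEB_SERVER_ACCESS_TEMPLATE)
    for placeholder, value in {"{your-region}": region,
                               "YOUR_ACCOUNT_ID": account_id,
                               "{your-environment-name}": environment_name,
                               "{airflow-role}": airflow_role}.items():
        text = text.replace(placeholder, value)
    return json.loads(text)   # fails loudly if a value broke the JSON


def unresolved_placeholders(policy):
    """Placeholders left after substitution: a step in the procedure was skipped."""
    return sorted(set(PLACEHOLDER_RE.findall(json.dumps(policy))))


def wildcard_airflow_statements(policy):
    """Allow statements granting airflow:* on every resource; review these first."""
    return [s for s in policy["Statement"]
            if s["Effect"] == "Allow" and "airflow:*" in _as_list(s["Action"])
            and "*" in _as_list(s["Resource"])]
```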

What's next?