Tutorial: Restricting an Amazon MWAA user's access to a subset of DAGs
Amazon MWAA manages access to your environment by mapping your IAM principals to one or more of Apache Airflow's
default roles
Note
The steps in this tutorial can be completed using federated access, as long as the IAM roles can be assumed.
Topics
Prerequisites
To complete the steps in this tutorial, you'll need the following:
-
An IAM principal,
Admin
with AdministratorAccesspermissions, and an IAM user, MWAAUser
, as the principal for which you can limit DAG access. For more information about admin roles, see Administrator job function in the IAM User GuideNote
Do not attach permission policies directly to your IAM users. We recommend setting up IAM roles that users can assume to gain temporary access to your Amazon MWAA resources.
-
AWS Command Line Interface version 2 installed.
Step one: Provide Amazon MWAA web server access to your IAM principal with the default Public
Apache Airflow role.
To grant permission using the AWS Management Console
-
Sign in to your AWS account with an
Admin
role and open the IAM console. -
In the left navigation pane, choose Users, then choose your Amazon MWAA IAM user from the users table.
-
On the user details page, under Summary, choose the Permissions tab, then choose Permissions policies to expand the card and choose Add permissions.
-
In the Grant permissions section, choose Attach existing policies directly, then choose Create policy to create and attach your own custom permissions policy.
-
On the Create policy page, choose JSON, then copy and paste the following JSON permissions policy in the policy editor. Tha policy grants web server access to the user with the default
Public
Apache Airflow role.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "airflow:CreateWebLoginToken", "Resource": [ "arn:aws:airflow:
YOUR_REGION
:YOUR_ACCOUNT_ID
:role/YOUR_ENVIRONMENT_NAME
/Public" ] } ] }
Step two: Create a new Apache Airflow custom role
To create a new role using the Apache Airflow UI
-
Using your administrator IAM role, open the Amazon MWAA console
and launch your environment's Apache Airflow UI. -
From the navigation pane at the top, hover on Security to open the dropdown list, then choose List Roles to view the default Apache Airflow roles.
-
From the roles list, select User, then at the top of the page choose Actions to open the dropdown. Choose Copy Role, and confirm Ok
Note
Copy the Ops or Viewer roles to grant more or less access, respectively.
-
Locate the new role you created in the table and choose Edit record.
-
On the Edit Role page, do the following:
-
For Name, type a new name for the role in the text field. For example,
Restricted
. -
For the list of Permissions, remove
can read on DAGs
andcan edit on DAGs
, then add read and write permissions for the set of DAGs you want to provide access to. For example, for a DAG,example_dag.py
, add
andcan read on DAG:
example_dag
.can edit on DAG:
example_dag
Choose Save. You should now have a new role that limits access to a subset of DAGs available in your Amazon MWAA environment. You can now assign this role to any existing Apache Airflow users.
-
Step three: Assign the role you created to your Amazon MWAA user
To assign the new role
-
Using access credentials for
MWAAUser
, run the following CLI command to retrieve your environment's web server URL.$
aws mwaa get-environment --name
YOUR_ENVIRONMENT_NAME
| jq '.Environment.WebserverUrl'If successful, you'll see the following output:
"ab1b2345-678a-90a1-a2aa-34a567a8a901.c13.us-west-2.airflow.amazonaws.com"
-
With
MWAAUser
signed in to the AWS Management Console, open a new browser window and access the following URl. ReplaceWebserver-URL
with your information.https://
<Webserver-URL>
/homeIf successful, you'll see a
Forbidden
error page becauseMWAAUser
has not been granted permission to access the Apache Airflow UI yet. -
With
Admin
signed in to the AWS Management Console, open the Amazon MWAA console again and launch your environment's Apache Airflow UI. -
From the UI dashboard, expand the Security dropdown, and this time choose List Users.
-
In the users table, find the new Apache Airflow user and choose Edit record. The user's first name will match your IAM user name in the following pattern:
user/
.mwaa-user
-
On the Edit User page, in the Role section, add the new custom role you created, then choose Save.
Note
The Last Name field is required, but a space satisfies the requirement.
The IAM
Public
principal grants theMWAAUser
permission to access the Apache Airflow UI, while the new role provides the additional permissions needed to see their DAGs.
Important
Any of the 5 default roles (such as Admin
) not authorized by IAM which are added using the Apache Airflow UI will be removed on next user login.
Next steps
-
To learn more about managing access to your Amazon MWAA environment, and to see sample JSON IAM policies you can use for your environment users, see Accessing an Amazon MWAA environment
Related resources
-
Access Control
(Apache Airflow Documentation) – Learn more about the default Apache Airflow roles on the Apache Airflow documentation website.