Date: Sat, 28 Jul 2018 15:33:00 +0000 (UTC)
From: "ASF subversion and git services (JIRA)"
To: commits@airflow.incubator.apache.org
Subject: [jira] [Commented] (AIRFLOW-2807) Add support for External ID when using STS Assume Role

    [ https://issues.apache.org/jira/browse/AIRFLOW-2807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16560780#comment-16560780 ]

ASF subversion and git services commented on AIRFLOW-2807:
----------------------------------------------------------

Commit 449a7fd1b72639f1eb2bbeb033e1642e8eaac96c in incubator-airflow's branch refs/heads/master from [~vvondra]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-airflow.git;h=449a7fd ]

[AIRFLOW-2807] Support STS Assume Role External ID

Currently the role assumption method works only if the granting account does not specify an External ID. The external ID is used to solve the confused deputy problem. When using the AWS hook to export data to multiple customers, it's good security practice to use the external ID.

There is no backwards compatibility break, the ID will be `None` in existing cases. Moto doesn't provide any convenient way to verify the value was passed in the credential response in tests, so existing test cases are kept.

Documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

Closes #3647 from vvondra/support_sts_external_id

> Add support for External ID when using STS Assume Role
> ------------------------------------------------------
>
>                 Key: AIRFLOW-2807
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2807
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: aws, boto3, hooks
>   Affects Versions: 1.10.1
>            Reporter: Vojtech Vondra
>            Priority: Minor
>             Fix For: 2.0.0
>
>
> Currently the role assumption method works only if the granting account does not specify an External ID. The external ID is used to solve the confused deputy problem. When using the AWS hook to export data to multiple customers, it's good security practice to use the external ID.
> Documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
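
Added example, not part of the commit or the Airflow code base: a simplified model of how a granting account's trust policy treats an AssumeRole request with and without an External ID, which is the confused deputy case the commit message refers to. The account IDs, role ARN, external IDs and all function names are constructed for illustration; the evaluation handles only an exact principal match and a StringEquals condition on sts:ExternalId.

```python
# Added example. Account IDs, role ARN and external IDs are constructed.
DEPUTY = "arn:aws:iam::111111111111:root"            # account running the exporter
ROLE_A = "arn:aws:iam::222222222222:role/export"     # role owned by customer A


def trust_policy(external_id=None):
    """Trust policy customer A attaches to ROLE_A, with or without the condition."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": DEPUTY}}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_kwargs(role_arn, session_name, external_id=None):
    """Keyword arguments for boto3's sts.assume_role; ExternalId only if set."""
    kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if external_id is not None:
        kwargs["ExternalId"] = external_id
    return kwargs


def is_allowed(policy, caller, request):
    """Simplified check: exact principal match plus StringEquals on sts:ExternalId."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Principal"]["AWS"] != caller:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or request.get("ExternalId") == required:
            return True
    return False


def scenarios():
    """Outcome of each request the deputy can make against customer A's role."""
    guarded, open_ = trust_policy("cust-a-7f3c"), trust_policy()
    as_a = assume_role_kwargs(ROLE_A, "export", "cust-a-7f3c")  # A's own connection
    as_b = assume_role_kwargs(ROLE_A, "export", "cust-b-91d0")  # B's connection names A's role
    no_id = assume_role_kwargs(ROLE_A, "export")                # no External ID sent
    return {
        "open policy, B's request": is_allowed(open_, DEPUTY, as_b),
        "guarded policy, A's request": is_allowed(guarded, DEPUTY, as_a),
        "guarded policy, B's request": is_allowed(guarded, DEPUTY, as_b),
        "guarded policy, no id": is_allowed(guarded, DEPUTY, no_id),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The "guarded policy, no id" row is the situation the issue describes: a client that cannot send an External ID is denied as soon as the granting account requires one.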