airflow-users mailing list archives

From Denis Boulas <>
Subject AWS external role
Date Fri, 27 Sep 2019 21:51:59 GMT
Hi airflowers!

I'm having bad luck using an external AWS role... I'm running on an instance
with a role attached (instance profile), and I have configured the aws_default
connection id with an empty user and password. Everything works within my AWS

Also, I have created a separate AWS connection, aws_external, with only the
Extra clause filled in like this:
{"role_arn": "arn:aws:iam::123456789012:role/prod-airflow",
   "region_name": "us-east-1"}
Trust is established between the roles (instance profile and external role), and
I can successfully obtain STS creds from the instance role by using this command:
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/prod-airflow
--role-session-name test
But Airflow fails to use this connection with an error:
Running <TaskInstance: athena_partitions.mypart_app_ids
2019-09-22T01:00:00+00:00 [running]> on host ip-10-239-36-198.ec2.internal
[2019-09-23 22:57:45,030] {} ERROR - An error occurred
(InvalidClientTokenId) when calling the AssumeRole operation: The security
token included in the request is invalid.
Traceback (most recent call last):
Any ideas?

I've updated to Airflow 1.10.5 and am still experiencing the issue.

Thanks in advance!

Best regards,
Denis Boulas
