Configure Amazon Verified Permissions¶
Amazon Verified Permissions is used by the AWS auth manager to make all user authorization decisions. All user permission policies need to be defined in Amazon Verified Permissions by the Airflow environment admin.
Create the policy store¶
The AWS auth manager needs one resource in AWS IAM Identity Center: a policy store. You can create it either through the vended CLI command or manually.
With CLI¶
Note
In order to create all resources needed by the AWS auth manager, you can use the CLI command vended as part of the AWS auth manager. In order to use it, you first need to set the AWS auth manager as auth manager in Airflow config. See how to set AWS auth manager as auth manager.
To create the policy store, please run the following command:
airflow aws-auth-manager init-avp
The CLI command should exit successfully. If the error message below is raised, it means you already have created a policy store for Airflow. In that case you might need to update its schema manually.
Since an existing policy store with description ... has been found in Amazon Verified Permissions,
the CLI made no changes to this policy store for security reasons.
Any modification to this policy store must be done manually.
Manually¶
Please follow the instructions below to create the Amazon Verified Permissions policy store.
Open the Amazon Verified Permissions console.
Choose Create policy store.
In the Configuration method section, choose Empty policy store.
In the Details section, type
Airflow
as description.Choose Create policy store. The policy store is now created.
You now need to define the schema of the policy store you just created.
Update the policy store schema¶
Note
You only need to update the policy store schema in some special cases. If your situation matches one of the case below, you should update it, if not, you can skip this part.
You created the policy store manually and no schema is yet defined in the policy store.
You have an existing policy store used for Airflow and you made some modifications to its schema you want to revert.
You have an existing policy store used for Airflow and you want to update its schema to the latest version. This is only needed if your policy store schema and the latest schema version are different. If so, there should be a warning message when Airflow is starting.
With CLI¶
To update the policy store schema to its latest version, please run the following command:
airflow aws-auth-manager update-avp-schema
Manually¶
Please follow the instructions below to update the Amazon Verified Permissions policy store schema to its latest version.
Open the Amazon Verified Permissions console.
Choose the policy store used by Airflow (by default its description is
Airflow
).In the navigation pane on the left, choose Schema.
Choose Edit schema and then choose JSON mode.
Enter the content of the latest schema version in the Contents field.
Choose Save changes.
Configure Airflow¶
You need to set in Airflow configuration the Amazon Verified Permissions policy store ID file created previously.
[aws_auth_manager]
avp_policy_store_id = <avp_policy_store_id>
or
export AIRFLOW__AWS_AUTH_MANAGER__AVP_POLICY_STORE_ID='<avp_policy_store_id>'
The AWS auth manager is now configured and ready to be used. See Manage Airflow environment with AWS auth manager to learn how to manage users and permissions through AWS IAM Identity Center and Amazon Verified Permissions.