Test

Hari Kiran Vusirikala
6 min read · Jun 7, 2022
  1. Create the AWS SSO Application for Amazon MWAA (AWS SSO)
  2. Create the Amazon MWAA Identity Provider (IAM)
  3. Create a Policy to the Amazon MWAA user access role (IAM)
  4. Create the Amazon MWAA user access role (IAM)
  5. Create the AWS SSO Attribute Mappings (AWS SSO)
  6. Assign User(s) and Test

1. Create the AWS SSO Application for Amazon MWAA (AWS SSO)

First create the AWS SSO application for Amazon MWAA and download the metadata.

Step 1: From the AWS SSO Dashboard, choose Applications from the left pane.

Step 2: Choose Add a new application.

Step 3: On the Add New Application page, choose Add a custom SAML 2.0 application.

Step 4: Enter a display name. In this example, the display name is MWAA ExampleEnvironment. This name appears in the user portal.

Step 5: Provide an optional description.

Step 6: In the AWS SSO metadata section, choose Download to the right of the AWS SSO SAML metadata file section. This is the metadata file that is used to create the IAM Identity Provider later on in this setup.

Step 7: In the Application Properties section, keep Application start URL as blank, and enter the Amazon MWAA Relay State URL for ExampleEnvironment.

For example:
https://123456a0-0101-2020-9e11-1b159eec9000.c2.us-east-1.airflow.amazonaws.com

Refer to the Amazon MWAA documentation for instructions to configure the Relay State URL.

Step 8: In the Application metadata section, choose If you don’t have a metadata file, you can manually type your metadata values. Enter the following values:

Application ACS URL: https://signin.aws.amazon.com/saml
Application SAML audience: urn:amazon:webservices

Note
The Application Assertion Consumer Service (ACS) URL identifies where the service provider accepts SAML assertions.

The Application SAML audience value should be unique per application; appending a number to it is good practice (for example, urn:amazon:webservices2).

Step 9: Save the Application.

At this point, the screen should look similar to the following screenshot. Also, the following message appears:

Configuration for MWAA ExampleEnvironment has been saved. You must configure attribute mappings for SSO to work.

2. Create the Amazon MWAA Identity Provider (IAM)

Next, in AWS Identity and Access Management (IAM), create the IAM IdP.

Step 10: Sign in to the IAM console.

Step 11: Choose Identity providers in the left pane.

Step 12: Choose Add Provider.

Step 13: For the Provider Type, choose SAML.

Step 14: Name the provider. In this document, the provider is named AWS_SSO_ExampleEnvironment.

Step 15: For Metadata Document, choose Choose File, and upload the Metadata document that was saved in the section Create the AWS SSO Application for Amazon MWAA, step 6.

Step 16: Choose Add Provider.

A message stating that you have finished creating a SAML provider should display.

Step 17: Click on the Identity Provider that was just created (AWS_SSO_ExampleEnvironment) and note the Provider ARN.

For example, in this document the ARN is:
arn:aws:iam::012345678910:saml-provider/AWS_SSO_ExampleEnvironment

You can also complete this configuration using the AWS Command Line Interface (AWS CLI):

$ aws iam create-saml-provider --saml-metadata-document file://SAMLMetaData.xml --name AWS_SSO_ExampleEnvironment

3. Create a Policy to the Amazon MWAA user access role (IAM)

Use the following steps to set up the MWAA_ExampleEnvironment_User_Policy policy. This policy grants the federated user the Amazon MWAA User privileges for the environment:

Step 18: On the IAM console, choose Policies.

Step 19: Choose Create Policy.

Step 20: Choose JSON and replace the existing text with the following code:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "airflow:CreateWebLoginToken",
      "Resource": "arn:aws:airflow:<REGION-CODE>:<ACCOUNT-ID-WITHOUT-HYPHENS>:role/<ENVIRONMENT-NAME>/User"
    }
  ]
}

Step 21: In the template above, replace REGION-CODE, ACCOUNT-ID-WITHOUT-HYPHENS, and ENVIRONMENT-NAME. ENVIRONMENT-NAME is case sensitive. Below shows the policy for ExampleEnvironment in US East (N. Virginia).

Step 22: Choose Review policy.

Step 23: Name the policy. In this document it is named MWAA_ExampleEnvironment_User_Policy.

Step 24: Choose Create policy.

4. Create the Amazon MWAA user access role (IAM)

Next, create a SAML 2.0 federation IAM role. This establishes the trust relationship between IAM and the Identity Provider (IdP), AWS SSO.

Step 25: From the IAM console, choose Roles from the left pane.

Step 26: Choose Create Role.

Step 27: Choose the type of trusted entity, and then choose SAML 2.0 federation.

Step 28: Under Choose a SAML 2.0-based provider, choose the Identity Provider created previously in the Create the Amazon MWAA Identity Provider section. In this document, that is AWS_SSO_ExampleEnvironment.

Step 29: Select Allow programmatic and AWS Management Console access.

Step 30: For Attribute, make sure SAML:aud is selected.

Step 31: Value should show https://signin.aws.amazon.com/saml.

Step 32: Choose Next.

Step 33: On the Attach permissions policies page, choose the MWAA_ExampleEnvironment_User_Policy IAM policy created in the Create a Policy to the Amazon MWAA user access role section.

Step 34: Choose Next.

Step 35: Name the role. In this document, the role is named MWAA_ExampleEnvironment_User_Role. A description is optional.

Step 36: Choose Create role.

A message stating that the role MWAA_ExampleEnvironment_User_Role has been created should display.

Step 37: Click View role and note the Role ARN.

In this document, the Role ARN is:
arn:aws:iam::012345678910:role/MWAA_ExampleEnvironment_User_Role
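
The three IAM objects from sections 2 to 4 (SAML provider, permission policy, federation role) can also be produced in code. The following is an added example, not the author's code or an AWS-provided script: it builds the permission policy from step 20 and the trust policy that the "SAML 2.0 federation" wizard writes in steps 27 to 31, and validates the inputs the post calls out (a 12-digit account id with no hyphens, a case-sensitive environment name). The account id, region and names are the placeholders used in this post; apply_with_boto3() is a hypothetical helper that needs boto3 and AWS credentials and is not called at import time.

```python
"""Steps 2-4 (IAM provider, policy, role) expressed in code.

Constructed example added to this post, not the author's code. The account
id, region, environment and resource names are the placeholders the post
uses; apply_with_boto3() is an added convenience that needs boto3 and AWS
credentials and is never called at import time.
"""
import json
import re

# The audience the role's trust policy requires (step 31).
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def mwaa_user_policy(region: str, account_id: str, environment: str) -> dict:
    """Permission policy from step 20: allow the federated principal to mint an
    Airflow web-login token as the environment's "User" role."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account id must be 12 digits with no hyphens (step 21)")
    if not environment:
        raise ValueError("environment name is required and is case sensitive")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "airflow:CreateWebLoginToken",
                # ENVIRONMENT-NAME is used verbatim: 'exampleenvironment' would not match.
                "Resource": f"arn:aws:airflow:{region}:{account_id}:role/{environment}/User",
            }
        ],
    }


def saml_trust_policy(provider_arn: str) -> dict:
    """Trust policy the 'SAML 2.0 federation' wizard writes (steps 27-31): only
    assertions issued by this provider for the AWS sign-in audience may assume
    the role. The SAML:aud condition is what ties the role to assertions that
    were actually addressed to AWS sign-in."""
    if ":saml-provider/" not in provider_arn:
        raise ValueError("expected an IAM SAML provider ARN")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": provider_arn},
                "Action": "sts:AssumeRoleWithSAML",
                "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
            }
        ],
    }


def apply_with_boto3(metadata_path, provider_name, policy_name, role_name,
                     region, account_id, environment):
    """Create the provider, policy and role through the IAM API and return the
    provider and role ARNs (the values noted in steps 17 and 37). Hypothetical
    helper added for this example; needs boto3 and credentials."""
    import boto3  # imported lazily so the document builders run without it

    iam = boto3.client("iam")
    with open(metadata_path, encoding="utf-8") as fh:
        provider_arn = iam.create_saml_provider(
            SAMLMetadataDocument=fh.read(), Name=provider_name
        )["SAMLProviderArn"]
    policy_arn = iam.create_policy(
        PolicyName=policy_name,
        PolicyDocument=json.dumps(mwaa_user_policy(region, account_id, environment)),
    )["Policy"]["Arn"]
    role_arn = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(saml_trust_policy(provider_arn)),
    )["Role"]["Arn"]
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    return provider_arn, role_arn


if __name__ == "__main__":
    # Print both documents for the post's example account and environment.
    print(json.dumps(mwaa_user_policy("us-east-1", "012345678910", "ExampleEnvironment"), indent=2))
    print(json.dumps(saml_trust_policy(
        "arn:aws:iam::012345678910:saml-provider/AWS_SSO_ExampleEnvironment"), indent=2))
```

Run it as-is to print the two documents and compare them against what the console produced; with boto3 installed and credentials in place, apply_with_boto3("SAMLMetaData.xml", "AWS_SSO_ExampleEnvironment", "MWAA_ExampleEnvironment_User_Policy", "MWAA_ExampleEnvironment_User_Role", "us-east-1", "012345678910", "ExampleEnvironment") performs steps 12 to 37 in one call.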

5. Create the AWS SSO Attribute Mappings (AWS SSO)

With the Identity Provider, IAM Role, and permissions in place, let’s jump back to the AWS SSO console and configure the Attribute Mappings.

Step 38: In the left pane, choose Applications.

Step 39: Choose the application that was created in Create the AWS SSO Application for Amazon MWAA. In this document the application was named MWAA ExampleEnvironment.

Step 40: Choose the Attribute mappings tab.

Step 41: Add the following attributes.

The value mapped to the attribute https://aws.amazon.com/SAML/Attributes/Role (in the Map ... to this string value or user attribute in AWS SSO column) uses the format: "Role ARN, Identity Provider ARN".

Use the ARNs noted in steps 17 and 37 to construct this value.
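
Because the Role attribute is a free-text string, a typo in it only shows up as a failed sign-in in step 49. The following is an added example, not the author's code, that checks a Role attribute value before it is saved: exactly two IAM ARNs joined by a comma, a role ARN first and a saml-provider ARN second, both in the same account. The sample value is constructed from the two ARNs this post notes in steps 17 and 37.

```python
"""Check a Role attribute value of the form "Role ARN,Identity Provider ARN".

Constructed example added to this post, not the author's code. The sample
value is built from the ARNs the post notes in steps 17 and 37.
"""
import re

# Either half of the pair: an IAM ARN whose account id and resource type are captured.
IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/([^,\s]+)$")

# Constructed from the post's example ARNs.
EXAMPLE_ROLE_ATTRIBUTE = (
    "arn:aws:iam::012345678910:role/MWAA_ExampleEnvironment_User_Role,"
    "arn:aws:iam::012345678910:saml-provider/AWS_SSO_ExampleEnvironment"
)


def check_role_attribute(value: str) -> list:
    """Return a list of problems with the value; an empty list means it is well formed."""
    problems = []
    parts = value.split(",")
    if len(parts) != 2:
        problems.append(
            f"expected exactly one comma separating two ARNs, found {len(parts) - 1}"
        )
        return problems
    if any(p != p.strip() for p in parts):
        # The documented form is ARN,ARN with nothing around the comma.
        problems.append("remove whitespace around the comma")
    matches = [IAM_ARN.match(p.strip()) for p in parts]
    if not all(matches):
        problems.append("both halves must be IAM role or saml-provider ARNs")
        return problems
    (acct1, kind1, _), (acct2, kind2, _) = (m.groups() for m in matches)
    if (kind1, kind2) == ("saml-provider", "role"):
        problems.append("order is reversed: the role ARN comes first, the provider ARN second")
    elif (kind1, kind2) != ("role", "saml-provider"):
        problems.append(f"expected a role ARN and a saml-provider ARN, got {kind1} and {kind2}")
    if acct1 != acct2:
        # The provider and the role it vouches for live in the same account in this setup.
        problems.append(f"role account {acct1} and provider account {acct2} differ")
    return problems


if __name__ == "__main__":
    for candidate in (
        EXAMPLE_ROLE_ATTRIBUTE,
        ",".join(reversed(EXAMPLE_ROLE_ATTRIBUTE.split(","))),
        "arn:aws:iam::012345678910:role/MWAA_ExampleEnvironment_User_Role",
    ):
        print(candidate)
        print("  ok" if not check_role_attribute(candidate) else
              "\n".join("  " + p for p in check_role_attribute(candidate)))
```

Paste the exact string you intend to enter in the mapping as the argument; an empty result means it matches the "Role ARN, Identity Provider ARN" shape the post describes.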

Step 42: Choose Save changes.

6. Assign User(s) and Test

To test, assign a user from your directory to the application.

Step 43: From the AWS SSO dashboard, choose Applications in the left-hand pane.

Step 44: Click on the application that was created. In this document, the application was named MWAA ExampleEnvironment.

Step 45: Choose the Assigned Users tab, then choose Assign users.

Step 46: Choose whether to search Groups or Users. Users is selected by default.

Step 47: Select the users/groups and choose Assign users.

Step 48: On the AWS SSO dashboard, find the User portal URL and log in; this prompts for the MGIC account login.

Step 49: Choose the application.

Let's connect via LinkedIn — https://linkedin.com/in/hari-kiran-vusirikala/
