Enabling federation with AWS Single Sign-On and Amazon MWAA

  1. Create the AWS SSO Application for Amazon MWAA (AWS SSO)
  2. Create the Amazon MWAA Identity Provider (IAM)
  3. Create a Policy for the Amazon MWAA user access role (IAM)
  4. Create the Amazon MWAA user access role (IAM)
  5. Create the AWS SSO Attribute Mappings (AWS SSO)
  6. Assign User(s) and Test

1. Create the AWS SSO Application for Amazon MWAA (AWS SSO)

First create the AWS SSO application for Amazon MWAA and download the metadata.

2. Create the Amazon MWAA Identity Provider (IAM)

Next, in AWS Identity and Access Management (IAM), create the SAML Identity Provider (IdP) from the AWS SSO metadata you downloaded in the previous step.

3. Create a Policy for the Amazon MWAA user access role (IAM)

Use the following policy document to create the MWAA_ExampleEnvironment_User_Policy policy. It allows the single action airflow:CreateWebLoginToken against the User role of one environment, which is what grants the federated user User-level access to the Airflow UI of that environment and nothing more:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "airflow:CreateWebLoginToken",
          "Resource": "arn:aws:airflow:<REGION-CODE>:<ACCOUNT-ID-WITHOUT-HYPHENS>:role/<ENVIRONMENT-NAME>/User"
        }
      ]
    }

4. Create the Amazon MWAA user access role (IAM)

Next, create a SAML 2.0 federation IAM role and attach the policy from the previous step. The role's trust policy establishes the trust relationship between IAM and the Identity Provider (IdP), AWS SSO, so that only assertions from that IdP can assume the role.
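The three IAM steps above (2, 3 and 4) scripted together, as an added example that is not code from the article: it builds the step 3 policy and the trust policy for the step 4 SAML 2.0 federation role, refuses to proceed unless the policy is scoped to a single environment's User role, and applies everything through a boto3 IAM client that the caller supplies. The provider, role and policy names, region and account ID used with it are assumed placeholders.

```python
import json
import re

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # fixed audience for AWS SAML sign-in
# Airflow roles at or below the User level the article grants; Admin and Op are rejected.
_USER_ROLE_ARN = re.compile(
    r"^arn:aws:airflow:[a-z0-9-]+:\d{12}:role/[A-Za-z0-9_.-]+/(User|Viewer)$")

def user_policy_document(region, account_id, environment_name, airflow_role="User"):
    """Step 3 permission policy: a web login token for one environment's Airflow role."""
    resource = f"arn:aws:airflow:{region}:{account_id}:role/{environment_name}/{airflow_role}"
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "airflow:CreateWebLoginToken",
                           "Resource": resource}]}

def saml_trust_policy_document(saml_provider_arn):
    """Step 4 role trust: only this IdP, and only assertions addressed to AWS sign-in."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Federated": saml_provider_arn},
                           "Action": "sts:AssumeRoleWithSAML",
                           "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}}}]}

def is_scoped_user_policy(policy):
    """One Allow statement, one action, a concrete environment/role ARN (no '*', no Admin)."""
    stmts = policy.get("Statement", [])
    if len(stmts) != 1:
        return False
    s = stmts[0]
    if s.get("Effect") != "Allow" or s.get("Action") != "airflow:CreateWebLoginToken":
        return False
    return isinstance(s.get("Resource"), str) and bool(_USER_ROLE_ARN.match(s["Resource"]))

def create_federation_resources(iam, metadata_xml, provider_name, role_name, policy_name,
                                region, account_id, environment_name):
    """Steps 2-4 with a caller-supplied boto3 IAM client (boto3.client('iam')): SAML IdP
    from the downloaded metadata, the scoped policy, and a role that trusts the IdP."""
    policy = user_policy_document(region, account_id, environment_name)
    if not is_scoped_user_policy(policy):
        raise ValueError("refusing to create an over-broad MWAA policy")
    provider_arn = iam.create_saml_provider(
        SAMLMetadataDocument=metadata_xml, Name=provider_name)["SAMLProviderArn"]
    policy_arn = iam.create_policy(
        PolicyName=policy_name, PolicyDocument=json.dumps(policy))["Policy"]["Arn"]
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(saml_trust_policy_document(provider_arn)))
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    return provider_arn, policy_arn
```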

5. Create the AWS SSO Attribute Mappings (AWS SSO)

With the Identity Provider, IAM role, and permissions in place, return to the AWS SSO console and configure the attribute mappings for the application so that the SAML assertion carries the role and provider ARNs the federation role expects.

6. Assign User(s) and Test

To test, assign a user from your directory to the application, sign in through the AWS SSO user portal, and confirm that the Amazon MWAA environment's Airflow UI opens with the User role.
