When you choose the Create new role option on the console, Amazon MWAA attaches the minimal permissions needed by an environment to your execution role. In some cases, Amazon MWAA attaches the maximum permissions. For example, we recommend choosing the option on the Amazon MWAA console to create an execution role when you create an environment. Amazon MWAA adds the permissions policies for all CloudWatch Logs groups automatically by using the regex pattern in the execution role as "arn:aws:logs:your-region:your-account-id:log-group:airflow-your-environment-name-*".

How to add permission to use other AWS services

Amazon MWAA can't add or edit permission policies to an existing execution role after an environment is created. You must update your execution role with additional permission policies needed by your environment. For example, if your DAG requires access to AWS Glue, Amazon MWAA can't automatically detect these permissions are required by your environment, or add the permissions to your execution role.

You can add permissions to an execution role in two ways:

- By modifying the JSON policy for your execution role inline. You can use the sample JSON policy documents on this page to either add to or replace the JSON policy of your execution role on the IAM console.
- By creating a JSON policy for an AWS service and attaching it to your execution role. You can use the steps on this page to associate a new JSON policy document for an AWS service to your execution role on the IAM console.

Assuming the execution role is already associated to your environment, Amazon MWAA can start using the added permission policies immediately. This also means if you remove any required permissions from an execution role, your DAGs may fail.

You can change the execution role for your environment at any time. If a new execution role is not already associated with your environment, use the steps on this page to create a new execution role policy, and associate the role to your environment.

Create a new role

By default, Amazon MWAA creates an AWS owned key for data encryption and an execution role on your behalf. You can choose the default options on the Amazon MWAA console when you create an environment. The following image shows the default option to create an execution role for an environment.

"Action": "s3:GetAccountPublicAccessBlock",

For more information about restricting access to your Amazon S3 buckets, see Blocking public access to your Amazon S3 storage in the Amazon Simple Storage Service User Guide.

You can also create an Apache Airflow connection and specify your execution role and its ARN in your Apache Airflow connection object. To learn more, see Managing connections to Apache Airflow.