MWAA Webserver UI Forbidden

  1. I have created Private MWAA environment
  2. Create EC2 bastion for port forwaring
  3. Running ssh tunnel from my localhost and trying to open UI
  4. I can see Airflow UI requesting SSO login.
  5. I generated token with "aws mwaa create-web-login-token"

https://localhost:8888/aws_mwaa/aws-console-sso?login=true#eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJ3ZWIiLCJyb2xlcyI6IkFkbWluIiwiZXhwIjoxNzA0ODc5ODk5LCJ1c2VyIjoiYXNzdW1lZC1yb2xlL0FXU1Jlc2VydmVkU1NPX0FXU0FkbWluaXN0cmF0b3JBY2NlS0I1eXU1QjdMcjlvRG91QSJ9.H2uBzOmG8E7hIYaHEIbwoXbCPFeXjHf1y5tvUPULdlW3pJHoqbVNUGzM-Az95BW1RI5NrChd2aFqgop7IiceqQ2DbWD4zwEueizje0O_caNDzqWds6xaCZx3WcvVPmtDsBqqSuofSFolna50iFFIvMHkA9JkpWpGnaaP_jMsVx_ul1uxmJzQbCBeJXzkXmR6LnG7PcGiPdaTmXddaGgc-GMTm6l4MgotbDIaBnP-cyzvdrz5szqb32SSFy5fhg4w-A5z7AzwTOF2eTYgqYQ6Myl5rl4ryNteoID633zUstrPWtFC1-lHB3xJZhkfhIpTew8eEexGqinh6DK_xOKpsA 6. Trying to UI with token and getting Forbidden error.

Enter image description here

webserver logs:

Maybe somebody can help me on what I am doing wrong?

**FOLLOWUP: I attached AdministratorAccess to role that was created by MWAA automatically **

how can I figure out which role was missing?

1 Answer
Accepted Answer

Hello, I'm assuming that you're following the steps outlined in this documentation:

It is important to note that the generated web-login-token is only valid for 60 seconds. Thus, it is important to access the Airflow URL with the token before it expires. If you're still facing the error even after ensuring timely login, the issue could be related to the IAM permissions. For the IAM execution role created during MWAA environment creation, it should already have the required permissions. Whereas, for login into Airflow UI, your own IAM role/user needs to have the airflow:CreateWebLoginToken permission as mentioned here:

I hope this helps.

answered 4 months ago

