Hi,
Thank you for using AWS MWAA.
With the details provided, MWAA traffic going over the ALB/custom DNS record will be redirected for SSO authentication and then to the VPC endpoint. So, in your case the redirection behaviour is working as expected, because currently MWAA does not support webserver aliases even though the custom DNS/ALB is set up successfully.
To give some context here, the Web UI in Managed Airflow (MWAA) is designed to be accessed using SSO authentication via an IAM user/role. This is because the SSO tends to redirect to the webserver URL defined in the environment rather than the referrer custom domain. So, after login, it goes back to the default web-server domain. However, you can bypass the SSO authentication page and access the Web UI directly using the MWAA web-token feature; please see below:
https://docs.aws.amazon.com/mwaa/latest/userguide/call-mwaa-apis-web.html
Basically, the web-token feature allows you to authenticate access externally by using IAM credentials to generate a web token (which is valid for 60 seconds) that can be inserted into the URL of your Airflow UI.
Although this is a different scenario, please check this technical guide that explains in detail how to use a public-facing ALB + Amazon Cognito + AWS Lambda to build a solution that handles this scenario.
Hi, thanks for the help. Our company currently only allows users to assume roles and we do use a custom SAML federation method to gain access to AWS. I am also fairly new to AWS and the networking aspect so I have a few questions.
So when I access the UI through the link provided in the MWAA console, it is taking me directly to the VPC endpoint DNS, is that correct? Is this a custom domain? We didn't set up anything custom, and from my understanding MWAA set up a VPC endpoint that is associated with the IP address for the web server in each subnet (2 total). Why exactly do I receive an error stating "This site can't be reached" at this point? When I access the ALB A-record, it forwards the request to the target group (MWAA Webserver VPC endpoint IPs)? Here it asks me to authenticate via "AWS Management Console SSO". We only use assume-IAM-role capabilities at this stage, but the role I am assuming prior to accessing the ALB has the ability to generate the web token with the IAM permission for airflow:CreateWebLoginToken. After authenticating, the browser URL changes to ####-vpce.c71.us-east-1.airflow.amazonaws.com/aws_mwaa/aws-console-sso?login=true#<WEB_TOKEN>, so it seems like I am able to get the web token and I am redirected to the VPC endpoint DNS. I guess I just don't understand here why this also fails. In what use case then would the ALB be needed? We would ideally like to have the ALB/link in the MWAA console as our access method for end users.
Is there any way we can still use the UI link from the MWAA console to generate the token but then forward users to the proper location?
I am able to use the AWS CLI and generate a web token for MWAA. I then build the URL as described in the MWAA docs with my generated token. The Airflow UI starts to load and then it says Forbidden. I inspected my token in a JWT browser and it shows:
{ "aud": "web", "roles": "Admin", "exp": 1662135243, "user": "assumed-role/AWSReservedSSO_AWSAdministratorAcceaz5WEAHXskQftf7p" }
So what am I doing wrong?
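The web-token flow from the answer above (generate a token with IAM credentials, put it in the UI URL within 60 seconds) and the local token inspection from the last comment (reading "aud", "roles" and "exp" out of the JWT) are shown together here as an added example; this is not code from the original thread or from AWS. The create_web_login_token boto3 call and the URL layout follow the MWAA user guide linked above; the JWT is decoded without signature verification, purely to look at its claims, and the sample token below is constructed for the offline demo, not a real MWAA token. The environment name, region and webserver hostname are placeholders.

```python
"""Generate a short-lived MWAA web login token, build the Airflow UI URL,
and inspect the token's claims locally before opening it.

Added example, not taken from the thread or from AWS documentation code.
Decoding the JWT here does NOT verify its signature; only the MWAA
webserver can do that, so this is strictly for reading exp/aud/roles.
"""
import base64
import json
import time
from typing import Optional

# Documented lifetime of an MWAA web login token.
WEB_TOKEN_TTL_SECONDS = 60


def build_airflow_ui_url(webserver_hostname: str, web_token: str) -> str:
    """URL layout from the MWAA user guide:
    https://{WebServerHostname}/aws_mwaa/aws-console-sso?login=true#{WebToken}
    The token sits in the URL fragment, so the browser does not send it in
    the HTTP request line; the page's JavaScript reads it after load."""
    return f"https://{webserver_hostname}/aws_mwaa/aws-console-sso?login=true#{web_token}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_seconds_remaining(payload: dict, now: Optional[float] = None) -> float:
    """Seconds until the 'exp' claim (negative when the token has expired)."""
    now = time.time() if now is None else now
    return payload["exp"] - now


def create_login_url(environment_name: str, region: str) -> str:
    """Call mwaa:CreateWebLoginToken (the caller needs the IAM action
    airflow:CreateWebLoginToken on the environment) and return a URL that
    must be opened within WEB_TOKEN_TTL_SECONDS. Needs network and AWS
    credentials, so it is not exercised in the offline demo below."""
    import boto3  # imported lazily so the rest of the module runs offline
    client = boto3.client("mwaa", region_name=region)
    resp = client.create_web_login_token(Name=environment_name)
    return build_airflow_ui_url(resp["WebServerHostname"], resp["WebToken"])


def _constructed_token(claims: dict) -> str:
    """Unsigned JWT (alg=none, empty signature) for the offline demo.
    Constructed data; MWAA would reject a token like this."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Placeholder hostname; a real one comes back from create_web_login_token.
    hostname = "example-vpce.c71.us-east-1.airflow.amazonaws.com"
    sample = _constructed_token({
        "aud": "web",
        "roles": "Admin",
        "exp": int(time.time()) + WEB_TOKEN_TTL_SECONDS,
        "user": "assumed-role/ExampleRole",
    })
    claims = decode_jwt_payload(sample)
    print(build_airflow_ui_url(hostname, sample))
    print(f"aud={claims['aud']} roles={claims['roles']} "
          f"{token_seconds_remaining(claims):.0f}s left")
```

Running the module prints a URL built from a constructed token; swapping in create_login_url("my-environment", "us-east-1") produces a real one, which has to be opened before the 60-second window closes. Checking exp locally tells you whether the token was still valid when the browser loaded it, but it cannot tell you why the webserver answered Forbidden, since only the webserver validates the signature and the role mapping.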