How to access AWS services from Astronomer deployments using STS assume role?

sushanth_ca · February 8, 2024, 4:25pm

Each of the deployments come with a workload identity when we create the deployment. I have another iam role in an AWS account that has access to specific secret in secretmanager and to an s3 bucket.
I want the deployment workload identity to do an sts and then access the corresponding AWS resources.

I followed Astronomer’s documentation
Authorize an Astro Deployment to cloud resources using workload identity | Astronomer Documentation . But this doesn’t work. As per the documentation Astronomer deployment workload identity will automatically do as STS, but it doesn’t happen in reality.

Any guidance is appreciated

manmeet · February 16, 2024, 2:48pm

Hello @sushanth_ca

Could you verify the following:

You created a role with permissions to access the S3 bucket and the AWS Secret Manager
You edited the Trust Relationship of the Role to include the WI of the Deployment to assume the role
You created a connection with the Role you created in Step #1 and it’s associated region
You are using the connection created in Step #3 in your DAG.

Also, could you please share the error you are getting in the Task Log.

Thanks
Manmeet

Topic		Replies	Views
Can I integrate IAM roles with Astronomer? Astronomer Software (Enterprise)	1	3061	June 16, 2020
Best Practice for interacting with AWS Services from Astro CLI local Astro CLI	3	2493	September 16, 2021
Airflow Connection to AWS Aurora DB w/IAM role Airflow	1	3162	August 11, 2021
How to view Astronomer users on cloud / enterprise?	2	1860	November 2, 2020
Airflow Deployment permission denied Astronomer Software (Enterprise)	0	2419	July 23, 2020

How to access AWS services from Astronomer deployments using STS assume role?

Related topics