How to access AWS services from Astronomer deployments using STS assume role?

Each of the deployments comes with a workload identity when we create the deployment. I have another IAM role in an AWS account that has access to a specific secret in Secrets Manager and to an S3 bucket.
I want the deployment workload identity to do an STS assume role and then access the corresponding AWS resources.

I followed Astronomer’s documentation
“Authorize an Astro Deployment to cloud resources using workload identity | Astronomer Documentation”. But this doesn’t work. As per the documentation, the Astronomer deployment workload identity will automatically do an STS assume role, but it doesn’t happen in reality.

Any guidance is appreciated.

Hello @sushanth_ca

Could you verify the following:

  1. You created a role with permissions to access the S3 bucket and AWS Secrets Manager.
  2. You edited the Trust Relationship of the Role to include the WI of the Deployment to assume the role.
  3. You created a connection with the Role you created in Step #1 and its associated region.
  4. You are using the connection created in Step #3 in your DAG.

Also, could you please share the error you are getting in the Task Log.

Thanks
Manmeet
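To make steps 2 and 3 above concrete, here is an added example (not from the poster or from Astronomer) that builds the trust policy the target role needs, checks an existing trust policy document (as returned by `aws iam get-role`) for the workload identity principal, and produces the Extra field of the Airflow `aws` connection. All ARNs and the region are constructed placeholders.

```python
import json

# Constructed placeholders: replace with the Deployment's workload identity ARN
# (shown in the Astro UI) and the IAM role in your own AWS account.
WORKLOAD_IDENTITY_ARN = "arn:aws:iam::111111111111:role/EXAMPLE-astro-workload-identity"
TARGET_ROLE_ARN = "arn:aws:iam::222222222222:role/EXAMPLE-astro-s3-secrets-role"
REGION = "us-east-1"


def build_trust_policy(principal_arn: str) -> dict:
    """Trust relationship (step 2): only the workload identity may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def _as_list(value) -> list:
    # IAM allows a single string or a list in Principal/Action fields.
    return value if isinstance(value, list) else [value]


def trust_policy_allows(policy: dict, principal_arn: str) -> bool:
    """True if an Allow statement names principal_arn explicitly for sts:AssumeRole.

    A wildcard principal ("*") is deliberately not treated as a match: the
    check is for the least-privilege trust the Astronomer docs describe.
    """
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal_arn in aws_principals and "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            return True
    return False


def connection_extra(role_arn: str, region: str) -> str:
    """Extra field for the Airflow 'aws' connection (step 3); role_arn triggers AssumeRole."""
    return json.dumps({"role_arn": role_arn, "region_name": region})


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(WORKLOAD_IDENTITY_ARN), indent=2))
    print(connection_extra(TARGET_ROLE_ARN, REGION))
```

Paste the connection Extra into the Astro/Airflow connection used by the DAG; if `trust_policy_allows` returns False for the role's real trust policy, the AssumeRole call in the task log will be denied.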