Jean Guinvarch

Reputation: 9

Authentication from external source

Issue with MWAA API Access from IICS (Informatica Intelligent Cloud Services)

I'm attempting to call the MWAA REST endpoint (/events/datasets) from IICS (Informatica Intelligent Cloud Services).

MWAA (Managed Workflows for Apache Airflow) is hosted inside an AWS VPC.

The MWAA Web UI is publicly accessible (hosted in a public subnet), but the web server itself is inside a private subnet, making it inaccessible for direct API communication. The IICS runtime environment is also hosted on AWS but not within the same instance or VPC as MWAA.

I've set up the integration as follows:

Issue Encountered

When running the task, I receive a 200 response, but instead of the expected API response, I get redirected to the Microsoft authentication page.

My organization uses Microsoft authentication (SSO) to access the MWAA Web UI. This suggests that the API request is being redirected to the authentication page instead of processing the request.

Potential Solutions I'm considering:

  1. Whitelist the IICS Runner IP & Configure Access to MWAA

Since the API call is made from outside the AWS VPC, the standard InvokeRestApi action (which usually works when calling APIs inside AWS) may not be useful. AWS suggests configuring the aws:SourceVpc key to allow external access to the private VPC, but I am unsure where and how to configure this.

Would whitelisting the IICS runner's IP address help establish a connection to MWAA?

  2. Use a Web Server Access Token for Authentication

AWS allows generating a web server access token to authenticate API requests. IICS has a component to execute AWS CLI commands, which might be used to generate this token. Once authenticated via the web server token, subsequent API requests might work.

Any insights or alternative solutions would be greatly appreciated!

Upvotes: -1

Views: 16
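Added example, not part of the original question and not AWS or Informatica code: option 2 in Python, exchanging the token returned by boto3's `create_web_login_token` for an Airflow session cookie at `/aws_mwaa/login`, then refusing a 200 response that is really a login page. The `http_post` helper, the function names and the sample hostnames are assumptions made for this example, and it assumes the web server hostname is reachable from the caller's network.

```python
import json
from urllib.parse import urlsplit


def login_with_web_token(mwaa_client, http_post, env_name):
    """Exchange a short-lived MWAA web login token for an Airflow session cookie.

    mwaa_client: boto3.client("mwaa"), or a stand-in with the same method.
    http_post:   assumed helper, callable(url, form_data) -> (status, cookies),
                 e.g. a wrapper around requests.post(url, data=form_data).
    """
    resp = mwaa_client.create_web_login_token(Name=env_name)
    host = resp["WebServerHostname"]
    status, cookies = http_post(f"https://{host}/aws_mwaa/login",
                                {"token": resp["WebToken"]})
    if status != 200 or "session" not in cookies:
        raise RuntimeError(f"MWAA login failed with HTTP {status}")
    return host, cookies["session"]


def parse_api_response(expected_host, final_url, status, content_type, body):
    """Return the decoded JSON, refusing a 200 that is really a login page."""
    final_host = urlsplit(final_url).hostname
    if final_host != expected_host:
        raise RuntimeError(f"redirected away from the web server to {final_host}")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    if "json" not in content_type.lower():
        raise RuntimeError(f"expected JSON, got content type {content_type!r}")
    return json.loads(body)


if __name__ == "__main__":
    # Constructed stand-ins so the example runs offline; values are not real.
    class FakeMwaa:
        def create_web_login_token(self, Name):
            return {"WebServerHostname": "example.airflow.invalid",
                    "WebToken": "constructed-token"}

    def fake_post(url, form_data):
        return 200, {"session": "constructed-cookie"}

    host, cookie = login_with_web_token(FakeMwaa(), fake_post, "my-env")
    print(host, cookie)
    try:
        # Constructed case from the question: 200 OK, but an SSO HTML page.
        parse_api_response(host, "https://login.example.invalid/authorize",
                           200, "text/html", "<html>Sign in</html>")
    except RuntimeError as err:
        print("rejected:", err)
```
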

Answers (0)
