ashb commented on code in PR #29623: URL: https://github.com/apache/airflow/pull/29623#discussion_r1113244622
########## airflow/providers/amazon/aws/hooks/base_aws.py: ########## @@ -312,19 +312,35 @@ def _get_web_identity_credential_fetcher( base_session = self.basic_session._session or botocore.session.get_session() client_creator = base_session.create_client federation = self.extra_config.get("assume_role_with_web_identity_federation") - if federation == "google": - web_identity_token_loader = self._get_google_identity_token_loader() - else: - raise AirflowException( - f'Unsupported federation: {federation}. Currently "google" only are supported.' - ) + + web_identity_token_loader = ( + { + "file": self._get_file_token_loader, + "google": self._get_google_identity_token_loader, + }.get(federation)() + if type(federation) == str + else None + )

Review Comment:

Speaking strictly from a user feature point of view: Supporting this feature in Airflow connections that work with any AWS operator is a huge win. So the DAG approach you have right now isn't really viable, not for users who aren't proficient in Python -- which, let's not forget, is many Airflow users.

So let's state my ground truth: Being able to configure an AWS connection exclusively through the Airflow UI to use a web identity token, that can then be used with all existing AWS operators, is a good feature and one we will accept.

We can talk about implementation details, but "just write a Python operator to do it" is not an answer to this problem.
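Review bot: In the added `web_identity_token_loader` expression, `}.get(federation)()` calls whatever the dict lookup returns, so any string other than "file" or "google" makes `.get` return None and the call fails with a TypeError ('NoneType' object is not callable) instead of the removed AirflowException that named the unsupported federation. Suggest doing the lookup first, raising AirflowException with the offending value and the supported keys when it is missing, and only then calling the loader. Two smaller points on the same lines: `type(federation) == str` is better written as `isinstance(federation, str)`, and the `else None` branch now leaves the loader as None when the extra is absent or not a string, where the old code raised; the visible lines do not show how a None loader is handled afterwards, so either confirm that path or keep the explicit error there as well.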