NiFi supports SAML and OIDC for SSO so you could use AWS Cognito or another
identity management solution like Keycloak but NiFi itself doesn’t support IAM
authentication like AWS RDS and OpenSearch do.
Thanks
Shawn
On Mar 17, 2023, at 9:51 AM, James McMahon wrote:
Hello. We run nifi on an AWS EC2 instance. I currently employ certs for nifi
user authentication. The CA is in our nifi truststore. Users install certs
issued by the CA in their browsers. I've set up a parsing pattern in
nifi.properties to extract user identities from the CN of the cert, and I
employ those user identities to compare against entries in nifi policies and
nifi groups to authorize what each user is entitled to do within nifi.
My team lead has asked whether we can replace the CA and certificates
dependency with AWS IAM, and it is not clear to me that such a change would be
possible. Can anyone refer me to a guide that shows whether IAM can supplant
authentication to NiFi by cert and authorization by IAM identity against nifi
user and group policies?
It seems to me that IAM is ideal for identity and access management to AWS
resources. For example, we can set up roles to permit and control access to S3
buckets, or to control access to services like AWS Lambda. But IAM is not
intended to be used as a CA or as an authorization mechanism to/within nifi. Am
I mistaken?
Thank you in advance.