feat: add dev airflow roles & groups for webserver client#191
Merged
sandrahoang686 merged 5 commits intofeat/airflow-webserver-clientfrom Feb 19, 2026
Merged
Conversation
Diff for stage: DefaultStageWarning 1 Destructive Changes Diff for stack: veda-keycloak-dev - 0 to add, 3 to update, 0 to destroy ❌Details
Resources
[~] AWS::ECS::TaskDefinition configConfigTaskDef650ED3A2 replace
└─ [~] ContainerDefinitions (requires replacement)
└─ @@ -28,7 +28,7 @@
[ ] ],
[ ] "Essential": true,
[ ] "Image": {
[-] "Fn::Sub": "853558080719.dkr.ecr.us-west-2.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-853558080719-us-west-2:108a527be621fe9c36686c48a1f61cbe18e8406a2a5b5ec910d846948358d99b"
[+] "Fn::Sub": "853558080719.dkr.ecr.us-west-2.${AWS::URLSuffix}/cdk-hnb659fds-container-assets-853558080719-us-west-2:c2120f66f2c98393141f72e3b50fa0fe159624134dea4fa7967462b7105cb1e8"
[ ] },
[ ] "LogConfiguration": {
[ ] "LogDriver": "awslogs",
@@ -71,13 +71,13 @@
[ ] }
[ ] },
[ ] {
[-] "Name": "GHGC_AIRFLOW_STAC_ETL_CLIENT_ID",
[+] "Name": "JUPYTERHUB_MAAP_CLIENT_ID",
[ ] "ValueFrom": {
[ ] "Fn::Join": [
[ ] "",
[ ] [
[ ] {
[-] "Ref": "configghgcairflowstacetlclientsecret51E33BCC"
[+] "Ref": "configjupyterhubmaapclientsecretD6DDBC4E"
[ ] },
[ ] ":id::"
[ ] ]
@@ -85,13 +85,13 @@
[ ] }
[ ] },
[ ] {
[-] "Name": "GHGC_AIRFLOW_STAC_ETL_CLIENT_SECRET",
[+] "Name": "JUPYTERHUB_MAAP_CLIENT_SECRET",
[ ] "ValueFrom": {
[ ] "Fn::Join": [
[ ] "",
[ ] [
[ ] {
[-] "Ref": "configghgcairflowstacetlclientsecret51E33BCC"
[+] "Ref": "configjupyterhubmaapclientsecretD6DDBC4E"
[ ] },
[ ] ":secret::"
[ ] ]
@@ -99,34 +99,6 @@
[ ] }
[ ] },
[ ] {
[-] "Name": "GHGC_AIRFLOW_INGEST_API_ETL_CLIENT_ID",
[-] "ValueFrom": {
[-] "Fn::Join": [
[-] "",
[-] [
[-] {
[-] "Ref": "configghgcairflowingestapietlclientsecretE163E385"
[-] },
[-] ":id::"
[-] ]
[-] ]
[-] }
[-] },
[-] {
[-] "Name": "GHGC_AIRFLOW_INGEST_API_ETL_CLIENT_SECRET",
[-] "ValueFrom": {
[-] "Fn::Join": [
[-] "",
[-] [
[-] {
[-] "Ref": "configghgcairflowingestapietlclientsecretE163E385"
[-] },
[-] ":secret::"
[-] ]
[-] ]
[-] }
[-] },
[-] {
[ ] "Name": "GRAFANA_CLIENT_ID",
[ ] "ValueFrom": {
[ ] "Fn::Join": [
@@ -351,13 +323,13 @@
[ ] }
[ ] },
[ ] {
[-] "Name": "JUPYTERHUB_MAAP_CLIENT_ID",
[+] "Name": "GHGC_AIRFLOW_STAC_ETL_CLIENT_ID",
[ ] "ValueFrom": {
[ ] "Fn::Join": [
[ ] "",
[ ] [
[ ] {
[-] "Ref": "configjupyterhubmaapclientsecretD6DDBC4E"
[+] "Ref": "configghgcairflowstacetlclientsecret51E33BCC"
[ ] },
[ ] ":id::"
[ ] ]
@@ -365,13 +337,13 @@
[ ] }
[ ] },
[ ] {
[-] "Name": "JUPYTERHUB_MAAP_CLIENT_SECRET",
[+] "Name": "GHGC_AIRFLOW_STAC_ETL_CLIENT_SECRET",
[ ] "ValueFrom": {
[ ] "Fn::Join": [
[ ] "",
[ ] [
[ ] {
[-] "Ref": "configjupyterhubmaapclientsecretD6DDBC4E"
[+] "Ref": "configghgcairflowstacetlclientsecret51E33BCC"
[ ] },
[ ] ":secret::"
[ ] ]
@@ -379,6 +351,34 @@
[ ] }
[ ] },
[ ] {
[+] "Name": "GHGC_AIRFLOW_INGEST_API_ETL_CLIENT_ID",
[+] "ValueFrom": {
[+] "Fn::Join": [
[+] "",
[+] [
[+] {
[+] "Ref": "configghgcairflowingestapietlclientsecretE163E385"
[+] },
[+] ":id::"
[+] ]
[+] ]
[+] }
[+] },
[+] {
[+] "Name": "GHGC_AIRFLOW_INGEST_API_ETL_CLIENT_SECRET",
[+] "ValueFrom": {
[+] "Fn::Join": [
[+] "",
[+] [
[+] {
[+] "Ref": "configghgcairflowingestapietlclientsecretE163E385"
[+] },
[+] ":secret::"
[+] ]
[+] ]
[+] }
[+] },
[+] {
[ ] "Name": "GH_CLIENT_ID",
[ ] "ValueFrom": "arn:aws:secretsmanager:us-west-2:853558080719:secret:veda-keycloak-gh-oauth-creds-dXqTIU:id::"
[ ] },
[~] AWS::IAM::Policy configConfigTaskDefExecutionRoleDefaultPolicyB2F7D3D0
└─ [~] PolicyDocument
└─ [~] .Statement:
└─ @@ -54,7 +54,7 @@
[ ] ],
[ ] "Effect": "Allow",
[ ] "Resource": {
[-] "Ref": "configghgcairflowstacetlclientsecret51E33BCC"
[+] "Ref": "configjupyterhubmaapclientsecretD6DDBC4E"
[ ] }
[ ] },
[ ] {
@@ -64,7 +64,7 @@
[ ] ],
[ ] "Effect": "Allow",
[ ] "Resource": {
[-] "Ref": "configghgcairflowingestapietlclientsecretE163E385"
[+] "Ref": "configgrafanaclientsecretA8C7647C"
[ ] }
[ ] },
[ ] {
@@ -74,7 +74,7 @@
[ ] ],
[ ] "Effect": "Allow",
[ ] "Resource": {
[-] "Ref": "configgrafanaclientsecretA8C7647C"
[+] "Ref": "configairflowstacetlclientsecret4D03E787"
[ ] }
[ ] },
[ ] {
@@ -84,7 +84,7 @@
[ ] ],
[ ] "Effect": "Allow",
[ ] "Resource": {
[-] "Ref": "configairflowstacetlclientsecret4D03E787"
[+] "Ref": "configairflowingestapietlclientsecret9171EF20"
[ ] }
[ ] },
[ ] {
@@ -94,7 +94,7 @@
[ ] ],
[ ] "Effect": "Allow",
[ ] "Resource": {
[-] "Ref": "configairflowingestapietlclientsecret9171EF20"
[+] "Ref": "configjupyterhubdisastersclientsecret7640859E"
[ ] }
[ ] },
[ ] {
@@ -104,7 +104,7 @@
[ ] ],
[ ] "Effect": "Allow",
[ ] "Resource": {
[-] "Ref": "configjupyterhubdisastersclientsecret7640859E"
[+] "Ref": "configingestuiclientsecretFE3C4C92"
[ ] }
[ ] },
[ ] {
@@ -114,7 +114,7 @@
[ ] ],
[ ] "Effect": "Allow",
[ ] "Resource": {
[-] "Ref": "configingestuiclientsecretFE3C4C92"
[+] "Ref": "configdiscourseforumclientsecretBF20DC0A"
[ ] }
[ ] },
[ ] {
@@ -124,7 +124,7 @@
[ ] ],
[ ] "Effect": "Allow",
[ ] "Resource": {
[-] "Ref": "configdiscourseforumclientsecretBF20DC0A"
[+] "Ref": "configumaresourceserverclientsecret18087D88"
[ ] }
[ ] },
[ ] {
@@ -134,7 +134,7 @@
[ ] ],
[ ] "Effect": "Allow",
[ ] "Resource": {
[-] "Ref": "configumaresourceserverclientsecret18087D88"
[+] "Ref": "configearthgovcmsclientsecret90151005"
[ ] }
[ ] },
[ ] {
@@ -144,7 +144,7 @@
[ ] ],
[ ] "Effect": "Allow",
[ ] "Resource": {
[-] "Ref": "configearthgovcmsclientsecret90151005"
[+] "Ref": "configghgcairflowstacetlclientsecret51E33BCC"
[ ] }
[ ] },
[ ] {
@@ -154,7 +154,7 @@
[ ] ],
[ ] "Effect": "Allow",
[ ] "Resource": {
[-] "Ref": "configjupyterhubmaapclientsecretD6DDBC4E"
[+] "Ref": "configghgcairflowingestapietlclientsecretE163E385"
[ ] }
[ ] },
[ ] {
[~] AWS::CloudFormation::Stack sesrelayNestedStacksesrelayNestedStackResource3873FD90
└─ [~] TemplateURL
└─ [~] .Fn::Join:
└─ @@ -5,6 +5,6 @@
[ ] {
[ ] "Ref": "AWS::URLSuffix"
[ ] },
[-] "/cdk-hnb659fds-assets-853558080719-us-west-2/c6c8e5c99a03a9ca805f8f7bea079772bac095cd69c9f584486ece55a27c407d.json"
[+] "/cdk-hnb659fds-assets-853558080719-us-west-2/a1575ac7d3275ccb5db957093b3c9487636544642eda51ffb759c5fe9ac46353.json"
[ ] ]
[ ] ]
Generated for commit 5f0c1e1 at 2026-02-19T18:52:29.453Z |
sandrahoang686
commented
Feb 18, 2026
| - name: Viewer | ||
| description: Limited read permissions | ||
| - name: Dag_Launcher | ||
| description: Programmatic DAG runs |
Contributor
Author
There was a problem hiding this comment.
🗒️ : I've stripped the pre-fix airflow-* and just used the same pattern we currently have for other roles and from the airflow docs. I'm aware that these are mapped like so - here though. Hopefully this is okay?
Contributor
There was a problem hiding this comment.
I think this is fine but would need to be reflected in the mapping you linked as well
sandrahoang686
commented
Feb 18, 2026
| - Editor | ||
| airflow-webserver-fab: | ||
| - Admin | ||
| - Dag_Launcher |
Contributor
Author
There was a problem hiding this comment.
I was unsure how to map Dag_Launcher, lmk if it should be mapped elsewhere.
Contributor
There was a problem hiding this comment.
We should map it to a service account, and make sure we adjust the scripts in veda-data before we push the keycloak changes to prod.
By setting serviceAccountsEnabled: true on the client, we can add a service account like this:
users:
- username: service-account-airflow-webserver-fab
emailVerified: true
enabled: true
serviceAccountClientId: airflow-webserver-fab
clientRoles:
airflow-webserver-fab:
- Dag_Launcher
The auth flow for our automated scripts will then look like this:
token_url = "https://<keycloak>/realms/veda/protocol/openid-connect/token"
client_id = "airflow-webserver-fab"
client_secret = "<secret>" # get this from the keycloak console after deployment
resp = requests.post(token_url, data={
"grant_type": "client_credentials",
"client_id": client_id,
"client_secret": client_secret
})
token = resp.json()["access_token"]
headers = {"Authorization": f"Bearer {token}"}
Contributor
Author
|
Also - how do i test this?? is there a way to manually deploy? |
smohiudd
reviewed
Feb 19, 2026
smohiudd
reviewed
Feb 19, 2026
smohiudd
reviewed
Feb 19, 2026
Contributor
There was a problem hiding this comment.
You'll also need to update the redirects to include:
- http://sm2a.sit.openveda.cloud/oauth-authorized/keycloak
- http://sm2a.dev.openveda.cloud/oauth-authorized/keycloak
- http://sm2a.staging.openveda.cloud/oauth-authorized/keycloak
and web origins:
Also remove the localhost for the redirect and web origins
smohiudd
approved these changes
Feb 19, 2026
sandrahoang686
deleted the
feat/airflow-webserver-fab-roles-and-groups
branch
ividito
added a commit
that referenced
this pull request
Feb 19, 2026
* feat: add dev airflow client for webserver auth testing * feat: add dev airflow roles & groups for webserver client (#191) * add roles * map roles to groups * update to pr comments * set airflow-webserver client serviceAccountsEnabled to true * Add User perms --------- Co-authored-by: sandrahoang686 <sandrahoang686@gmail.com> Co-authored-by: Saadiq Mohiuddin <34844565+smohiudd@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related to: NASA-IMPACT/veda-data-airflow#418, #185
This adds the airflow
Admin,Viewer, andDag_launcherroles and maps them to existing groups in dev.