feat: AWS Cross-Account IAM Authentication for Aurora #37585

Merged: betodealmeida merged 8 commits into master from aurora-aws-iam on Jan 31, 2026

@betodealmeida betodealmeida commented Jan 30, 2026

SUMMARY

This PR adds AWS cross-account IAM authentication support for Aurora PostgreSQL, Aurora MySQL, Redshift Serverless, and provisioned Redshift clusters. This eliminates the need to store long-lived database credentials in Superset by using AWS STS AssumeRole to obtain temporary credentials.

Key changes:

  • New AWSIAMAuthMixin class in superset/db_engine_specs/aws_iam.py that handles:
    • Cross-account role assumption via STS AssumeRole
    • RDS IAM auth token generation for Aurora databases
    • Redshift credential generation for both Serverless and provisioned clusters
    • Credential caching (50-min TTL) to reduce STS API calls
    • Actionable error messages for common IAM misconfigurations
  • Updated engine specs (PostgresEngineSpec, MySQLEngineSpec, RedshiftEngineSpec) to support IAM auth via encrypted_extra configuration
  • New AuroraPostgresEngineSpec and AuroraMySQLEngineSpec classes for explicit Aurora support
  • Sensitive field masking for role_arn and external_id in the UI

Configuration example:

  {
    "aws_iam": {
      "enabled": true,
      "role_arn": "arn:aws:iam::DATA_ACCOUNT_ID:role/SupersetDatabaseAccess",
      "external_id": "your-unique-external-id",
      "region": "us-east-1",
      "db_username": "superset_iam_user"
    }
  }

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API
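
As an added illustration of the credential caching described in the summary (not code from this PR or from Superset): a cache for AssumeRole results with the 50-minute TTL, keyed so that connections with different external IDs never share credentials. `AssumedRoleCache`, `FakeSTS`, the cache key layout and the sample ARN are assumptions; in real use the client would be a boto3 STS client.

```python
import time

CACHE_TTL_SECONDS = 50 * 60  # the PR's 50-minute TTL; STS sessions default to 1 hour

class AssumedRoleCache:
    """Caches AssumeRole credentials per (role_arn, external_id, region)."""

    def __init__(self, sts_client, clock=time.monotonic):
        self._sts = sts_client  # anything exposing boto3's sts.assume_role(**kwargs)
        self._clock = clock
        self._entries = {}  # key -> (fetched_at, credentials)

    def credentials_for(self, aws_iam):
        # external_id is part of the key: two connections naming the same role
        # with different external IDs must never share cached credentials.
        key = (aws_iam["role_arn"], aws_iam.get("external_id"), aws_iam["region"])
        hit = self._entries.get(key)
        if hit is not None and self._clock() - hit[0] < CACHE_TTL_SECONDS:
            return hit[1]
        params = {"RoleArn": aws_iam["role_arn"], "RoleSessionName": "superset-example"}
        if aws_iam.get("external_id"):
            params["ExternalId"] = aws_iam["external_id"]
        creds = self._sts.assume_role(**params)["Credentials"]
        self._entries[key] = (self._clock(), creds)
        return creds

class FakeSTS:
    """Constructed stand-in for an STS client; records each AssumeRole call."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"SessionToken": f"constructed-token-{len(self.calls)}"}}

def demo():
    now = [0.0]  # fake clock, in seconds
    sts = FakeSTS()
    cache = AssumedRoleCache(sts, clock=lambda: now[0])
    cfg = {"role_arn": "arn:aws:iam::111122223333:role/SupersetDatabaseAccess",
           "external_id": "tenant-a", "region": "us-east-1"}  # constructed values
    first = cache.credentials_for(cfg)
    now[0] = 49 * 60
    cached = cache.credentials_for(cfg)  # inside the TTL: served from cache
    other = cache.credentials_for({**cfg, "external_id": "tenant-b"})
    now[0] = 51 * 60
    refreshed = cache.credentials_for(cfg)  # TTL elapsed: STS is called again
    return first, cached, other, refreshed, sts.calls
```

Keeping the TTL below the session lifetime means a cached credential is always refreshed before it expires.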

@github-actions github-actions Bot added the doc Namespace | Anything related to documentation label Jan 30, 2026

netlify Bot commented Jan 30, 2026

Deploy Preview for superset-docs-preview ready!

Name Link
🔨 Latest commit 3f54de5
🔍 Latest deploy log https://app.netlify.com/projects/superset-docs-preview/deploys/697d35a0bf97c4000844d3a9
😎 Deploy Preview https://deploy-preview-37585--superset-docs-preview.netlify.app

@github-actions github-actions Bot removed the doc Namespace | Anything related to documentation label Jan 30, 2026
@betodealmeida betodealmeida marked this pull request as ready for review January 30, 2026 20:58
@dosubot dosubot Bot added authentication Related to authentication data:connect Namespace | Anything related to db connections / integrations labels Jan 30, 2026
@github-actions github-actions Bot added the doc Namespace | Anything related to documentation label Jan 30, 2026

@bito-code-review bito-code-review Bot left a comment

Code Review Agent Run #a37de5

Actionable Suggestions - 1
  • superset/db_engine_specs/aws_iam.py - 1
Review Details
  • Files reviewed - 12 · Commit Range: 8d189af..c56bf89
    • .pre-commit-config.yaml
    • pyproject.toml
    • requirements/development.txt
    • superset/db_engine_specs/aurora.py
    • superset/db_engine_specs/aws_iam.py
    • superset/db_engine_specs/mysql.py
    • superset/db_engine_specs/postgres.py
    • superset/db_engine_specs/redshift.py
    • tests/unit_tests/db_engine_specs/test_aurora.py
    • tests/unit_tests/db_engine_specs/test_aws_iam.py
    • tests/unit_tests/db_engine_specs/test_mysql_iam.py
    • tests/unit_tests/db_engine_specs/test_redshift_iam.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

Documentation & Help

AI Code Review powered by Bito Logo

bito-code-review Bot commented Jan 30, 2026

Code Review Agent Run #6347c2

Actionable Suggestions - 0
Review Details
  • Files reviewed - 13 · Commit Range: 1b3ca11..3f54de5
    • .pre-commit-config.yaml
    • pyproject.toml
    • requirements/development.txt
    • superset/config.py
    • superset/db_engine_specs/aurora.py
    • superset/db_engine_specs/aws_iam.py
    • superset/db_engine_specs/mysql.py
    • superset/db_engine_specs/postgres.py
    • superset/db_engine_specs/redshift.py
    • tests/unit_tests/db_engine_specs/test_aurora.py
    • tests/unit_tests/db_engine_specs/test_aws_iam.py
    • tests/unit_tests/db_engine_specs/test_mysql_iam.py
    • tests/unit_tests/db_engine_specs/test_redshift_iam.py
  • Files skipped - 1
    • docs/static/feature-flags.json - Reason: Filter setting
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful

@Vitor-Avila Vitor-Avila left a comment

lgtm! left non-blocking comments

import boto3
from botocore.exceptions import ClientError
except ImportError as ex:
raise SupersetSecurityException(

Nice! Do you think it makes sense to add boto3 as an entry to optional-dependencies as well? https://github.com/apache/superset/blob/master/pyproject.toml#L114

that could also update the pip install message

Comment on lines +242 to +248
raise SupersetSecurityException(
SupersetError(
message="boto3 is required for AWS IAM authentication.",
error_type=SupersetErrorType.GENERIC_DB_ENGINE_ERROR,
level=ErrorLevel.ERROR,
)
) from ex
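
Review bot: A missing optional package is raised here as `SupersetSecurityException` with `error_type=SupersetErrorType.GENERIC_DB_ENGINE_ERROR`, so in logs and alerts it is indistinguishable from a real IAM or authorization failure. Consider a more specific error type if one fits, and put the remediation (which package to install) in `message=` so an operator can tell a packaging gap from a denied role assumption.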

I'm seeing here we don't have the "Install it with: pip install boto3" portion. Is that intentional? I was thinking if there was any way to make this DRYer (like in a util method or decorator) but I think the local import needs to be on the method using it, right?

class AWSIAMConfig(TypedDict, total=False):
"""Configuration for AWS IAM authentication."""

enabled: bool
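
Review bot: `enabled: bool` sits in a `TypedDict` declared with `total=False`, so the key can be absent as well as false, and the docstring does not say what either case means. Document the default in the class docstring and make sure every reader treats a missing key as disabled (for example `config.get("enabled", False)`), so a partially filled `aws_iam` block never switches IAM authentication on implicitly.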

Out of curiosity, what would be the use-case for setting it up with enabled=False?

@betodealmeida betodealmeida merged commit 05c2354 into master Jan 31, 2026
79 checks passed
@betodealmeida betodealmeida deleted the aurora-aws-iam branch January 31, 2026 00:18
aminghadersohi pushed a commit to aminghadersohi/superset that referenced this pull request Mar 5, 2026
alex-poor pushed a commit to alex-poor/superset that referenced this pull request Mar 15, 2026
rusackas pushed a commit that referenced this pull request Apr 17, 2026
Cover remaining 6.1 features across existing and new pages:

MCP server:
- Add MCP_PARSE_REQUEST_ENABLED to configuration reference
- Add Audit Events section (MCP tool calls appear in Action Log)
- Add Tool Pagination section documenting cursor-based pagination (#37674)

Using AI with Superset:
- Expand Available Tools Reference into categorized sections covering
  all new tools added in the MCP tool library expansion
- Document preview-first workflow for generate_chart / update_chart

Creating Your First Dashboard:
- AG Grid server-side column filters (#35683): filter types, AND/OR logic,
  pagination interaction
- Time Shift for AG Grid Interactive Table (#37072)
- Dynamic currency formatting via currency_code_column dataset field (#36416)
- ECharts option editor in Explore for JSON overrides (#37868)
- Table chart: export behavior with search filter active (#36281)
- Dataset folders: organizing datasets into groups (#36239)
- PWA file handler: opening CSV/XLS/Parquet from OS file manager (#36191)
- Share database connection option when adding a new database (#37940)

Exploring Data:
- Dialect-aware Format SQL (applies selected database dialect) (#39393)
- SQL Lab tips section and time range natural language expressions
  (consolidates content from batch 4 for master branch)

Importing/Exporting:
- Dashboard import overwrite behavior: charts are replaced not duplicated (#36551)
- UUID in REST API POST responses for dataset/chart/dashboard (#37806)

New pages:
- docs/docs/using-superset/embedding.mdx: embedded SDK quick start,
  resolvePermalinkUrl callback (#36924),
  DISABLE_EMBEDDED_SUPERSET_LOGOUT feature flag (#37537),
  URL parameters, guest token security notes
- docs/admin_docs/configuration/aws-iam.mdx: cross-account IAM
  authentication for Aurora and Redshift via STS AssumeRole (#37585),
  configuration reference, trust policy setup guide

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
qfcwell pushed a commit to qfcwell/superset that referenced this pull request May 12, 2026