feat: AWS Cross-Account IAM Authentication for Aurora

.pre-commit-config.yaml

@@ -27,6 +27,7 @@ repos:
         args: [--check-untyped-defs]
         exclude: ^superset-extensions-cli/
         additional_dependencies: [
+            types-cachetools,
             types-simplejson,
             types-python-dateutil,
             types-requests,

docs/static/feature-flags.json

@@ -114,6 +114,12 @@
         "lifecycle": "testing",
         "description": "Allow users to export full CSV of table viz type. Warning: Could cause server memory/compute issues with large datasets."
       },
+      {
+        "name": "AWS_DATABASE_IAM_AUTH",
+        "default": false,
+        "lifecycle": "testing",
+        "description": "Enable AWS IAM authentication for database connections (Aurora, Redshift). Allows cross-account role assumption via STS AssumeRole. Security note: When enabled, ensure Superset's IAM role has restricted sts:AssumeRole permissions to prevent unauthorized access."
+      },
       {
         "name": "CACHE_IMPERSONATION",
         "default": false,

pyproject.toml

@@ -204,6 +204,7 @@ ydb = ["ydb-sqlalchemy>=0.1.2"]
 development = [
     # no bounds for apache-superset-extensions-cli until a stable version
     "apache-superset-extensions-cli",
+    "boto3",
     "docker",
     "flask-testing",
     "freezegun",

requirements/development.txt

@@ -76,6 +76,12 @@ blinker==1.9.0
     # via
     #   -c requirements/base-constraint.txt
     #   flask
+boto3==1.42.39
+    # via apache-superset
+botocore==1.42.39
+    # via
+    #   boto3
+    #   s3transfer
 bottleneck==1.5.0
     # via
     #   -c requirements/base-constraint.txt
@@ -460,6 +466,10 @@ jinja2==3.1.6
     #   apache-superset-extensions-cli
     #   flask
     #   flask-babel
+jmespath==1.1.0
+    # via
+    #   boto3
+    #   botocore
 jsonpath-ng==1.7.0
     # via
     #   -c requirements/base-constraint.txt
@@ -812,6 +822,7 @@ python-dateutil==2.9.0.post0
     # via
     #   -c requirements/base-constraint.txt
     #   apache-superset
+    #   botocore
     #   celery
     #   croniter
     #   flask-appbuilder
@@ -915,6 +926,8 @@ rsa==4.9.1
     #   google-auth
 ruff==0.9.7
     # via apache-superset
+s3transfer==0.16.0
+    # via boto3
 secretstorage==3.5.0
     # via keyring
 selenium==4.32.0
@@ -1066,6 +1079,7 @@ url-normalize==2.2.1
 urllib3==2.6.3
     # via
     #   -c requirements/base-constraint.txt
+    #   botocore
     #   docker
     #   requests
     #   requests-cache

superset/config.py

@@ -656,6 +656,12 @@ class D3TimeFormat(TypedDict, total=False):
     # @lifecycle: testing
     # @docs: https://superset.apache.org/docs/configuration/setup-ssh-tunneling
     "SSH_TUNNELING": False,
+    # Enable AWS IAM authentication for database connections (Aurora, Redshift).
+    # Allows cross-account role assumption via STS AssumeRole.
+    # Security note: When enabled, ensure Superset's IAM role has restricted
+    # sts:AssumeRole permissions to prevent unauthorized access.
+    # @lifecycle: testing
+    "AWS_DATABASE_IAM_AUTH": False,
     # Use analogous colors in charts
     # @lifecycle: testing
     "USE_ANALOGOUS_COLORS": False,

superset/db_engine_specs/aurora.py

@@ -54,3 +54,29 @@ class AuroraPostgresDataAPI(PostgresEngineSpec):
         "secret_arn={secret_arn}&"
         "region_name={region_name}"
     )
+
+
+class AuroraMySQLEngineSpec(MySQLEngineSpec):
+    """
+    Aurora MySQL engine spec.
+
+    IAM authentication is handled by the parent MySQLEngineSpec via
+    the aws_iam config in encrypted_extra.
+    """
+
+    engine = "mysql"
+    engine_name = "Aurora MySQL"
+    default_driver = "mysqldb"
+
+
+class AuroraPostgresEngineSpec(PostgresEngineSpec):
+    """
+    Aurora PostgreSQL engine spec.
+
+    IAM authentication is handled by the parent PostgresEngineSpec via
+    the aws_iam config in encrypted_extra.
+    """
+
+    engine = "postgresql"
+    engine_name = "Aurora PostgreSQL"
+    default_driver = "psycopg2"