

# Get started with Amazon MWAA Serverless

To create a workflow in Amazon MWAA Serverless you need an Amazon S3 bucket and an execution role. You can optionally provide a KMS key, an Amazon VPC, and VPC security groups.
+ The **Amazon S3 bucket** stores your workflow files. Your Amazon S3 bucket must block all public access and have versioning enabled. When you upload workflow files, Amazon MWAA Serverless parses these files before scheduling tasks. To learn more, refer to [Create an Amazon S3 bucket for Amazon MWAA Serverless](mwaas-s3-bucket.md).
+ The **execution role** enables Amazon MWAA Serverless workflow tasks to access your AWS resources. To learn more, refer to [Execution roles](get-started-execution-role.md).
+ (Optional) A **KMS key** is used to encrypt your workflow data. If you do not provide a KMS key, Amazon MWAA Serverless uses a default key for encryption. To learn more, refer to [Using customer-managed keys for encryption](data-protection.md#data-protection-keys-certs).
+ (Optional) An **Amazon VPC** lets your workflow connect to your private resources. If you don't provide a VPC, Amazon MWAA Serverless uses a default VPC with internet connectivity. To learn more, refer to [Create your Amazon VPC network](networking-vpc.md#networking-create-vpc).
+ (Optional) A **VPC security group** lets Amazon MWAA Serverless access other AWS resources in your VPC network. You can provide your security group information while creating a workflow. To learn more, refer to [Security in your VPC on Amazon MWAA Serverless](networking-security.md).

After you complete these steps, you're ready to use Amazon MWAA Serverless. Choose one of two paths:
+ Initialize a workflow using the AWS CLI (you must first upload your YAML workflow file to your S3 bucket). For more information, refer to [Manage workflows](workflows.md#workflows-manage).
+ Migrate a Python DAG to YAML using [dag-converter](https://pypi.org/project/python-to-yaml-dag-converter-mwaa-serverless/). For more information, refer to [Convert Python DAG to YAML definition](workflows-migrate.md).

# Create an Amazon S3 bucket for Amazon MWAA Serverless

Learn how to create an Amazon S3 bucket to store your workflow files.

Before you begin, note that:
+ The Amazon S3 bucket name can't be changed after you create the bucket. To learn more, refer to [Rules for bucket naming](https://docs.aws.amazon.com/AmazonS3/latest/userguide/BucketRestrictions.html#bucketnamingrules) in the *Amazon Simple Storage Service User Guide*.
+ An Amazon S3 bucket that is used for an Amazon MWAA Serverless workflow must be configured to **Block all public access**.
+ An Amazon S3 bucket that is used for an Amazon MWAA Serverless workflow must be located in the same AWS Region as the workflow that uses it. To view a list of AWS Regions for Amazon MWAA Serverless, refer to [Amazon MWAA Serverless endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/mwaa.html) in the *AWS General Reference*.

## Create the bucket


**To create an Amazon S3 bucket for your workflow:**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Choose **Create bucket**.

1. In **Bucket name**, enter a DNS-compliant name for your bucket.

   The bucket name must:
   + Be unique across all of Amazon S3
   + Contain between 3 and 63 characters
   + Not contain uppercase characters
   + Start with a lowercase letter or number
**Important**  
Avoid including sensitive information, such as account numbers, in the bucket name. The bucket name is visible in the URLs that point to the objects in the bucket.

1. Choose an AWS Region in **Region**. This must be the same AWS Region as your Amazon MWAA Serverless workflow.

   We recommend choosing a Region close to you to minimize latency and costs and to address regulatory requirements.

1. Choose **Block all public access**.

1. Choose **Enable** in **Bucket Versioning**.

1. (Optional) **Tags**. Add key-value tag pairs to identify your Amazon S3 bucket in **Tags**. For example, `Bucket` : `Staging`.

1. (Optional) **Server-side encryption**. You can optionally **Enable** one of the following encryption options on your Amazon S3 bucket.

   1. Choose **Amazon S3 key (SSE-S3)** in **Server-side encryption** to enable server-side encryption for the bucket.

   1. Choose **AWS Key Management Service key (SSE-KMS)** to use an AWS KMS key for encryption on your Amazon S3 bucket:

      1. **AWS-managed key (aws/s3)** - If you choose this option, you can either use an [AWS-owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) managed by Amazon MWAA Serverless, or specify a [Customer-managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for encryption of your Amazon MWAA Serverless workflow.

      1. **Choose from your AWS KMS keys** or **Enter AWS KMS key ARN** - If you choose to specify a [Customer-managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) in this step, you must specify an AWS KMS key ID or ARN. [AWS KMS aliases and multi-region keys are not supported by Amazon MWAA Serverless](data-protection.md#data-protection-keys-certs). The AWS KMS key you specify must also be used for encryption on your Amazon MWAA Serverless workflow.

1. (Optional) **Advanced settings**. If you want to enable Amazon S3 Object Lock:

   1. Choose **Advanced settings**, **Enable**.
**Important**  
Enabling Object Lock will permanently allow objects in this bucket to be locked. To learn more, refer to [Locking Objects Using Amazon S3 Object Lock](https://docs.aws.amazon.com//AmazonS3/latest/dev/object-lock.html) in the *Amazon Simple Storage Service User Guide*.

   1. Choose the acknowledgement.

1. Choose **Create bucket**.
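The requirements in the steps above (naming rules, same Region as the workflow, **Block all public access**, versioning, and a supported SSE-KMS key that matches the workflow's key) can be checked in one place before a workflow is pointed at the bucket. The following Python script is an added example, not code from the AWS documentation. It evaluates dictionaries with the same shape that boto3 returns from `get_bucket_location`, `get_public_access_block`, `get_bucket_versioning` and `get_bucket_encryption`, so real responses can be passed in unchanged; the two sample buckets, their names and the `111122223333` account ID are constructed placeholders. The multi-region-key check relies on the `mrk-` prefix that multi-region KMS key IDs carry.

```python
"""Preflight checks for an Amazon S3 bucket used by Amazon MWAA Serverless.

Added example, not code from the AWS documentation. The response dicts have
the same shape as the ones boto3 returns, so real responses can be passed in
unchanged; the sample data at the bottom is constructed for illustration.
"""
import re

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")


def check_bucket_name(name):
    """Return the naming-rule violations for a bucket name (empty list = OK)."""
    problems = []
    if not 3 <= len(name) <= 63:
        problems.append("name must be 3 to 63 characters long")
    if name != name.lower():
        problems.append("name must not contain uppercase characters")
    if not re.match(r"[a-z0-9]", name):
        problems.append("name must start with a lowercase letter or number")
    if not re.fullmatch(r"[a-z0-9.-]*", name.lower()):
        problems.append("name must be DNS-compliant (lowercase letters, digits, '.' and '-')")
    # Bucket names appear in object URLs, so an embedded account ID is exposed.
    if re.search(r"\d{12}", name):
        problems.append("name looks like it embeds a 12-digit AWS account ID")
    return problems


def kms_key_problem(key_id):
    """Aliases and multi-region keys (IDs starting with 'mrk-') are not
    supported by Amazon MWAA Serverless; return a description or None."""
    if "alias/" in key_id:
        return f"KMS alias {key_id!r} is not supported; use a key ID or key ARN"
    if key_id.rsplit("/", 1)[-1].startswith("mrk-"):
        return f"multi-region KMS key {key_id!r} is not supported"
    return None


def bucket_region(location):
    """get_bucket_location reports us-east-1 as a null LocationConstraint."""
    return location.get("LocationConstraint") or "us-east-1"


def preflight(name, workflow_region, location, public_access_block, versioning,
              encryption=None, workflow_kms_key_arn=None):
    """Collect every reason the bucket is not usable for the workflow."""
    problems = check_bucket_name(name)

    region = bucket_region(location)
    if region != workflow_region:
        problems.append(f"bucket is in {region} but the workflow is in {workflow_region}")

    pab = public_access_block.get("PublicAccessBlockConfiguration", {})
    if not all(pab.get(flag) is True for flag in PUBLIC_ACCESS_FLAGS):
        problems.append("Block all public access is not fully enabled")

    if versioning.get("Status") != "Enabled":
        problems.append("bucket versioning is not enabled")

    if encryption is not None:
        rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        for rule in rules:
            default = rule.get("ApplyServerSideEncryptionByDefault", {})
            key_id = default.get("KMSMasterKeyID")
            if default.get("SSEAlgorithm") == "aws:kms" and key_id:
                problem = kms_key_problem(key_id)
                if problem:
                    problems.append(problem)
                elif workflow_kms_key_arn and key_id != workflow_kms_key_arn:
                    problems.append("bucket SSE-KMS key differs from the workflow's KMS key")
    return problems


# Constructed sample responses; account ID and key ID are placeholders.
GOOD = dict(
    name="example-mwaa-workflows",
    workflow_region="us-east-1",
    location={"LocationConstraint": None},
    public_access_block={"PublicAccessBlockConfiguration": {f: True for f in PUBLIC_ACCESS_FLAGS}},
    versioning={"Status": "Enabled"},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/keyId"}}]}},
    workflow_kms_key_arn="arn:aws:kms:us-east-1:111122223333:key/keyId",
)

BAD = dict(
    name="Acme-111122223333-Workflows",
    workflow_region="us-east-1",
    location={"LocationConstraint": "eu-west-1"},
    public_access_block={"PublicAccessBlockConfiguration": {"BlockPublicAcls": True}},
    versioning={"Status": "Suspended"},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:eu-west-1:111122223333:alias/workflows"}}]}},
)

if __name__ == "__main__":
    for label, bucket in (("good", GOOD), ("bad", BAD)):
        print(label, preflight(**bucket) or ["OK"])
```

Running the script prints an empty finding list for the compliant bucket and seven findings for the non-compliant one (three naming problems, wrong Region, incomplete public access block, suspended versioning, and an alias used as the SSE-KMS key). To use it against a live bucket, pass the boto3 responses for the four calls named above in place of the constructed dictionaries.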

## What's next?

+ Learn how to manage access permissions in [How do I set ACL bucket permissions?](https://docs.aws.amazon.com//AmazonS3/latest/user-guide/set-bucket-permissions.html)
+ Learn how to delete a storage bucket in [How do I delete an S3 Bucket?](https://docs.aws.amazon.com//AmazonS3/latest/user-guide/delete-bucket.html).
+ Learn how to create an Amazon VPC network for an Amazon MWAA Serverless workflow in [Networking](networking.md).

# Execution roles


An execution role is an AWS Identity and Access Management (IAM) role with a permissions policy that grants Amazon MWAA Serverless permission to invoke the resources of other AWS services on your behalf. This can include resources such as your Amazon S3 bucket, [AWS KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk), and CloudWatch Logs. Amazon MWAA Serverless needs one execution role per workflow. This topic describes how to use and configure the execution role to allow Amazon MWAA Serverless to access the other AWS resources that the workflow requires.

Amazon MWAA Serverless workflows acquire permissions to use other AWS services from the execution role. You must grant the following permissions to the Amazon MWAA Serverless execution role to allow your workflows to use these AWS services:
+ Amazon CloudWatch (CloudWatch), to send Amazon MWAA Serverless workflow task logs to a customer-provided log group.
+ AWS Key Management Service (AWS KMS), for data encryption (using either an [AWS-owned key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) or your [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk)).
**Note**  
For your workflow's execution role to use a KMS key that it does not own, such as a key in a third-party account, the key policy (the key's resource policy) must allow that cross-account access.  
After you choose an encryption option, you cannot change your selection for an existing workflow.

## Create an execution role


 You use the IAM console to create a new execution role. When you create a new execution role, do not reuse the name of a deleted execution role. Unique names can help prevent conflicts and ensure proper resource management. 

To create a new execution role, follow these steps:

1. Open the IAM console ([https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/)).

1. In the navigation pane, choose **Roles**.

1. Choose **Create role**.

1. For **Trusted entity type**, choose **AWS service**.

1. For **Service or use case**, choose **Amazon MWAA Serverless**. Then choose **Amazon MWAA Serverless workflow**.

1. Choose **Next**.

1. For **Permissions policies**, search for your customer managed policy.

1. Choose the check box to the left of the policy, then choose **Next**.

1. For **Role name**, enter a name for the role, then choose **Create role**.

You can change the execution role for your workflow at any time. If the new execution role does not exist yet, use the steps on this page to create it and its permissions policy, then associate the role with your workflow.

## Update an execution role


Amazon MWAA Serverless can't add or edit permission policies on an existing execution role. When you update a workflow so that it needs additional permissions, you must add those permission policies to the execution role yourself. For example, if your DAG requires access to AWS Glue, Amazon MWAA Serverless can't detect that your workflow requires these permissions, or add them to your execution role.

You can add permissions to an execution role in two ways:
+  By modifying the JSON policy for your execution role inline. You can use the sample [JSON policy documents](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) on this page to either add to or replace the JSON policy of your execution role on the IAM console. 
+  By creating a JSON policy for an AWS service and attaching it to your execution role. You can use the steps on this page to associate a new JSON policy document for an AWS service to your execution role on the IAM console. 

To view the execution role and update the JSON policy for the role on the IAM console:

1. Open the [IAM console](https://console.aws.amazon.com/iam/).

1. Choose the execution role name to open the permissions policy.

1. Choose **Edit policy**.

1. Choose the **JSON** tab.

1. Update your JSON policy.

1. Choose **Review policy**.

1. Choose **Save changes**.

 Assuming the execution role is already associated with your workflow, Amazon MWAA Serverless can start using the added permission policies immediately. This also means if you remove any required permissions from an execution role, your workflow might fail. 

## Attach a JSON policy to use other AWS services


 You can create a JSON policy for an AWS service and attach it to your execution role. For example, you can attach the following JSON policy to grant read-only access to all resources in Amazon EC2. 

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "ec2:GetSecurityGroupsForVpc"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:Describe*",
            "Resource": "*"
        }
    ]
}
```

------

To attach a policy to your execution role:

1. Open the [IAM console](https://console.aws.amazon.com/iam).

1. Choose your execution role.

1. Choose **Attach policies**.

1. Choose **Create policy**.

1. Choose **JSON**.

1. Paste the JSON policy.

1. Choose **Next: Tags**, **Next: Review**.

1. Enter a descriptive name (such as `SecretsManagerReadPolicy`) and a description for the policy.

1. Choose **Create policy**.

## Sample JSON policies for an execution role

The sample permission policies in this section show the policy to create a new execution role that can be used for your workflow. These policies contain [Resource ARN](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html) placeholders for Apache Airflow log groups and an [Amazon S3 bucket](mwaas-s3-bucket.md).

### Sample policy for Amazon S3 operations


The following example shows an execution role policy you can use for Amazon S3 operations.

**Note**  
The CloudWatchLogsAccess and VPCAccess statements are required for all operations, while the KmsAccess statement is optional.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3OperationSpecificPermissions",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchLogsAccess",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        },
        {
            "Sid": "KmsAccess",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/keyId"
        }
    ]
}
```

------

Next, you need to allow Amazon MWAA Serverless to assume this role in order to perform actions on your behalf. You can do this by adding the `"airflow-serverless.amazonaws.com"` service principal to the list of trusted entities for this execution role [using the IAM console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console), or by placing this service principal in the assume role policy document for the execution role via the IAM [create-role](https://docs.aws.amazon.com/cli/latest/reference/iam/create-role.html) command using the AWS CLI. A sample assume role policy document follows:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAirflowServerlessAssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": "airflow-serverless.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

------
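Because Amazon MWAA Serverless starts using whatever the execution role grants as soon as the role is associated with a workflow, it is worth checking both policy documents against what this page requires before attaching the role. The following Python script is an added example, not code from the AWS documentation. It lints a trust policy and a permissions policy as parsed IAM JSON: the trust policy must allow `airflow-serverless.amazonaws.com` to call `sts:AssumeRole`, the permissions policy must grant the CloudWatchLogsAccess actions, and any KMS statement must reference a key ID or key ARN rather than an alias or a multi-region key (recognised by the `mrk-` key-ID prefix). It also warns about service-level wildcards such as `s3:*` on Resource `"*"`; that warning is a least-privilege recommendation of this example, not an MWAA Serverless requirement. The VPCAccess statement that the note above mentions is not shown on this page, so the lint does not check for it. The two policies fed to it are the ones on this page; the trust policy with the wrong service principal is constructed.

```python
"""Static checks on an Amazon MWAA Serverless execution role.

Added example, not code from the AWS documentation. Errors are conditions
this page states as requirements; warnings are this example's own
least-privilege recommendations.
"""
import fnmatch
import json

SERVICE_PRINCIPAL = "airflow-serverless.amazonaws.com"
REQUIRED_LOG_ACTIONS = ("logs:CreateLogStream", "logs:PutLogEvents")


def _as_list(value):
    """IAM allows a single string or a list in Action, Resource and Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action names are case-insensitive and patterns may use '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def trusts_mwaa_serverless(trust_policy):
    """True if some Allow statement lets the service principal call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and SERVICE_PRINCIPAL in services
                and any(action_matches(p, "sts:AssumeRole") for p in _as_list(stmt.get("Action")))):
            return True
    return False


def kms_key_problem(resource):
    """Aliases and multi-region keys (IDs starting with 'mrk-') are not supported."""
    if "alias/" in resource:
        return f"KMS alias {resource!r} is not supported; use the key ID or key ARN"
    if resource.rsplit("/", 1)[-1].startswith("mrk-"):
        return f"multi-region KMS key {resource!r} is not supported"
    return None


def lint_execution_role(trust_policy, permissions_policy):
    """Return {"errors": [...], "warnings": [...]} for the role's two policies."""
    errors, warnings = [], []

    if not trusts_mwaa_serverless(trust_policy):
        errors.append(f"trust policy does not allow {SERVICE_PRINCIPAL} to call sts:AssumeRole")

    allow = [s for s in _as_list(permissions_policy.get("Statement")) if s.get("Effect") == "Allow"]
    granted = [a for s in allow for a in _as_list(s.get("Action"))]

    # The CloudWatch Logs permissions are required for every workflow.
    for required in REQUIRED_LOG_ACTIONS:
        if not any(action_matches(p, required) for p in granted):
            errors.append(f"missing required CloudWatch Logs permission {required}")

    for stmt in allow:
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        uses_kms = any(a.lower().startswith("kms:") for a in actions)
        for res in resources:
            if uses_kms and res == "*":
                warnings.append(f"{sid}: KMS actions on every key; scope Resource to the workflow key ARN")
            elif uses_kms:
                problem = kms_key_problem(res)
                if problem:
                    errors.append(f"{sid}: {problem}")
        # A service-level wildcard on every resource is more than one workflow needs.
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            warnings.append(f"{sid}: {', '.join(actions)} on Resource '*'; "
                            "scope the statement to the resources the workflow uses")
    return {"errors": errors, "warnings": warnings}


# Trust policy and S3 permissions policy as shown on this page; the account ID
# and key ID in the KMS ARN are the page's placeholders.
PAGE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAirflowServerlessAssumeRole", "Effect": "Allow",
                   "Principal": {"Service": SERVICE_PRINCIPAL},
                   "Action": "sts:AssumeRole"}],
}

PAGE_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3OperationSpecificPermissions", "Effect": "Allow",
         "Action": ["s3:*"], "Resource": "*"},
        {"Sid": "CloudWatchLogsAccess", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
        {"Sid": "KmsAccess", "Effect": "Allow",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/keyId"},
    ],
}

# Constructed negative case: the role trusts a different service principal.
WRONG_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    print(json.dumps(lint_execution_role(PAGE_TRUST_POLICY, PAGE_S3_POLICY), indent=2))
    print(json.dumps(lint_execution_role(WRONG_TRUST_POLICY, PAGE_S3_POLICY), indent=2))
```

For the page's own pair of policies the script reports no errors and one warning, on the `S3OperationSpecificPermissions` statement; with the constructed trust policy it adds the missing-service-principal error. To run it against a real role, load the documents returned by the IAM `get-role` and `get-role-policy` (or `get-policy-version`) calls with `json.load` and pass them to `lint_execution_role`.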