tickit-data-lake-demo
Workaround to achieve multi-tenancy using CI/CD pipeline
If users from multiple AWS accounts have DAGs in a single MWAA environment, it is important to restrict the users based on what AWS resources they can access at the DAG level. @garystafford could we do this by adding a validation step in the CI/CD pipeline to check if the DAG policies are met by the users who write the DAGs?
If this can't be accomplished using AWS IAM or from within Airflow natively, then using a validation step in your CI/CD is logical. You could store permissions in a k/v store, like DynamoDB, and then query from the pipeline to validate user/DAG permissions.
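One way such a CI/CD validation step could look, as an added example that is not part of this thread or of the tickit-data-lake-demo repository: it parses a DAG file statically and checks the `aws_conn_id` and bucket arguments against the committer's permission record. The `PERMISSIONS` dict stands in for the DynamoDB item, and the user name, connection IDs, bucket names and `validate_dag` helper are all assumptions made for illustration.

```python
import ast

# Constructed stand-in for the k/v permission store (e.g. a DynamoDB table
# keyed by committer); a real pipeline would fetch this item instead.
PERMISSIONS = {
    "alice@tenant-a": {"conn_ids": {"aws_tenant_a"}, "buckets": {"tenant-a-raw"}},
}

# Constructed DAG source as it would arrive in a pull request.
SAMPLE_DAG = '''
from airflow import DAG
from airflow.providers.amazon.aws.operators.s3 import S3DeleteObjectsOperator
with DAG("cleanup", schedule=None) as dag:
    S3DeleteObjectsOperator(task_id="a", bucket="tenant-a-raw", keys="tmp/",
                            aws_conn_id="aws_tenant_a")
    S3DeleteObjectsOperator(task_id="b", bucket="tenant-b-raw", keys="tmp/",
                            aws_conn_id=CONN)
'''

def validate_dag(source: str, user: str) -> list[str]:
    """Return policy violations for one DAG file; an empty list means pass."""
    allowed = PERMISSIONS.get(user)
    if allowed is None:  # unknown committer: fail closed
        return [f"no permission record for {user}"]
    checks = {"aws_conn_id": allowed["conn_ids"],
              "bucket": allowed["buckets"],
              "bucket_name": allowed["buckets"]}
    violations = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg not in checks:
                continue
            val = kw.value
            if not (isinstance(val, ast.Constant) and isinstance(val.value, str)):
                # Variables and computed values cannot be checked statically,
                # so they are rejected rather than skipped.
                violations.append(f"line {val.lineno}: {kw.arg} is not a string literal")
            elif val.value not in checks[kw.arg]:
                violations.append(
                    f"line {val.lineno}: {kw.arg}={val.value!r} not allowed for {user}")
    return violations

if __name__ == "__main__":
    problems = validate_dag(SAMPLE_DAG, "alice@tenant-a")
    print("\n".join(problems) or "OK")
    raise SystemExit(1 if problems else 0)
```

A check like this only covers values written literally in the DAG file; the IAM permissions attached to each connection remain what enforces access at run time.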