This article explains how to integrate OpenID Connect (OIDC) single sign-on with Amazon MWAA for secure, centralized access across multiple Apache Airflow environments.

• Uses Application Load Balancer with OIDC provider for SSO authentication to MWAA UI
• Supports both public internet and private VPC access modes for MWAA environments
• Lambda function verifies JWT tokens and authorizes users via DynamoDB role mappings
• AWS CDK infrastructure-as-code solution automates setup for single or multiple MWAA environments
• Eliminates need for AWS credentials; users authenticate with existing organizational identity provider
• Supports VPC peering for private MWAA environments and custom Apache Airflow RBAC roles
• Includes logout functionality and post-deployment configuration steps

This solution enables organizations to provide unified OIDC-based SSO access to Apache Airflow across multiple MWAA environments without managing separate credentials.