#aws Kind of stuck, I would really appreciate some help. I am trying to create an IAM role with a self-assuming trust policy (assume-role policy); I have tried all of the options below and none of them worked.
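def public_read_policy_for_bucket(role_arn=None, external_id=None):
    """Build the IAM trust (assume-role) policy for the Databricks metastore role.

    Despite its name this is a role *trust* policy, not an S3 bucket policy:
    it allows ``sts:AssumeRole`` for the Databricks Unity Catalog master role
    and, optionally, for one extra role ARN (the role itself in the
    self-assuming case).

    Args:
        role_arn: Optional extra principal ARN allowed to assume the role; may
            be a Pulumi ``Output``. ``None`` leaves it out.
        external_id: Value required by the ``sts:ExternalId`` condition.
            ``None`` falls back to the module-level ``test`` name, as before.

    Returns:
        A plain JSON ``str`` when ``role_arn`` is ``None``, otherwise a Pulumi
        ``Output[str]`` produced by ``Output.json_dumps`` so that ``role_arn``
        is resolved when the stack runs.
    """
    if external_id is None:
        # NOTE(review): `test` is a module-level name not shown here; it is
        # presumably the Databricks-provided external ID string — confirm.
        external_id = test

    principals = [
        "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"
    ]
    if role_arn is not None:
        # Output.json_dumps resolves nested Output values itself, so the ARN
        # goes into the document as-is (no Output.format round-trip needed).
        principals.append(role_arn)

    # Single source of truth for the statement; both return paths serialise
    # the same document so the two branches cannot drift apart.
    document = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": "sts:AssumeRole",
                # The external-ID condition is the confused-deputy mitigation:
                # a caller using the Databricks master role must also present
                # this ID, so it is kept on every path.
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }

    if role_arn is None:
        return json.dumps(document)
    return Output.json_dumps(document)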


# First pass: the trust policy names only the Databricks master role (no
# self-principal yet).  The physical IAM role name is pinned via ``name``.
role = aws.iam.Role(
    resource_name="Creating role for the Databricks metastore credentials",
    name="venkat-test-role",
    assume_role_policy=public_read_policy_for_bucket(),
    description="Grants Databricks metastore access to the root bucket",
)


# Second pass, meant to add ``role.arn`` as a trusted principal.  This is a
# *second* Pulumi resource with the same physical ``name="venkat-test-role"``
# as ``role`` above, not an update of it.  IAM role names are unique per
# account, so this create is expected to be rejected as a duplicate
# (presumably EntityAlreadyExists — confirm against the stack error).
# ``replace_on_changes`` / ``delete_before_replace`` only control how *this*
# resource is replaced on later updates; they do not let it take over the
# existing role.  The variant further down avoids the second resource: one
# role whose trust policy trusts the account root with an ``aws:PrincipalArn``
# condition on the role's own (predictable) ARN.
aws.iam.Role(
    resource_name="Updating the Databricks metastore credentials 1",
    name="venkat-test-role",
    assume_role_policy=public_read_policy_for_bucket(role.arn),
    opts=pulumi.ResourceOptions( replace_on_changes=["*"], delete_before_replace=False),
)
I also tried this option: https://pulumi-community.slack.com/archives/CRH5ENVDX/p1677456080396849?thread_ts=1677393469.008329&cid=CRH5ENVDX
#aws I would really appreciate any suggestions or feedback; I am not able to proceed further.
The solution below worked for me:
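def public_read_policy_for_bucket2(external_id=None, account_id=None, role_name="venkat-test-role"):
    """Build a self-assuming IAM trust policy for the Databricks metastore role.

    Two statements are emitted:

    1. The Databricks Unity Catalog master role may assume the role, gated by
       the ``sts:ExternalId`` condition (confused-deputy mitigation).
    2. The account root may assume the role, but only when the calling
       principal's ARN matches ``role_name`` in ``account_id``.  The root
       principal on its own would cover every principal in the account; the
       ``ArnLike`` condition is what narrows it to the role itself, which is
       how a role can trust its own (not-yet-created) ARN.

    Args:
        external_id: Value required by the ``sts:ExternalId`` condition.
            ``None`` falls back to the module-level ``Databricks`` name.
        account_id: AWS account id used in the self-assume statement.
            ``None`` falls back to the module-level ``aws_id`` name.
        role_name: Physical IAM role name the self-assume condition points at.
            Must equal the ``name`` given to the ``aws.iam.Role`` resource.

    Returns:
        The policy document as a JSON ``str``.
    """
    if external_id is None:
        # NOTE(review): `Databricks` is a module-level name not shown here,
        # presumably the Databricks-provided external ID string — confirm.
        # The original wrote `{Databricks}`, a one-element set, which
        # json.dumps cannot serialise (TypeError); the value is now passed as
        # the plain string the StringEquals condition expects.
        external_id = Databricks
    if account_id is None:
        # NOTE(review): `aws_id` is likewise defined elsewhere in the module.
        account_id = aws_id

    return json.dumps(
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": [
                            "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
                        ]
                    },
                    "Action": "sts:AssumeRole",
                    "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
                },
                {
                    "Effect": "Allow",
                    "Principal": {"AWS": [f"arn:aws:iam::{account_id}:root"]},
                    "Action": "sts:AssumeRole",
                    # Without this condition the root principal above would
                    # admit any principal in the account; keep it in step
                    # with the Role resource's ``name``.
                    "Condition": {
                        "ArnLike": {
                            "aws:PrincipalArn": f"arn:aws:iam::{account_id}:role/{role_name}"
                        }
                    },
                },
            ],
        }
    )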

# print(public_read_policy_for_bucket2)

# A single role: its trust policy (built above) already carries the
# self-assume statement, so no second resource with the same name is needed.
# NOTE(review): the policy's ``aws:PrincipalArn`` condition names
# ``role/venkat-test-role`` while this resource is created as
# ``name="test-role"``; unless one of the two is a paste-time edit, the
# self-assume condition will not match this role's ARN — keep them in sync.
role = aws.iam.Role(
    resource_name="Creating role for the Databricks metastore credentials",
    name="test-role",
    assume_role_policy=public_read_policy_for_bucket2(),
    description="Grants Databricks metastore access to the root bucket",
)