How can I create an iam.Role that is self-assuming?...
# aws
i
How can I create an `iam.Role` that is self-assuming? The `assumeRolePolicy` would need to reference itself, which it cannot do.
b
Can you explain a little more what you're trying to do? Why do you need a role that is self-assuming?
i
This is to implement a role for databricks: https://docs.databricks.com/data-governance/unity-catalog/manage-external-locations-and-credentials.html (see the second bullet point under Step 1)
b
you’d need to create the role with an explicit name, you couldn’t reference it with a variable. Something like
```typescript
import * as aws from "@pulumi/aws";

// The trust policy cannot reference role.arn (that would be a cycle), so the
// role gets a fixed `name` and the policy spells out the resulting ARN.
const role = new aws.iam.Role("role", {
  name: "myRole",
  assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "",
        Effect: "Allow",
        Principal: {
          // account ID is a placeholder; it must be the account the role lives in
          AWS: "arn:aws:iam::123456789012:role/myRole",
        },
        Action: "sts:AssumeRole",
      },
    ],
  }),
  // placeholder policy; scope this down to what the role actually needs
  managedPolicyArns: ["arn:aws:iam::aws:policy/AdministratorAccess"],
});
```
i
Ah okay, I was also thinking of maybe just putting a wildcard where the Pulumi-generated hash usually goes, e.g. `new aws.iam.Role('xyz',…` and then `arn:aws:iam::123:role/xyz-*`? That way it would work across multiple environments (just, less securely hehe)
b
that might work, but ymmv
i
Your suspicions were correct: it didn't work 😔 because you can't use partial wildcards in a principal ARN. I used your approach of statically naming the resource, but also appended `pulumi.getStack()` to the end of the name.
That didn't work either, because the policy references the role before it exists… Looking at some Terraform posts, this is a very hard thing to do. I think in my case I'll just comment out the role, run `up`, then uncomment and run `up` again.
b
You should be able to define the policy as a different resource, use a waiter inside an apply to block the policy creation, and then attach the policy via a role policy attachment resource.
i
Unfortunately this is for the `assumeRolePolicy`, aka "trust relationships", and I don't think this type of policy supports lazy attachment (unlike inline/managed).
b
Ah how funny
I guess you could create a cloudformation stack which creates an IAM role?
h
@icy-controller-6092 were you able to resolve this issue? I am facing it right now and wondering whether you can share the steps you took to solve it. Thanks
i
Hi @hallowed-fireman-90476, I don't have a nice solution, sorry. I comment out the self-reference and do a deploy, and then comment it back in and do another deploy.
h
Even that, how did you do it? Because I cannot modify the existing role's assume policy:
```python
import json

import pulumi
import pulumi_aws as aws
from pulumi import Output

# External ID Databricks gives you for the storage credential. It was an
# undefined name (`test`) in the snippet as posted, so it is read from Pulumi
# config here; the config key is an assumption.
test = pulumi.Config().require("databricksExternalId")

# Databricks' Unity Catalog master role, taken from the Databricks docs.
DATABRICKS_UC_MASTER_ROLE = (
    "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"
)


def public_read_policy_for_bucket(role_arn=None):
    """Build the trust (assume-role) policy.

    Without role_arn it trusts only the Databricks master role; with role_arn
    it additionally trusts the role itself (the self-assuming requirement).
    """
    if role_arn is None:
        return json.dumps(
            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {"AWS": [DATABRICKS_UC_MASTER_ROLE]},
                        "Action": "sts:AssumeRole",
                        "Condition": {"StringEquals": {"sts:ExternalId": test}},
                    }
                ],
            }
        )
    else:
        # role_arn is an Output, so the document must be serialised lazily;
        # the Output can be placed in the dict directly.
        return Output.json_dumps(
            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {"AWS": [DATABRICKS_UC_MASTER_ROLE, role_arn]},
                        "Action": "sts:AssumeRole",
                        "Condition": {"StringEquals": {"sts:ExternalId": test}},
                    }
                ],
            }
        )


role = aws.iam.Role(
    resource_name="Creating role for the Databricks metastore credentials",
    name="venkat-test-role",
    assume_role_policy=public_read_policy_for_bucket(),
    description="Grants Databricks metastore access to the root bucket",
)


# This second resource reuses the same explicit IAM name as `role`, so the
# CreateRole call fails with EntityAlreadyExists: two Pulumi resources cannot
# both manage the one IAM role.
aws.iam.Role(
    resource_name="Updating the Databricks metastore credentials 1",
    name="venkat-test-role",
    assume_role_policy=public_read_policy_for_bucket(role.arn),
    opts=pulumi.ResourceOptions(replace_on_changes=["*"], delete_before_replace=False),
)
```
The error I am getting is that the role already exists.