
icy-controller-6092

02/26/2023, 6:37 AM
How can I create an iam.Role that is self-assuming? The assumeRolePolicy would need to reference itself, which it cannot do.

billowy-army-68599

02/26/2023, 5:02 PM
can you explain a little more what you’re trying to do? why do you need a role that is self-assuming?

icy-controller-6092

02/26/2023, 11:58 PM
This is to implement a role for databricks: https://docs.databricks.com/data-governance/unity-catalog/manage-external-locations-and-credentials.html (see the second bullet point under Step 1)

billowy-army-68599

02/27/2023, 12:01 AM
you’d need to create the role with an explicit name, you couldn’t reference it with a variable. Something like
import * as aws from "@pulumi/aws";

// Give the role an explicit name so its ARN is known up front and can be
// written into its own trust policy (an output cannot reference itself).
const role = new aws.iam.Role("role", {
  name: "myRole",
  assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "",
        Effect: "Allow",
        Principal: {
          // Placeholder account ID; the role name must match `name` above.
          AWS: "arn:aws:iam::123456789012:role/myRole",
        },
        Action: "sts:AssumeRole",
      },
    ],
  }),
  managedPolicyArns: ["arn:aws:iam::aws:policy/AdministratorAccess"],
});

icy-controller-6092

02/27/2023, 12:02 AM
Ah okay, I was also thinking to maybe just put a wildcard where the pulumi-generated hash usually goes.. e.g. new aws.iam.Role('xyz',… and then arn:aws:iam::123:role/xyz-* ?
that way it would work across multiple environments (just, less securely hehe)

billowy-army-68599

02/27/2023, 12:03 AM
that might work, but ymmv

icy-controller-6092

02/27/2023, 2:35 AM
your suspicions were correct - it didn’t work 😔 because you can’t use partial wildcards in a principal ARN. I used your approach of statically naming the resource, but also appended pulumi.getStack() to the end of the name
that didn’t work either because the policy references the role before it exists… looking up some terraform posts and this is a very hard thing to do, I think in my case I’ll just comment out the role, run up, then uncomment and run up again

billowy-army-68599

02/27/2023, 4:27 AM
You should be able to define the policy as a different role, use a waiter inside an apply to block the policy creation and then attach the policy via role policy attachment resource

icy-controller-6092

02/27/2023, 4:39 AM
unfortunately this is for the assumeRolePolicy aka ‘trust relationships’ and I don’t think this type of policy supports lazy attachment (unlike inline/managed)

billowy-army-68599

02/27/2023, 4:50 AM
Ah how funny
I guess you could create a cloudformation stack which creates an IAM role?