This message was deleted Pulumi Community #aws

Join Slack

This message was deleted.

# aws

sparse-intern-71089

02/26/2023, 6:37 AM

This message was deleted.

billowy-army-68599

02/26/2023, 5:02 PM

can you explain a little more what you’re trying to do? why do you need a role that is self assuming?

icy-controller-6092

02/26/2023, 11:58 PM

Hey there, I need to build a self-assuming role: https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/

icy-controller-6092

02/26/2023, 11:59 PM

This is to implement a role for databricks: https://docs.databricks.com/data-governance/unity-catalog/manage-external-locations-and-credentials.html (see the second bullet point under Step 1)

billowy-army-68599

02/27/2023, 12:01 AM

you’d need to create the role with an explicit name, you couldn’t reference it with a variable. Something like

Copy code

const role = new aws.iam.Role("role", {
  name: "myRole"
  assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "",
        Effect: "Allow",
        Principal: {
          AWS: ""arn:aws:iam::123456789012:role/myRole""
        },
        Action: "sts:AssumeRole",
      },
    ],
  }),
  managedPolicyArns: [ "arn:aws:iam::aws:policy/AdministratorAccess" ],
});

icy-controller-6092

02/27/2023, 12:02 AM

Ah okay, I was also thinking to maybe just put a wildcard where the pulumi-generated hash usually goes.. e.g.

new aws.iam.Role('xyz',…

and then

arn:aws:iam::123:role/xyz-*

icy-controller-6092

02/27/2023, 12:03 AM

that way it would work across multiple environments (just, less securely hehe)

billowy-army-68599

02/27/2023, 12:03 AM

that might work, but ymmv

icy-controller-6092

02/27/2023, 2:35 AM

your suspicions were correct - it didn’t work 😔 because you can’t use partial wildcards in a principal ARN. I used your approach of statically naming the resource, but also appended

pulumi.getStack()

to the end of the name

👍 1

icy-controller-6092

02/27/2023, 3:59 AM

that didn’t work either because the policy references the role before it exists… looking up some terraform posts and this is a very hard thing to do, I think in my case I’ll just comment out the role, run

up

then uncomment and run

up

again

billowy-army-68599

02/27/2023, 4:27 AM

You should be able to define the policy as a different role, use a waiter inside an apply to block the policy creation and then attach the policy via role policy attachment resource

icy-controller-6092

02/27/2023, 4:39 AM

unfortunately this is for the

assumeRolePolicy

aka ‘trust relationships’ and I don’t think this type of policy supports lazy attachment (unlike inline/managed)

icy-controller-6092

02/27/2023, 4:42 AM

more info here: https://github.com/hashicorp/terraform-provider-aws/issues/7922

billowy-army-68599

02/27/2023, 4:50 AM

Ah how funny

billowy-army-68599

02/27/2023, 4:50 AM

I guess you could create a cloudformation stack which creates an IAM role?

hallowed-fireman-90476

04/10/2024, 10:43 AM

@icy-controller-6092 are able to resolve this issue, i am facing it right now wondering whether you can share the steps to approach to solve it, Thanks

icy-controller-6092

04/10/2024, 12:22 PM

hi @hallowed-fireman-90476 - I don't have a nice solution sorry, I comment out the self-reference and do a deploy, and then comment it back in & do another deploy

hallowed-fireman-90476

04/10/2024, 1:31 PM

Even that how you did because i cannot modify the existing role assume policy

hallowed-fireman-90476

04/10/2024, 1:32 PM

Copy code

def public_read_policy_for_bucket(role_arn=None):
    if role_arn is None:
        return json.dumps(
            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"
                            ]
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {"StringEquals": {"sts:ExternalId": test}},
                    }
                ],
            }
        )
    else:
        return Output.json_dumps(
            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
                                Output.format(role_arn),
                            ]
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {"StringEquals": {"sts:ExternalId": test}},
                    }
                ],
            }
        )


role = aws.iam.Role(
    resource_name="Creating role for the Databricks metastore credentials",
    name="venkat-test-role",
    assume_role_policy=public_read_policy_for_bucket(),
    description="Grants Databricks metastore access to the root bucket",
)


aws.iam.Role(
    resource_name="Updating the Databricks metastore credentials 1",
    name="venkat-test-role",
    assume_role_policy=public_read_policy_for_bucket(role.arn),
    opts=pulumi.ResourceOptions( replace_on_changes=["*"], delete_before_replace=False),
)

The error i am getting the role is already exist

Open in Slack

Previous Next