Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
i
icy-controller-6092
02/26/2023, 6:37 AMHow can I create a iam.Role that is self-assuming? the assumeRolePolicy would need to reference itself, which it cannot do
b
billowy-army-68599
02/26/2023, 5:02 PMcan you explain a little more what you’re trying to do? why do you need a role that is self assuming?
i
icy-controller-6092
02/26/2023, 11:58 PMHey there, I need to build a self-assuming role: https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/
This is to implement a role for databricks: https://docs.databricks.com/data-governance/unity-catalog/manage-external-locations-and-credentials.html (see the second bullet point under Step 1)
b
billowy-army-68599
02/27/2023, 12:01 AMyou’d need to create the role with an explicit name, you couldn’t reference it with a variable. Something like
const role = new aws.iam.Role("role", {
name: "myRole"
assumeRolePolicy: JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Sid: "",
Effect: "Allow",
Principal: {
AWS: ""arn:aws:iam::123456789012:role/myRole""
},
Action: "sts:AssumeRole",
},
],
}),
managedPolicyArns: [ "arn:aws:iam::aws:policy/AdministratorAccess" ],
});i
icy-controller-6092
02/27/2023, 12:02 AMAh okay, I was also thinking to maybe just put a wildcard where the pulumi-generated hash usually goes..
e.g.
new aws.iam.Role('xyz',…arn:aws:iam::123:role/xyz-*that way it would work across multiple environments (just, less securely hehe)
b
billowy-army-68599
02/27/2023, 12:03 AMthat might work, but ymmv
i
icy-controller-6092
02/27/2023, 2:35 AMyour suspicions were correct - it didn’t work 😔 because you can’t use partial wildcards in a principal ARN. I used your approach of statically naming the resource, but also appended
pulumi.getStack()that didn’t work either because the policy references the role before it exists… looking up some terraform posts and this is a very hard thing to do, I think in my case I’ll just comment out the role, run
upupb
billowy-army-68599
02/27/2023, 4:27 AMYou should be able to define the policy as a different role, use a waiter inside an apply to block the policy creation and then attach the policy via role policy attachment resource
i
icy-controller-6092
02/27/2023, 4:39 AMunfortunately this is for the
assumeRolePolicymore info here: https://github.com/hashicorp/terraform-provider-aws/issues/7922
b
billowy-army-68599
02/27/2023, 4:50 AMAh how funny
I guess you could create a cloudformation stack which creates an IAM role?