# aws
b
can you explain a little more what you’re trying to do? why do you need a role that is self assuming?
i
This is to implement a role for databricks: https://docs.databricks.com/data-governance/unity-catalog/manage-external-locations-and-credentials.html (see the second bullet point under Step 1)
b
you’d need to create the role with an explicit name; you couldn’t reference it with a variable. Something like

```typescript
import * as aws from "@pulumi/aws";

// The role is given a fixed name so its own ARN can be written statically
// in the trust policy (a self-assuming role). Replace the account ID.
const role = new aws.iam.Role("role", {
  name: "myRole",
  assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "",
        Effect: "Allow",
        Principal: {
          AWS: "arn:aws:iam::123456789012:role/myRole",
        },
        Action: "sts:AssumeRole",
      },
    ],
  }),
  managedPolicyArns: ["arn:aws:iam::aws:policy/AdministratorAccess"],
});
```
i
Ah okay, I was also thinking to maybe just put a wildcard where the pulumi-generated hash usually goes... e.g. `new aws.iam.Role('xyz',…` and then `arn:aws:iam::123:role/xyz-*` ?
that way it would work across multiple environments (just, less securely hehe)
b
that might work, but ymmv
i
your suspicions were correct - it didn’t work 😔 because you can’t use partial wildcards in a principal ARN. I used your approach of statically naming the resource, but also appended `pulumi.getStack()` to the end of the name
that didn’t work either because the policy references the role before it exists… looking up some terraform posts and this is a very hard thing to do, I think in my case I’ll just comment out the role, run `up`, then uncomment and run `up` again
b
You should be able to define the policy as a different role, use a waiter inside an apply to block the policy creation and then attach the policy via role policy attachment resource
i
unfortunately this is for the `assumeRolePolicy` aka ‘trust relationships’ and I don’t think this type of policy supports lazy attachment (unlike inline/managed)
b
Ah how funny
I guess you could create a cloudformation stack which creates an IAM role?
h
@icy-controller-6092 were you able to resolve this issue? I am facing it right now and was wondering whether you could share the steps you took to solve it. Thanks
i
hi @hallowed-fireman-90476 - I don't have a nice solution sorry, I comment out the self-reference and do a deploy, and then comment it back in & do another deploy
h
Even so, how did you do that? Because I cannot modify the existing role’s assume policy
```python
import json

import pulumi
import pulumi_aws as aws
from pulumi import Output

# Assumed: the sts:ExternalId value comes from stack config. The original
# snippet referenced an undefined name `test` here.
test = pulumi.Config().require("externalId")

# Databricks Unity Catalog master role that must be allowed to assume the role.
DATABRICKS_UC_MASTER_ROLE_ARN = (
    "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"
)


def public_read_policy_for_bucket(role_arn=None):
    """Trust policy for the metastore role.

    With no role_arn only the Databricks master role may assume the role.
    With role_arn (a pulumi Output) the role is also allowed to assume itself,
    as the Databricks docs require.
    """
    principals = [DATABRICKS_UC_MASTER_ROLE_ARN]
    if role_arn is not None:
        principals.append(role_arn)

    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": test}},
            }
        ],
    }

    if role_arn is None:
        return json.dumps(policy)
    # Output.json_dumps resolves the Output-valued ARN before serialising.
    return Output.json_dumps(policy)


role = aws.iam.Role(
    resource_name="Creating role for the Databricks metastore credentials",
    name="venkat-test-role",
    assume_role_policy=public_read_policy_for_bucket(),
    description="Grants Databricks metastore access to the root bucket",
)

# Second declaration with the same physical name: this is the step that
# fails with "role already exists", because it asks AWS to create another
# role rather than updating the trust policy of the one created above.
aws.iam.Role(
    resource_name="Updating the Databricks metastore credentials 1",
    name="venkat-test-role",
    assume_role_policy=public_read_policy_for_bucket(role.arn),
    opts=pulumi.ResourceOptions(replace_on_changes=["*"], delete_before_replace=False),
)
```
The error I am getting is that the role already exists