This message was deleted.

sparse-intern-71089

02/26/2023, 6:37 AM

This message was deleted.

billowy-army-68599

02/26/2023, 5:02 PM

can you explain a little more what you’re trying to do? why do you need a role that is self assuming?

icy-controller-6092

02/26/2023, 11:58 PM

Hey there, I need to build a self-assuming role: https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior/

icy-controller-6092

02/26/2023, 11:59 PM

This is to implement a role for databricks: https://docs.databricks.com/data-governance/unity-catalog/manage-external-locations-and-credentials.html (see the second bullet point under Step 1)

billowy-army-68599

02/27/2023, 12:01 AM

you’d need to create the role with an explicit name, you couldn’t reference it with a variable. Something like

Copy code

const role = new aws.iam.Role("role", {
  name: "myRole"
  assumeRolePolicy: JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "",
        Effect: "Allow",
        Principal: {
          AWS: ""arn:aws:iam::123456789012:role/myRole""
        },
        Action: "sts:AssumeRole",
      },
    ],
  }),
  managedPolicyArns: [ "arn:aws:iam::aws:policy/AdministratorAccess" ],
});

icy-controller-6092

02/27/2023, 12:02 AM

Ah okay, I was also thinking to maybe just put a wildcard where the pulumi-generated hash usually goes.. e.g.

new aws.iam.Role('xyz',…

and then

arn:aws:iam::123:role/xyz-*

icy-controller-6092

02/27/2023, 12:03 AM

that way it would work across multiple environments (just, less securely hehe)

billowy-army-68599

02/27/2023, 12:03 AM

that might work, but ymmv

icy-controller-6092

02/27/2023, 2:35 AM

your suspicions were correct - it didn’t work 😔 because you can’t use partial wildcards in a principal ARN. I used your approach of statically naming the resource, but also appended

pulumi.getStack()

to the end of the name

👍 1

icy-controller-6092

02/27/2023, 3:59 AM

that didn’t work either because the policy references the role before it exists… looking up some terraform posts and this is a very hard thing to do, I think in my case I’ll just comment out the role, run

up

then uncomment and run

up

again

billowy-army-68599

02/27/2023, 4:27 AM

You should be able to define the policy as a different role, use a waiter inside an apply to block the policy creation and then attach the policy via role policy attachment resource

icy-controller-6092

02/27/2023, 4:39 AM

unfortunately this is for the

assumeRolePolicy

aka ‘trust relationships’ and I don’t think this type of policy supports lazy attachment (unlike inline/managed)

icy-controller-6092

02/27/2023, 4:42 AM

more info here: https://github.com/hashicorp/terraform-provider-aws/issues/7922

billowy-army-68599

02/27/2023, 4:50 AM

Ah how funny

billowy-army-68599

02/27/2023, 4:50 AM

I guess you could create a cloudformation stack which creates an IAM role?

hallowed-fireman-90476

04/10/2024, 10:43 AM

@icy-controller-6092 are able to resolve this issue, i am facing it right now wondering whether you can share the steps to approach to solve it, Thanks

icy-controller-6092

04/10/2024, 12:22 PM

hi @hallowed-fireman-90476 - I don't have a nice solution sorry, I comment out the self-reference and do a deploy, and then comment it back in & do another deploy

hallowed-fireman-90476

04/10/2024, 1:31 PM

Even that how you did because i cannot modify the existing role assume policy

hallowed-fireman-90476

04/10/2024, 1:32 PM

Copy code

def public_read_policy_for_bucket(role_arn=None):
    if role_arn is None:
        return json.dumps(
            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"
                            ]
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {"StringEquals": {"sts:ExternalId": test}},
                    }
                ],
            }
        )
    else:
        return Output.json_dumps(
            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "AWS": [
                                "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
                                Output.format(role_arn),
                            ]
                        },
                        "Action": "sts:AssumeRole",
                        "Condition": {"StringEquals": {"sts:ExternalId": test}},
                    }
                ],
            }
        )


role = aws.iam.Role(
    resource_name="Creating role for the Databricks metastore credentials",
    name="venkat-test-role",
    assume_role_policy=public_read_policy_for_bucket(),
    description="Grants Databricks metastore access to the root bucket",
)


aws.iam.Role(
    resource_name="Updating the Databricks metastore credentials 1",
    name="venkat-test-role",
    assume_role_policy=public_read_policy_for_bucket(role.arn),
    opts=pulumi.ResourceOptions( replace_on_changes=["*"], delete_before_replace=False),
)

The error i am getting the role is already exist

Open in Slack

Previous Next

Pulumi Community

No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.