Create Glue Job Using CloudFormation Template

0

I am trying to create a Glue job by executing CloudFormation template. Below are the IAM policies details:

  • test_glue_role : (AmazonS3FullAccess, AWSCloudFormationFullAccess)
  • test_cloudformation_role : (AWSGlueConsoleFullAccess, AmazonS3FullAccess)

The template.yml file is uploaded to an S3 bucket.

When I am trying to create the CloudFormation stack, every time it's throwing the below error:

Error: User: arn:aws:sts::300800030007:assumed-role/test_cloudformation_role/AWSCloudFormation is not authorized to perform: iam:PassRole on resource: arn:aws:iam::300800030007:role/test_glue_role because no identity-based policy allows the iam:PassRole action (Service: AWSGlue; Status Code: 400; Error Code: AccessDeniedException; Request ID: 883499f2-71ce-4c71-a6d4-6bfe49f23dc3; Proxy: null)

How to resolve this issue?

1 Answer
1
Accepted Answer

Hi There

The role you are using for CloudFormation doesn't have the required permissions to assign the role to Glue. You have to add the iam:PassRole permission to the policy assigned to test_cloudformation_role to allow it to pass the test_glue_role.

Example policy entry:

{
    "Action": [
        "iam:PassRole"
    ],
    "Resource": [
        "arn:aws:iam::123456789123:role/test_glue_role"
    ],
    "Effect": "Allow"
}

See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html for more info.

AWS
EXPERT
Matt-B
answered a year ago
  • Also see a nice explanation of Passrole here - https://blog.rowanudell.com/iam-passrole-explained/

  • Thank you! It is working now. Matt-B: I have a question. So whenever I want to create a Glue job by executing a CloudFormation template, I have to add an inline policy for [iam:PassRole] to the CloudFormation role (test_cloudformation_role). Or is there any ready-made policy which I can simply attach to my CloudFormation role?

  • You can be as permissive as you want with the policies, but it's always recommended to stick with the principle of least privilege. For example, in the resource block you could have "*", but that would allow the user to pass any role to the service. You might want to restrict which roles a certain user can pass. Suppose you have a set of Glue roles "glue_role_1, glue_role_2, glue_role_3". You could use something like "arn:aws:iam::123456789123:role/glue_role_*" in the resource section to allow this user to pass any of those 3 roles.
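As an added illustration of the least-privilege point made in the comments above (not code from the thread or from AWS), the following Python checks an IAM policy document for iam:PassRole statements that are wider than needed: a Resource of "*" or no `iam:PassedToService` condition pinning the role to the Glue service. Both policy documents are constructed examples, and the wildcard matching treats every condition operator as an exact string match for simplicity.

```python
import fnmatch
import json

# Constructed example policies (not from the page). GOOD restricts the role
# pattern and the consuming service; BAD lets the caller pass any role anywhere.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:PassRole"],
    "Resource": ["arn:aws:iam::123456789123:role/glue_role_*"],
    "Condition": {"StringEquals": {"iam:PassedToService": "glue.amazonaws.com"}},
}]})
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]})


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _passrole_allows(policy_json):
    """Yield (index, statement, passed_to_service) for Allow statements granting iam:PassRole."""
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(fnmatch.fnmatch("iam:passrole", a) for a in actions):
            continue
        # Flatten {"StringEquals": {"iam:PassedToService": ...}} into one key/value map.
        # Simplification: every condition operator is treated as an exact string match.
        conds = {k.lower(): v for op in stmt.get("Condition", {}).values() for k, v in op.items()}
        yield i, stmt, conds.get("iam:passedtoservice")


def passrole_findings(policy_json):
    """List (statement_index, message) for PassRole grants wider than least privilege."""
    findings = []
    for i, stmt, service in _passrole_allows(policy_json):
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, "Resource '*' lets the caller pass any role"))
        if service is None:
            findings.append((i, "no iam:PassedToService condition; role can be passed to any service"))
    return findings


def allows_passing(policy_json, role_arn, service):
    """True if the policy lets the caller pass role_arn to the given service principal."""
    for _, stmt, allowed_service in _passrole_allows(policy_json):
        if any(fnmatch.fnmatch(role_arn, r) for r in _as_list(stmt.get("Resource", []))):
            if allowed_service is None or service in _as_list(allowed_service):
                return True
    return False
```

Running `passrole_findings` over the policy you are about to attach to the CloudFormation role, and `allows_passing` with the Glue role ARN and "glue.amazonaws.com", confirms the grant covers exactly the roles the stack needs and nothing more.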
