A problem has occurred during connection: Unable to assume role 'arn:aws:iam::<account_id>:role/<my_role>'

0

Hello, I've been trying to set up DataZone (the blueprint is Default Data Lake). When I try to open the data portal with an IAM role, I receive the following message: A problem has occurred during connection: Unable to assume role 'arn:aws:iam::<account_id>:role/<my_role>'

I didn't find how to configure the ExecutionRole's policy correctly.

  # Fragment of the AWS::IAM::Role properties; the AssumeRolePolicyDocument (trust policy) is not shown here.
  Policies:
    - PolicyName: DataLakeAccessPolicy
      PolicyDocument:
        Version: '2012-10-17'   # quoted so the YAML parser does not read it as a date
        Statement:
          - Effect: Allow
            Action:
              - kms:*
            Resource: !GetAtt KmsStack.Outputs.EncryptionKeyArn
          - Effect: Allow
            Action:
              - datazone:ListDomains
              - datazone:ListEnvironmentBlueprintConfigurations
              - datazone:PutEnvironmentBlueprintConfiguration
              - datazone:GetDomain
              - datazone:GetEnvironmentBlueprintConfiguration
              - datazone:ListEnvironmentBlueprints
              - datazone:GetEnvironmentBlueprint
              - datazone:ListAccountEnvironments
              - datazone:DeleteEnvironmentBlueprintConfiguration
              - datazone:GetIamPortalLoginUrl  # access to portal
              - ram:*   # unscoped wildcards: every RAM and SSO action on every resource
              - sso:*
            Resource: '*'
  ManagedPolicyArns:
    - arn:aws:iam::aws:policy/service-role/AmazonDataZoneDomainExecutionRolePolicy
    - arn:aws:iam::aws:policy/AmazonDataZoneRedshiftGlueProvisioningPolicy
    - arn:aws:iam::aws:policy/AmazonAthenaFullAccess
    - arn:aws:iam::aws:policy/AmazonS3FullAccess

Thanks.

I checked these posts:

asked 3 months ago · 110 views
1 Answer
0
Accepted Answer

Hello, thank you for sending your question regarding execution role policy configuration for your DataZone. To assume a role, you need to follow these steps:

  1. Create an IAM role: First, you need to create an IAM role that defines the permissions and trust relationship for the role. You can do this in the AWS Management Console, the AWS CLI, or through AWS CloudFormation. Refer to DataZone custom policy.
  2. Grant a trust relationship: When creating the role, you need to specify a trust relationship that defines which AWS accounts, services, or identities are allowed to assume the role.
  3. Define permissions: Attach one or more IAM policies to the role to grant the desired permissions. These policies define what actions and resources the role can access. Kindly refer also to Assume IAM Role for more information. For more clarifications on DataZone IAM policies, please also go through DataZone IAM policies. I hope you find this information helpful. Good day!
AWS
answered 3 months ago
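The three steps above as one CloudFormation template, added here as an illustration and not code from the post or from AWS: a complete AWS::IAM::Role that carries the trust relationship the post's fragment leaves out, since a role with no trust statement for the caller is exactly what produces "Unable to assume role". It assumes the role in the error message is the DataZone domain execution role, which the datazone.amazonaws.com service principal assumes; the trust statement follows the pattern AWS documents for that role (assumed, check it against the current DataZone docs), the inline KMS actions are a narrowed, assumed set in place of the post's kms:* (widen them if provisioning needs more), and the EncryptionKeyArn parameter and the role name are placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: DataZone domain execution role with trust policy (added example, not from the post)

Parameters:
  EncryptionKeyArn:
    Type: String
    Description: ARN of the domain's KMS key (placeholder; the post reads it from a nested stack output)

Resources:
  DataZoneExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: my_role   # placeholder taken from the post's error message
      # Step 2: trust relationship. Only the DataZone service may assume this role,
      # only from this account, and only with session tags that DataZone sets
      # (assumed to follow the DataZone docs pattern for the domain execution role).
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DataZoneDomainExecutionTrust
            Effect: Allow
            Principal:
              Service: datazone.amazonaws.com
            Action:
              - sts:AssumeRole
              - sts:TagSession
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              ForAllValues:StringLike:
                aws:TagKeys: datazone*
      # Step 3: permissions. The AWS managed policy carries the DataZone API actions;
      # the inline statements stay scoped to the one key and the portal login call.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonDataZoneDomainExecutionRolePolicy
      Policies:
        - PolicyName: DataLakeAccessPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:   # assumed minimal set instead of kms:*
                  - kms:Encrypt
                  - kms:Decrypt
                  - kms:GenerateDataKey*
                  - kms:DescribeKey
                Resource: !Ref EncryptionKeyArn
              - Effect: Allow
                Action: datazone:GetIamPortalLoginUrl
                Resource: '*'

Outputs:
  RoleArn:
    Value: !GetAtt DataZoneExecutionRole.Arn
```

Deploy it with `aws cloudformation deploy --template-file role.yaml --stack-name datazone-execution-role --capabilities CAPABILITY_NAMED_IAM --parameter-overrides EncryptionKeyArn=<key_arn>`; `CAPABILITY_NAMED_IAM` is required because the template sets RoleName. To check an existing role before changing anything, `aws iam get-role --role-name my_role --query Role.AssumeRolePolicyDocument` prints the trust policy that is actually in place: if the principal making the sts:AssumeRole call (the DataZone service here, or an IAM user or role if the role is meant for a person) is not allowed by one of its statements, the error in the title is the expected outcome regardless of what the permission policies grant.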
