Create Glue Job Using CloudFormation Template

0

I am trying to create a Glue job by executing CloudFormation template. Below are the IAM policies details:

  • test_glue_role : (AmazonS3FullAccess,AWSCloudFormationFullAccess)
  • test_cloudformation_role : (AWSGlueConsoleFullAccess,AmazonS3FullAccess) template.yml file is uploaded to S3 bucket.

When I am trying to create the cloudformation stack, every time its throwing the below error: Error: User: arn:aws:sts::300800030007:assumed-role/test_cloudformation_role/AWSCloudFormation is not authorized to perform: iam:PassRole on resource: arn:aws:iam::300800030007:role/test_glue_role because no identity-based policy allows the iam:PassRole action (Service: AWSGlue; Status Code: 400; Error Code: AccessDeniedException; Request ID: 883499f2-71ce-4c71-a6d4-6bfe49f23dc3; Proxy: null)

How to resolve this issue?

1 Resposta
2
Resposta aceita

Hi There

The role you are using for CloudFormation doesn't have the required permissions to assign the role to Glue. You have to add the iam:PassRole permission to the policy assigned to test_cloudformation_role to allow it to pass the test_glue_role.

example policy entry:

{
    "Action": [
        "iam:PassRole"
    ],
    "Resource": [
        "arn:aws:iam::123456789123:role/test_glue_role",
    ],
    "Effect": "Allow"
}

See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html for more info.

profile pictureAWS
ESPECIALISTA
respondido há 2 anos
profile picture
ESPECIALISTA
avaliado há 6 meses
  • Also see a nice explanation of Passrole here - https://blog.rowanudell.com/iam-passrole-explained/

  • Thank you! It is working now. Matt-B: I have a question, So whenever I want to create a glue job by executing CloudFormation template, I have add an inline policy for [iam:PassRole], with the CloudFormation role (test_cloudformation_role). Or is there any ready made policy which I can simply attach with my CloudFormation role.

  • You can be as permissive as you want with the policies but its always recommended to stick with the principle of least-privilege. For example, in the resource block you could have "*" but that would allow the user to pass any role to the service. You might want to restrict which roles a certain user can pass. Suppose you have a set of Glue Roles "glue_role_1, glue_role_2, glue_role_3". You could use something like "arn:aws:iam::123456789123:role/glue_role_*" in the resource section to allow this user to pass any of those 3 roles.

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas