Create Glue Job Using CloudFormation Template


I am trying to create a Glue job by executing a CloudFormation template. Below are the IAM policy details:

  • test_glue_role : (AmazonS3FullAccess, AWSCloudFormationFullAccess)
  • test_cloudformation_role : (AWSGlueConsoleFullAccess, AmazonS3FullAccess)

The template.yml file is uploaded to an S3 bucket.

When I try to create the CloudFormation stack, every time it throws the below error:

Error: User: arn:aws:sts::300800030007:assumed-role/test_cloudformation_role/AWSCloudFormation is not authorized to perform: iam:PassRole on resource: arn:aws:iam::300800030007:role/test_glue_role because no identity-based policy allows the iam:PassRole action (Service: AWSGlue; Status Code: 400; Error Code: AccessDeniedException; Request ID: 883499f2-71ce-4c71-a6d4-6bfe49f23dc3; Proxy: null)

How to resolve this issue?

1 Answer
Accepted Answer

Hi There

The role you are using for CloudFormation doesn't have the required permissions to assign the role to Glue. You have to add the iam:PassRole permission to the policy assigned to test_cloudformation_role to allow it to pass the test_glue_role.

Example policy entry (a statement to add to the policy attached to test_cloudformation_role):

{
    "Action": [
        "iam:PassRole"
    ],
    "Resource": [
        "arn:aws:iam::123456789123:role/test_glue_role"
    ],
    "Effect": "Allow"
}

See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html for more info.

AWS EXPERT Matt-B
answered 2 years ago
reviewed 4 months ago by an EXPERT
  • Also see a nice explanation of Passrole here - https://blog.rowanudell.com/iam-passrole-explained/

  • Thank you! It is working now. Matt-B: I have a question. So whenever I want to create a Glue job by executing a CloudFormation template, I have to add an inline policy for [iam:PassRole] to the CloudFormation role (test_cloudformation_role). Or is there any ready-made policy which I can simply attach to my CloudFormation role?

  • You can be as permissive as you want with the policies, but it's always recommended to stick with the principle of least privilege. For example, in the resource block you could have "*", but that would allow the user to pass any role to the service. You might want to restrict which roles a certain user can pass. Suppose you have a set of Glue roles "glue_role_1, glue_role_2, glue_role_3". You could use something like "arn:aws:iam::123456789123:role/glue_role_*" in the resource section to allow this user to pass any of those 3 roles.
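The answer and the follow-up comment describe two things worth checking before attaching a PassRole statement: which roles a given Resource pattern actually matches (exact ARN, "glue_role_*", or "*"), and whether the statement is further pinned to the consuming service with the iam:PassedToService condition key, so the CloudFormation role cannot pass the same role to, say, Lambda. The script below is an added example, not code from the original post or from AWS; it is a deliberately small offline evaluator for iam:PassRole statements that models IAM's "*" / "?" resource wildcards, explicit-deny-wins ordering, and only the iam:PassedToService condition key. The account ID, role names and the two policy documents are constructed for illustration. It is not a substitute for the IAM policy simulator (aws iam simulate-principal-policy): it ignores SCPs, permission boundaries, NotAction/NotResource and every other condition key, treating any unmodeled condition as not satisfied.

```python
"""Offline check of which roles an identity-based policy lets a principal pass
(iam:PassRole), and to which service. Added example; simplified model of IAM."""
import re


def _wildcard_to_regex(pattern: str) -> re.Pattern:
    # IAM policy wildcards: '*' matches any run of characters, '?' exactly one.
    # Everything else is literal, so escape it.
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: dict, service: str) -> bool:
    """Only iam:PassedToService with StringEquals / StringLike is modeled.
    Any other operator or key is treated as NOT satisfied (conservative)."""
    for operator, key_values in condition.items():
        for key, values in key_values.items():
            if key.lower() != "iam:passedtoservice":
                return False
            values = _as_list(values)
            if operator == "StringEquals":
                if service not in values:
                    return False
            elif operator == "StringLike":
                if not any(_wildcard_to_regex(v).match(service) for v in values):
                    return False
            else:
                return False
    return True


def can_pass_role(policy: dict, role_arn: str, service: str) -> bool:
    """True if the policy allows iam:PassRole on role_arn to the given service.
    Mirrors IAM ordering: an applicable explicit Deny beats any Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive and may themselves contain wildcards.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(_wildcard_to_regex(a).match("iam:passrole") for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(_wildcard_to_regex(r).match(role_arn) for r in resources):
            continue
        if not _condition_matches(stmt.get("Condition", {}), service):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def passable_roles(policy: dict, candidate_arns: list, service: str) -> list:
    """Subset of candidate_arns that the policy lets the principal pass to service."""
    return [arn for arn in candidate_arns if can_pass_role(policy, arn, service)]


# Constructed example policies. The account ID and role names are illustrative.
PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}],
}

LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": ["arn:aws:iam::123456789123:role/glue_role_*"],
        # Pin the statement to Glue so the same role cannot be passed to other services.
        "Condition": {"StringEquals": {"iam:PassedToService": "glue.amazonaws.com"}},
    }],
}

CANDIDATES = [
    "arn:aws:iam::123456789123:role/glue_role_1",
    "arn:aws:iam::123456789123:role/glue_role_2",
    "arn:aws:iam::123456789123:role/test_glue_role",
    "arn:aws:iam::123456789123:role/AdminRole",
]

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("least-privilege", LEAST_PRIVILEGE)):
        for svc in ("glue.amazonaws.com", "lambda.amazonaws.com"):
            print(name, svc, passable_roles(policy, CANDIDATES, svc))
```

Running the script shows the difference the comment describes: the "*" statement lets the CloudFormation role pass every candidate, including AdminRole, to any service, while the glue_role_* statement with the iam:PassedToService condition passes only glue_role_1 and glue_role_2, and only to Glue. A first answer to the "is there a ready-made policy" question falls out of this as well: a managed policy cannot know your role names, so the PassRole statement has to name (or pattern-match) the roles you actually intend to hand to Glue.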
