1 Answer
Hi There
The role you are using for CloudFormation doesn't have the required permissions to assign the role to Glue. You have to add the iam:PassRole permission to the policy assigned to test_cloudformation_role to allow it to pass the test_glue_role.
Example policy entry (the trailing comma after the role ARN in the original would make the JSON invalid, so it is removed here):
{
    "Action": [
        "iam:PassRole"
    ],
    "Resource": [
        "arn:aws:iam::123456789123:role/test_glue_role"
    ],
    "Effect": "Allow"
}
See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html for more info.
Also see a nice explanation of Passrole here - https://blog.rowanudell.com/iam-passrole-explained/
Thank you! It is working now. Matt-B: I have a question. So whenever I want to create a Glue job by executing a CloudFormation template, I have to add an inline policy for [iam:PassRole] with the CloudFormation role (test_cloudformation_role). Or is there any ready-made policy which I can simply attach to my CloudFormation role?
You can be as permissive as you want with the policies, but it's always recommended to stick with the principle of least privilege. For example, in the resource block you could have "*", but that would allow the user to pass any role to the service. You might want to restrict which roles a certain user can pass. Suppose you have a set of Glue roles "glue_role_1, glue_role_2, glue_role_3". You could use something like "arn:aws:iam::123456789123:role/glue_role_*" in the resource section to allow this user to pass any of those 3 roles.
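The answer and the follow-up comment above explain why the Resource element of the iam:PassRole statement matters: "*" lets the caller hand any role in the account to a service, while an exact ARN or a prefix pattern such as role/glue_role_* narrows it. The script below is an added example, not code from the original thread or from AWS; it builds the PassRole statement for a list of role patterns and runs a simplified, offline imitation of IAM's evaluation (wildcard resource matching, default deny, explicit Deny wins) so the difference between the three resource choices can be seen on constructed role names. The role names glue_role_1..3 and AdminRole, the account id 123456789123 and the service principals are constructed test data; the iam:PassedToService condition key is a real IAM key that is not discussed in the thread and is included here as an extra restriction worth knowing about.

```python
import json
import re

ACCOUNT_ID = "123456789123"  # placeholder account id, as used in the original answer


def role_arn(name: str) -> str:
    """Return the IAM role ARN for a role name (or pattern) in the placeholder account."""
    return f"arn:aws:iam::{ACCOUNT_ID}:role/{name}"


def build_passrole_policy(role_patterns, passed_to_service=None):
    """Build a policy document granting iam:PassRole only for the given role patterns.

    role_patterns: role names or name patterns ("glue_role_*"), or "*" for any role.
    passed_to_service: optional service principal (e.g. "glue.amazonaws.com"); when
    set, the real IAM condition key iam:PassedToService pins the role to that service.
    """
    statement = {
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": [p if p == "*" else role_arn(p) for p in role_patterns],
    }
    if passed_to_service is not None:
        statement["Condition"] = {"StringEquals": {"iam:PassedToService": passed_to_service}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _glob_match(pattern: str, value: str) -> bool:
    """IAM-style matching for Action/Resource: '*' is any run of characters, '?' one character."""
    regex = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern) + "$"
    return re.match(regex, value) is not None


def _condition_holds(condition, context) -> bool:
    """Evaluate the StringEquals conditions used in this example against the request context."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":  # only the operator this example emits is modelled
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            allowed = expected if isinstance(expected, list) else [expected]
            if context.get(key) not in allowed:
                return False
    return True


def can_pass_role(policy, target_role_arn: str, service: str) -> bool:
    """Simplified IAM evaluation of iam:PassRole for one identity policy.

    Default deny; an applicable Allow grants; an applicable Deny overrides any Allow.
    """
    context = {"iam:PassedToService": service}
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(_glob_match(a, "iam:PassRole") for a in actions):
            continue
        if not any(_glob_match(r, target_role_arn) for r in resources):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def compare_policies():
    """Evaluate three resource choices against constructed roles when passing to Glue."""
    roles = ["glue_role_1", "glue_role_2", "glue_role_3", "AdminRole"]  # constructed names
    candidates = {
        "any_role": build_passrole_policy(["*"]),
        "glue_prefix": build_passrole_policy(["glue_role_*"]),
        "glue_prefix_glue_only": build_passrole_policy(["glue_role_*"], "glue.amazonaws.com"),
    }
    return {
        name: {role: can_pass_role(policy, role_arn(role), "glue.amazonaws.com") for role in roles}
        for name, policy in candidates.items()
    }


if __name__ == "__main__":
    print(json.dumps(build_passrole_policy(["glue_role_*"], "glue.amazonaws.com"), indent=2))
    for name, outcome in compare_policies().items():
        print(name, outcome)
```

Running the script prints the policy document you would attach to test_cloudformation_role and, for each variant, which constructed roles it could pass: the "*" variant passes AdminRole as well, which is the over-privilege the comment warns about, while the prefix variant stops at the glue_role_* set. The iam:PassedToService variant additionally refuses the same role when the consuming service is not Glue, which is the check you want if the CloudFormation role also creates Lambda or EC2 resources.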