We provision our AWS Glue Crawler with CloudFormation and while doing so ran into a bug. When I create a DB connection like this:
    GlueConnectionPostgres:
      Type: AWS::Glue::Connection
      Properties:
        CatalogId: !Ref AWS::AccountId
        ConnectionInput:
          Name: !Sub '${AWS::StackName}-${Environment}-connection'
          Description: "Connection to database."
          ConnectionType: "JDBC"
          PhysicalConnectionRequirements:
            SubnetId: !Ref DBSubnetId
            SecurityGroupIdList:
              - !Ref DBSecurityGroup
          ConnectionProperties: {
            "JDBC_CONNECTION_URL": !Ref JDBCConnectionString,
            "JDBC_ENFORCE_SSL": "true",
            "USERNAME": !Ref DBUsername,
            "PASSWORD": !Ref DBPassword
            }
The AWS Console shows the Glue connection, and it has the property "Require SSL connection" set to true. When I then start a crawler using that connection, it ends with the following error:
ERROR : Crawler cannot be started. Verify the permissions in the policies attached to the IAM role defined in the crawler.
If I now go back to the Glue connection -> click edit -> change "Require SSL connection" to "false", save it, and then switch it back to true, my crawler works. When I delete my CloudFormation stack and recreate it, I can reproduce that behavior. I guess that is a bug.
P.S.: Tried it as boolean ("JDBC_ENFORCE_SSL": true) as well, same effect.
Would switching to using Secrets Manager be a more reliable way? https://docs.aws.amazon.com/glue/latest/dg/connection-properties-secrets-manager.html