
Update UC example to allow role to assume-itself (databricks#118)
* Update UC example to allow role to assume-itself

* Add role to trust policy

* Fix indentation

* Fixes

* More fixes

* Remove unnecessary permissions
hectorcast-db authored Feb 8, 2024
1 parent fb433a0 commit 57e9a1b
Showing 3 changed files with 37 additions and 4 deletions.
25 changes: 23 additions & 2 deletions examples/aws-databricks-uc/unity_catalog_infra.tf
Expand Up @@ -34,6 +34,20 @@ data "aws_iam_policy_document" "passrole_for_uc" {
values = [var.databricks_account_id]
}
}
statement {
sid = "ExplicitSelfRoleAssumption"
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
identifiers = ["arn:aws:iam::${var.aws_account_id}:root"]
type = "AWS"
}
condition {
test = "ArnEquals"
variable = "aws:PrincipalArn"
values = ["arn:aws:iam::${var.aws_account_id}:role/${local.prefix}-uc-access"]
}
}
}

resource "aws_iam_policy" "unity_metastore" {
Expand All @@ -44,9 +58,7 @@ resource "aws_iam_policy" "unity_metastore" {
{
"Action" : [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject",
"s3:ListBucket",
"s3:GetBucketLocation"
Expand All @@ -56,6 +68,15 @@ resource "aws_iam_policy" "unity_metastore" {
"${aws_s3_bucket.metastore.arn}/*"
],
"Effect" : "Allow"
},
{
"Action" : [
"sts:AssumeRole"
],
"Resource" : [
"arn:aws:iam::${var.aws_account_id}:role/${local.prefix}-uc-access"
],
"Effect" : "Allow"
}
]
})
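Review bot: The cross-account role's ARN is hand-built twice in this file, once in the trust statement's `values = ["arn:aws:iam::${var.aws_account_id}:role/${local.prefix}-uc-access"]` and again in the `sts:AssumeRole` resource list of `unity_metastore`, so a later rename of the role would silently leave one of the two stale and break self-assumption without a plan-time error. Hoisting it into a local, e.g. `uc_role_arn = "arn:aws:iam::${var.aws_account_id}:role/${local.prefix}-uc-access"`, and referencing `local.uc_role_arn` in both places keeps the trust and permission sides in step (a direct resource reference is presumably not possible here, since the `passrole_for_uc` document looks like the role's own trust policy). The new `ExplicitSelfRoleAssumption` statement would also benefit from a comment on why a role trusts itself, e.g. `# Unity Catalog needs this role to be able to assume itself; trust is granted to the account root but narrowed by the aws:PrincipalArn condition to this role only.` Both `passrole_for_uc` and `unity_metastore` start before their hunks.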
5 changes: 5 additions & 0 deletions examples/aws-databricks-uc/variables.tf
Expand Up @@ -11,6 +11,11 @@ variable "databricks_account_id" {
description = "Databricks Account ID"
}

variable "aws_account_id" {
type = string
description = "(Required) AWS account ID where the cross-account role for Unity Catalog will be created"
}

variable "region" {
type = string
description = "AWS region to deploy to"
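Review bot: `aws_account_id` is only typed as `string`, so a mistyped or wrong-account value is not caught at plan time; it would instead yield a trust statement naming a different account's root principal, or a role ARN that never matches the `aws:PrincipalArn` condition, and the failure would only surface when the role tries to assume itself. Since the example creates the role in the account the AWS provider is configured for, deriving the ID from `data "aws_caller_identity"` instead of an input would remove the possibility of a mismatch altogether. If the variable is kept, the `validation` block below rejects anything that is not a 12-digit account ID.

```hcl
variable "aws_account_id" {
  # … unchanged: type and description …
  validation {
    condition     = can(regex("^[0-9]{12}$", var.aws_account_id))
    error_message = "aws_account_id must be a 12-digit AWS account ID."
  }
}
```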
11 changes: 9 additions & 2 deletions modules/aws-databricks-unity-catalog/uc_cross_account_role.tf
Expand Up @@ -39,9 +39,7 @@ resource "aws_iam_policy" "unity_metastore" {
{
"Action" : [
"s3:GetObject",
"s3:GetObjectVersion",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteObject",
"s3:ListBucket",
"s3:GetBucketLocation"
Expand All @@ -51,6 +49,15 @@ resource "aws_iam_policy" "unity_metastore" {
"${aws_s3_bucket.metastore.arn}/*"
],
"Effect" : "Allow"
},
{
"Action" : [
"sts:AssumeRole"
],
"Resource" : [
"arn:aws:iam::${var.aws_account_id}:role/${var.prefix}-uc-access"
],
"Effect" : "Allow"
}
]
})
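Review bot: The new statement grants the module's role `sts:AssumeRole` on its own ARN, but no trust-policy change for the module is visible in this commit (the diffstat lists only this file under `modules/`), and self-assumption needs the role's trust policy to allow it as well as the identity policy; unless the module's trust policy already carries a self-assumption statement like the `ExplicitSelfRoleAssumption` one added to the example, this permission is inert. The resource ARN also depends on `var.aws_account_id`, which this commit does not add to the module's variables, so it presumably already exists there; that is worth confirming, and inside a module `data.aws_caller_identity` would avoid callers passing an account ID that does not match the provider. The `unity_metastore` policy starts before the hunk.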

0 comments on commit 57e9a1b
