Setting IAM Policy within Terraform

Time:01-08

I am having troubles setting an IAM Policy following documentation on Terraform. While trying to assign this policy to my S3 Bucket using this documentation from databricks,

the following error is being returned: "Policy document should not specify a principal."

You may reproduce using the following code section

resource "aws_iam_policy" "databricks_bucket_policy" {
  name        = "databrick_bucket_policy"
  path        = "/"
  description = "A policy for Databricks S3 Bucket"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : [
            "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
            "arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/<THIS_ROLE_NAME>"
          ]
        },
        "Action" : "sts:AssumeRole",
        "Condition" : {
          "StringEquals" : {
            "sts:ExternalId" : "<DATABRICKS_ACCOUNT_ID>"
          }
        }
      }
    ]
  })
}

I've tried following this terraform doc but it is not fully understood. I would appreciate if someone could clarify on how this can be done.

CodePudding user response:

You are trying to create an aws_iam_policy resource and assign it to an S3 bucket, but you can only assign an aws_s3_bucket_policy to a bucket. An IAM policy is assigned to users or roles, so you never specify a principal in an IAM policy because it is directly assigned to the principal it is applied to.

By contrast, a resource policy, such as the S3 bucket policy, is assigned to a resource, and you specify the principals that you are granting or denying access to the resource.

Now, looking at the Databricks documentation, it appears what they are giving you in step 3 of the documentation is a trust relationship. Step 4 has the IAM policy. They are also instructing you to create an IAM Role, not an S3 bucket policy.

It appears that what you are being instructed to do is create an IAM role that Databricks can assume, that gives Databricks access to the S3 bucket in your account. You are not being instructed to create an S3 bucket policy at all.

Your Terraform should look like this:

resource "aws_iam_role" "databricks_role" {
  name = "databricks_role"

  assume_role_policy = jsonencode(
    # The JSON from Step 3 goes here
  )
}

resource "aws_iam_policy" "databricks_role_policy" {
  name        = "databrick_role_policy"
  path        = "/"
  description = "A policy for Databricks IAM Role"

  policy = jsonencode(
    # The JSON from Step 4 goes here
  )
}

resource "aws_iam_role_policy_attachment" "databricks_role" {
  role       = aws_iam_role.databricks_role.name
  policy_arn = aws_iam_policy.databricks_role_policy.arn
}
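The following is an added, complete version of the configuration the answer sketches; it is not code from the question, the answer, or Databricks. It uses the trust-relationship JSON the question posted (the Databricks principal ARN, the self-referencing role ARN and the sts:ExternalId condition) as the role's assume_role_policy, and keeps the principal-free permissions policy separate. The actual Step 4 permissions JSON is not reproduced on this page, so the bucket_access statements below are an assumed stand-in scoped to a single bucket; the bucket name, the ExternalId value and the AWS provider configuration are placeholders/assumptions as labelled in the comments. It also uses the provider's aws_iam_policy_document data source instead of jsonencode, which is an equivalent way to produce the policy JSON.

```hcl
# Added example, not the question's or answer's code.
# Assumptions: the AWS provider is already configured; local.bucket_name and
# the ExternalId value are placeholders; the bucket_access statements stand in
# for the Step 4 policy that is not shown on the page.

data "aws_caller_identity" "current" {}

locals {
  role_name   = "databricks_role"
  bucket_name = "<YOUR_BUCKET_NAME>" # placeholder, not a real bucket

  # The trust policy on the page lists the role itself as a principal.
  # Building the ARN by hand avoids referencing aws_iam_role.databricks_role.arn
  # inside its own assume_role_policy, which would be a dependency cycle.
  self_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${local.role_name}"
}

# Trust relationship (the question's "Step 3" JSON): WHO may assume the role.
# Principals and the ExternalId condition belong here, not in the permissions policy.
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
        local.self_role_arn,
      ]
    }

    # ExternalId check from the question's JSON; the value is a placeholder as on the page.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = ["<DATABRICKS_ACCOUNT_ID>"]
    }
  }
}

resource "aws_iam_role" "databricks_role" {
  name               = local.role_name
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Permissions policy: WHAT the role may do. There is no Principal block here;
# putting one in an aws_iam_policy is exactly what raised
# "Policy document should not specify a principal".
# Assumed stand-in for the Step 4 JSON, limited to one bucket.
data "aws_iam_policy_document" "bucket_access" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::${local.bucket_name}/*"]
  }

  statement {
    effect    = "Allow"
    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = ["arn:aws:s3:::${local.bucket_name}"]
  }
}

resource "aws_iam_policy" "databricks_role_policy" {
  name        = "databrick_role_policy"
  path        = "/"
  description = "A policy for Databricks IAM Role"
  policy      = data.aws_iam_policy_document.bucket_access.json
}

resource "aws_iam_role_policy_attachment" "databricks_role" {
  role       = aws_iam_role.databricks_role.name
  policy_arn = aws_iam_policy.databricks_role_policy.arn
}
```

One caveat worth knowing before the first apply: IAM validates that every AWS principal ARN in a trust policy exists at the time the policy is written, so the self-referencing entry in local.self_role_arn can be rejected on the very first creation of the role. If that happens, create the role with only the Databricks principal first and add the self-reference on a second apply. Separately, the sts:ExternalId condition is the control that prevents a third party from assuming this role on behalf of a different Databricks account, so keep it in the trust policy rather than dropping it to make the error go away.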