Closed Mejato closed 3 years ago
There was an attempt to fix this very similar issue in https://github.com/aws/aws-cdk/pull/4915, but it was rejected.
@rix0rrr, do you think the stopgap solution in the aforementioned PR can be reevaluated, given that a better design has emerged since then?
@Mejato, does https://docs.aws.amazon.com/cdk/api/latest/python/aws_cdk.aws_iam/CompositePrincipal.html help you here?
@redbaron, yes thank you, it works perfectly fine here!
I'll close this issue as using the CompositePrincipal is the way to go here.
```python
from aws_cdk import core, aws_iam as iam


# This Class deploys the required Lake Formation roles
class LakeFormationRoles(core.Stack):
    def __init__(self, scope: core.Construct, construct_id: str, glue_role_name: str,
                 environment: str, aws_account_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        # Define Service Principals for definition of Composite Principal
        aws_lake_formation_principal = iam.ServicePrincipal(service='lakeformation.amazonaws.com')
        aws_glue_principal = iam.ServicePrincipal(service='glue.amazonaws.com')
        # Define Lake Formation Roles
        lake_formation_glue_role = iam.Role(
            self, id='lake-formation-glue-role',
            assumed_by=iam.CompositePrincipal(aws_lake_formation_principal, aws_glue_principal),
            description='This role is used by AWS Glue',
            # construct_glue_access_policy and construct_glue_lake_formation_access_policy
            # are methods of this stack that are not shown in the issue
            inline_policies={'KMS-CMK-Access': self.construct_glue_access_policy(),
                             'Lake-Formation-Access': self.construct_glue_lake_formation_access_policy(
                                 glue_role_name=glue_role_name,
                                 aws_account_id=aws_account_id,
                                 environment=environment)},
            managed_policies=[iam.ManagedPolicy.from_aws_managed_policy_name('service-role/AWSGlueServiceRole'),
                              iam.ManagedPolicy.from_aws_managed_policy_name('AmazonS3FullAccess')],
            role_name=glue_role_name.format(environment))
        self.lake_formation_glue_role = lake_formation_glue_role
```
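As an added example, not code from this issue, its reporter, or the aws-cdk project: the dependency-free Python below builds the trust policy (AssumeRolePolicyDocument) that a role shared by Lake Formation and Glue needs, i.e. one Allow statement for sts:AssumeRole whose Service principal lists both services, and audits a trust policy so that a role assumable by several services does not quietly become assumable by more than intended. Everything the role carries (here AmazonS3FullAccess plus the inline policies) is inherited by every principal in its trust policy, so the trust policy is the boundary worth checking in the synthesized template. Depending on CDK version and feature flags, CompositePrincipal may be rendered as one statement per principal or as a single merged statement; `assumable_by` accepts both. The optional `aws:SourceAccount` condition is a confused-deputy guard that is assumed to be honoured by the services in question; confirm that against each service's documentation before relying on it. The account id in the usage call is constructed.

```python
"""Trust-policy helpers for an IAM role assumable by several AWS services.

Added example, independent of the CDK: builds and audits the
AssumeRolePolicyDocument a Lake Formation + Glue role needs.
"""
import json


def build_trust_policy(services, source_account=None):
    """Return a trust policy letting each service principal in `services`
    call sts:AssumeRole.

    If `source_account` is given, an aws:SourceAccount condition is added so a
    service may only assume the role on behalf of resources in that account
    (confused-deputy guard). Assumption: the listed services honour the key.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"Service": sorted(set(services))},
        "Action": "sts:AssumeRole",
    }
    if source_account is not None:
        statement["Condition"] = {
            "StringEquals": {"aws:SourceAccount": str(source_account)}
        }
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    # IAM allows a scalar wherever a list is accepted; normalise to a list.
    return value if isinstance(value, list) else [value]


def assumable_by(doc):
    """Return the set of service principals permitted to assume the role.

    Handles Principal.Service given as a string or a list, and either one
    merged statement or one statement per principal. Only Allow statements
    that grant sts:AssumeRole (or sts:*) count.
    """
    result = set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*"}:
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            result.update(_as_list(principal.get("Service", [])))
    return result


def audit_trust_policy(doc, allowed_services):
    """Return a list of findings; an empty list means the trust policy is as expected.

    Flags a wildcard principal (anyone may assume the role), account/user
    principals on what should be a pure service role, and any service outside
    `allowed_services`.
    """
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append("wildcard principal: any identity may assume this role")
            continue
        if not isinstance(principal, dict):
            continue
        if "*" in _as_list(principal.get("AWS", [])):
            findings.append("Principal.AWS is '*': any AWS account may assume this role")
        elif principal.get("AWS"):
            findings.append("unexpected account/user principal: %s" % principal["AWS"])
        for svc in _as_list(principal.get("Service", [])):
            if svc not in allowed_services:
                findings.append("unexpected service principal: %s" % svc)
    return findings


# The two services the role in this issue must trust.
EXPECTED = {"lakeformation.amazonaws.com", "glue.amazonaws.com"}

if __name__ == "__main__":
    # "123456789012" is a constructed account id for the usage call.
    doc = build_trust_policy(EXPECTED, source_account="123456789012")
    print(json.dumps(doc, indent=2))
    print(sorted(assumable_by(doc)))
    print(audit_trust_policy(doc, EXPECTED))
```

Run `audit_trust_policy` over the `AssumeRolePolicyDocument` of every `AWS::IAM::Role` in the synthesized template (for example in a CI step after `cdk synth`) with the set of services each role is meant to trust; a later edit that adds a third service or an account principal then fails the build instead of silently widening who inherits the role's permissions.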
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
The iam.Role construct does not accept a list e.g [aws_cdk.aws_iam.ServicePrincipal] parameter
### Reproduction Steps
```python
from aws_cdk import core, aws_iam as iam


class LakeFormationRoles(core.Stack):
    def __init__(self, scope: core.Construct, construct_id: str, glue_role_name: str,
                 environment: str, aws_account_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        # Define Lake Formation Roles
        lake_formation_glue_role = iam.Role(
            self, id='lake-formation-glue-role',
            assumed_by=iam.ServicePrincipal(service='lakeformation.amazonaws.com'),
            description='This role is used by AWS Glue',
            # construct_glue_access_policy and construct_glue_lake_formation_access_policy
            # are methods of this stack that are not shown in the issue
            inline_policies={'KMS-CMK-Access': self.construct_glue_access_policy(),
                             'Lake-Formation-Access': self.construct_glue_lake_formation_access_policy(
                                 glue_role_name=glue_role_name,
                                 aws_account_id=aws_account_id,
                                 environment=environment)},
            managed_policies=[iam.ManagedPolicy.from_aws_managed_policy_name('service-role/AWSGlueServiceRole'),
                              iam.ManagedPolicy.from_aws_managed_policy_name('AmazonS3FullAccess')],
            role_name=glue_role_name.format(environment))
        self.lake_formation_glue_role = lake_formation_glue_role
```

### What did you expect to happen?

I expect to have the ability to define multiple iam.ServicePrincipal's for the assumed-by parameter, as I'm trying to achieve the following output while automating a Data Lake deployment using Lake Formation:
### What actually happened?

### Environment

### Other
Refer to the following AWS Lake Formation Workshop CloudFormation template:
https://aws-data-analytics-workshops.s3.amazonaws.com/lake-formation-workshop/cfn/lf-workshop.template
Line 530 contains the AssumeRolePolicyDocument noted above, and the role is assumed by both Lake Formation (Permissions for Data locations) and an AWS Glue job in order to successfully execute ETL jobs.
This is :bug: Bug Report