databricks / terraform-databricks-sra

The Security Reference Architecture (SRA) implements typical security features as Terraform Templates that are deployed by most high-security organizations, and enforces controls for the largest risks that customers ask about most often.

[AWS] [Investigating] Self-assume role trust policy #37

Closed JDBraun closed 6 months ago

JDBraun commented 6 months ago

https://github.com/databricks/terraform-databricks-sra/blob/45e5e50a81f2741b5407d37c6a74654db63472bc/aws/tf/modules/sra/databricks_account/uc_init/unity_catalog_creation.tf#L25

Verifying that this does in fact work given the change to self-assume IAM policies or if this needs to be changed.

JDBraun commented 6 months ago

After testing, it seems like this will work if the assume role is in the trust policy and in the role policy; if you remove the latter then it will not work. So closing for now.
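A way to check the condition reported in the comment above, that the role's own ARN appears both as a principal in its trust policy and as an `sts:AssumeRole` resource in its role policy. This is an added example, not code from the thread or from the SRA repository; the role ARN, external principal, bucket and function names are constructed placeholders, and the check uses exact matching only (no action wildcards such as `sts:Assume*`, no `Condition` or explicit `Deny` evaluation).

```python
# Constructed sample values: account IDs, role names and bucket are placeholders.
ROLE_ARN = "arn:aws:iam::111122223333:role/example-uc-role"
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::444455556666:role/example-external-principal", ROLE_ARN]},
}]}
SAMPLE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [ROLE_ARN]},
]}

def _as_list(value):
    """IAM JSON accepts either a single value or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _allow_assume_statements(policy):
    """Yield Allow statements whose Action covers sts:AssumeRole."""
    for stmt in _as_list(policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") == "Allow" and actions & {"sts:assumerole", "sts:*", "*"}:
            yield stmt

def trust_allows_self(trust_policy, role_arn):
    """True if the trust policy names the role itself as an AWS principal."""
    for stmt in _allow_assume_statements(trust_policy):
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if role_arn in aws:
            return True
    return False

def role_policy_allows_self(role_policy, role_arn):
    """True if the role's permission policy allows sts:AssumeRole on itself."""
    for stmt in _allow_assume_statements(role_policy):
        resources = _as_list(stmt.get("Resource"))
        if role_arn in resources or "*" in resources:
            return True
    return False

def self_assume_status(trust_policy, role_policy, role_arn):
    """Report each half separately so a missing statement is easy to locate."""
    trust = trust_allows_self(trust_policy, role_arn)
    identity = role_policy_allows_self(role_policy, role_arn)
    return {"trust_policy": trust, "role_policy": identity, "ready": trust and identity}

if __name__ == "__main__":
    print(self_assume_status(SAMPLE_TRUST, SAMPLE_ROLE_POLICY, ROLE_ARN))
```
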