
Service is unable to assume a role error - AWS Glue cloudformation creation with JDBC target

Resources:
  GlueCrawlerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - glue.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /service-role/
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole'
      Policies:
        - PolicyName: GlueAccess
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: kmsKeyAccess
                Effect: Allow
                Action:
                 - 'kms:Encrypt'
                 - 'kms:Decrypt'
                 - 'kms:ReEncrypt*'
                 - 'kms:GenerateDataKey*'
                 - 'kms:DescribeKey'
                Resource: !Ref KmsKeyArn
              - Sid: logKmsKey
                Effect: Allow
                Action:
                 - 'logs:AssociateKmsKey'
                Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws-glue/:*'


  GlueCrawler:
    Type: 'AWS::Glue::Crawler'
    Properties:
      Name: !Sub '${AWS::StackName}'
      Role: !GetAtt GlueCrawlerRole.Arn
      DatabaseName: !Sub '${AWS::StackName}-database'
      Targets:
        S3Targets:
          - Path: !Ref MyS3Bucket
        JdbcTargets:
          - ConnectionName: "XXXXXXX"
            Path: "ABCD/%"
      # DatabaseName: "rds-xxxxx-abcd01-private-db"  # duplicate of DatabaseName above; a mapping may declare the key only once
      SchemaChangePolicy:
        UpdateBehavior: "UPDATE_IN_DATABASE"
        DeleteBehavior: "DEPRECATE_IN_DATABASE"
      TablePrefix: "aurora_rds_"

Service is unable to assume role arn:aws:iam::xxxxxxxxxx:role/cua-enterprise-data-hub-dev-test-g-GlueCrawlerRole-1FB4KV7YGL1QB. Please verify role's TrustPolicy (Service: AWSGlue; Status Code: 400; Error Code: InvalidInputException; Request ID: bb1b60a5-3301-40de-81bf-ea78018cffa9)

Your resources are incorrect. Instead of

Resource: 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws-glue/:*'
Resource: 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:*'

there should be (missing !Sub):

Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws-glue/:*'
Resource: !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:*'

Summary

  • Add dependency to the resource and the role.
  • The resource should depend on the role.

Background

  • I had a similar problem. This is my error message in the CloudFormation.
    Service is unable to assume role arn:aws:iam::123412341234:role/ETL-ROLE-GLUE. Please verify role's TrustPolicy (Service: AWSGlue; Status Code: 400; Error Code: InvalidInputException; Request ID: 60245469-592f-4f41-9b91-1dc786a72e47; Proxy: null)
  • I realized that the role may not be created when the crawler is made. So, this is the CDK code change I made.

private createCrawlersAppFlow() {
  // < snip >
  const crawlerSet = this.createCrawler({
    roleName: this.roleGlue.name,  // <=== Note that we are using the role's name only
    // < snip >
    prefix: this.prefix,
  });
  crawlerSet.crawler.node.addDependency(this.roleGlue.role);  // <=== added to force resource creation dependency
  return crawlerSet;
}
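Both answers describe template mistakes that only surface at deploy time. As an added example (not code from the thread), this Python linter checks a CloudFormation template in JSON form for the three points raised above: `${AWS::...}` strings not wrapped in `Fn::Sub`, a crawler whose `Role` is a bare string with no `DependsOn` (CloudFormation derives no ordering from a plain name, which is what the CDK fix works around), and a role whose trust policy does not let `glue.amazonaws.com` call `sts:AssumeRole`. The template dicts it is fed are constructed for illustration.

```python
# Added example: lint a CloudFormation template (JSON form) for the Glue crawler role pitfalls above.
GLUE_SERVICE = "glue.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _strings(node, path=""):
    """Yield (path, text) for every string leaf in the template."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _strings(val, f"{path}/{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _strings(val, f"{path}/{i}")
    elif isinstance(node, str):
        yield path, node

def trust_policy_allows(role, service):
    """True if the role's AssumeRolePolicyDocument lets `service` call sts:AssumeRole."""
    doc = role.get("Properties", {}).get("AssumeRolePolicyDocument", {})
    for stmt in _as_list(doc.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and service in services
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))):
            return True
    return False

def lint(template):
    findings, resources = [], template.get("Resources", {})
    # 1. "${AWS::Region}" stays literal text unless wrapped in Fn::Sub (first answer's point).
    for path, text in _strings(resources):
        if "${AWS::" in text and "/Fn::Sub" not in path:
            findings.append(f"{path}: '${{AWS::...}}' is not substituted without Fn::Sub")
    for name, res in resources.items():
        if res.get("Type") != "AWS::Glue::Crawler":
            continue
        role_ref, target = res.get("Properties", {}).get("Role"), None
        if isinstance(role_ref, dict):  # Ref / Fn::GetAtt give an implicit dependency on the role
            ga = role_ref.get("Fn::GetAtt")
            target = role_ref.get("Ref") or (ga[0] if isinstance(ga, list) else ga and ga.split(".")[0])
        else:  # bare name/ARN string: CloudFormation sees no dependency (second answer's point)
            deps = [d for d in _as_list(res.get("DependsOn", [])) if resources.get(d, {}).get("Type") == "AWS::IAM::Role"]
            if not deps:
                findings.append(f"{name}: Role is a plain string; add DependsOn for the IAM role")
            target = deps[0] if deps else None
        # 2. With the role resolved, confirm its trust policy actually names the Glue service.
        if target in resources and not trust_policy_allows(resources[target], GLUE_SERVICE):
            findings.append(f"{target}: trust policy does not let {GLUE_SERVICE} call sts:AssumeRole")
    return findings
```

An empty list from `lint` means the template avoids all three pitfalls; each finding names the offending path or logical id.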
