Resources:
  GlueCrawlerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - glue.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /service-role/
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole'
      Policies:
        - PolicyName: GlueAccess
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: kmsKeyAccess
                Effect: Allow
                Action:
                  - 'kms:Encrypt'
                  - 'kms:Decrypt'
                  - 'kms:ReEncrypt*'
                  - 'kms:GenerateDataKey*'
                  - 'kms:DescribeKey'
                Resource: !Ref KmsKeyArn
              - Sid: logKmsKey
                Effect: Allow
                Action:
                  - 'logs:AssociateKmsKey'
                Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws-glue/:*'
  GlueCrawler:
    Type: 'AWS::Glue::Crawler'
    Properties:
      Name: !Sub '${AWS::StackName}'
      Role: !GetAtt GlueCrawlerRole.Arn
      DatabaseName: !Sub '${AWS::StackName}-database'
      Targets:
        S3Targets:
          - Path: !Ref MyS3Bucket
        JdbcTargets:
          -
            ConnectionName: "XXXXXXX"
            Path: "ABCD/%"
            DatabaseName: "rds-xxxxx-abcd01-private-db"
      SchemaChangePolicy:
        UpdateBehavior: "UPDATE_IN_DATABASE"
        DeleteBehavior: "DEPRECATE_IN_DATABASE"
      TablePrefix: "aurora_rds_"
Service is unable to assume role arn:aws:iam::xxxxxxxxxx:role/cua-enterprise-data-hub-dev-test-g-GlueCrawlerRole-1FB4KV7YGL1QB. Please verify role's TrustPolicy (Service: AWSGlue; Status Code: 400; Error Code: InvalidInputException; Request ID: bb1b60a5-3301-40de-81bf-ea78018cffa9)
Your resources are incorrect. Instead of
  Resource: 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws-glue/:*'
  Resource: 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:*'
there should be (missing !Sub):
  Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws-glue/:*'
  Resource: !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:*'
Service is unable to assume role arn:aws:iam::123412341234:role/ETL-ROLE-GLUE. Please verify role's TrustPolicy (Service: AWSGlue; Status Code: 400; Error Code: InvalidInputException; Request ID: 60245469-592f-4f41-9b91-1dc786a72e47; Proxy: null)
private createCrawlersAppFlow() {
  // < snip >
  const crawlerSet = this.createCrawler({
    roleName: this.roleGlue.name, // <=== Note that we are using the role's name only
    // < snip >
    prefix: this.prefix,
  });
  crawlerSet.crawler.node.addDependency(this.roleGlue.role); // <=== added in to force resource creation dependency
  return crawlerSet;
}
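As an added example (not part of the original posts and not the posters' code), the following Python lint checks a CloudFormation template in JSON/dict form for the three points this thread touches: the Glue trust policy named in the error, a literal ${...} that is missing !Sub, and a crawler with no dependency on its role. The function names, logical IDs and the SAMPLE template are constructed for illustration.

```python
# Added example; function names and SAMPLE are constructed, not from the thread.
def as_list(v):
    return v if isinstance(v, list) else [v]

def trusts_glue(role):  # does the trust policy let Glue call sts:AssumeRole?
    doc = role["Properties"].get("AssumeRolePolicyDocument", {})
    for st in as_list(doc.get("Statement", [])):
        principal = st.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") == "Allow" and "glue.amazonaws.com" in services
                and "sts:AssumeRole" in as_list(st.get("Action", []))):
            return True
    return False

def unsubstituted(node, in_sub=False):  # ${...} literals not wrapped in Fn::Sub
    if isinstance(node, str):
        return [node] if "${" in node and not in_sub else []
    if isinstance(node, dict):
        return [s for k, v in node.items() for s in unsubstituted(v, in_sub or k == "Fn::Sub")]
    if isinstance(node, list):
        return [s for v in node for s in unsubstituted(v, in_sub)]
    return []

def references(node, logical_id):  # Ref / Fn::GetAtt gives an implicit dependency
    if isinstance(node, dict):
        ga = node.get("Fn::GetAtt", [None])
        target = ga.split(".")[0] if isinstance(ga, str) else ga[0]
        if logical_id in (node.get("Ref"), target):
            return True
        node = list(node.values())
    return isinstance(node, list) and any(references(v, logical_id) for v in node)

def lint(template, role_id, crawler_id):
    role, crawler = template["Resources"][role_id], template["Resources"][crawler_id]
    findings = [] if trusts_glue(role) else ["trust policy does not allow glue.amazonaws.com"]
    findings += ["missing Fn::Sub: " + s for s in unsubstituted(role)]
    if not (references(crawler.get("Properties", {}), role_id)
            or role_id in as_list(crawler.get("DependsOn", []))):
        findings.append("crawler does not depend on the role")
    return findings

SAMPLE = {"Resources": {  # constructed: literal ${...}, role passed by name only
    "Role": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
            "Principal": {"Service": ["glue.amazonaws.com"]}, "Action": ["sts:AssumeRole"]}]},
        "Policies": [{"PolicyName": "GlueAccess", "PolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": ["logs:AssociateKmsKey"],
            "Resource": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws-glue/:*"}]}}]}},
    "Crawler": {"Type": "AWS::Glue::Crawler", "Properties": {"Role": "ETL-ROLE-GLUE"}}}}
```

IAM policy variables such as ${aws:username} are legitimate literals and will also be reported, so treat the Fn::Sub findings as items to review.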