I'm trying to create an AWS Glue Role so the service runs properly. I want to use the AWS managed policy AWSGlueServiceRole using the following code:
import json
from pulumi_aws import iam
from pulumi_aws.iam import Role


def get_access_bucket_role(role_name: str, bucket_name: str, tags) -> Role:
    # Trust policy: only the Glue service may assume this role
    assume_role_policy = json.dumps(
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {"Service": ["glue.amazonaws.com"]},
                    "Action": "sts:AssumeRole",
                }
            ],
        }
    )
    iam.get_policy  # stray expression, has no effect
    return iam.Role(
        role_name,
        assume_role_policy=assume_role_policy,
        # this call is where the error below is raised
        inline_policies=iam.get_policy(arn="arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"),
        path="/my-path/",
        permissions_boundary="arn:aws:iam::XXX:policy/my-boundary",
        tags=tags,
    )
However, I'm getting the following error when the code tries to call the iam.get_policy() function:
AttributeError: 'NoneType' object has no attribute 'Invoke'
Am I missing something? How to create this policy properly?
You can't attach a managed policy as an inline policy. Also, inline_policies is expecting only a name and a JSON-formatted policy:
https://www.pulumi.com/registry/packages/aws/api-docs/iam/role/#supporting-types

get_policy is returning a Pulumi object with a number of other properties:
https://www.pulumi.com/registry/packages/aws/api-docs/iam/getpolicy/#result

The path of least resistance here is to attach AWSGlueServiceRole to your role as a managed policy, e.g.:
import pulumi_aws as aws

# Attach the AWS managed policy to the role by ARN instead of passing it to inline_policies
aws.iam.RolePolicyAttachment("PolicyAttachment",
    role=YourRole.name,
    policy_arn="arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole",
)