Docs
PackagesDatabricks v1.23.0 published on Wednesday, Sep 20, 2023 by Pulumi
databricks.getAwsAssumeRolePolicy
Explore with Pulumi AI
This data source constructs necessary AWS STS assume role policy for you.
Related Resources
The following resources are used in the same context:
- Provisioning AWS Databricks E2 with a Hub & Spoke firewall for data exfiltration protection guide
- databricks.getAwsBucketPolicy data to configure a simple access policy for AWS S3 buckets, so that Databricks can access data in it.
- databricks.getAwsCrossAccountPolicy data to construct the necessary AWS cross-account policy for you, which is based on official documentation.
Example Usage
End-to-end example of provisioning Cross-account IAM role with databricks_
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var config = new Config();
var databricksAccountId = config.RequireObject<dynamic>("databricksAccountId");
var thisAwsCrossAccountPolicy = Databricks.GetAwsCrossAccountPolicy.Invoke();
var crossAccountPolicy = new Aws.Iam.Policy("crossAccountPolicy", new()
{
PolicyDocument = thisAwsCrossAccountPolicy.Apply(getAwsCrossAccountPolicyResult => getAwsCrossAccountPolicyResult.Json),
});
var thisAwsAssumeRolePolicy = Databricks.GetAwsAssumeRolePolicy.Invoke(new()
{
ExternalId = databricksAccountId,
});
var crossAccountRole = new Aws.Iam.Role("crossAccountRole", new()
{
AssumeRolePolicy = thisAwsAssumeRolePolicy.Apply(getAwsAssumeRolePolicyResult => getAwsAssumeRolePolicyResult.Json),
Description = "Grants Databricks full access to VPC resources",
});
var crossAccountRolePolicyAttachment = new Aws.Iam.RolePolicyAttachment("crossAccountRolePolicyAttachment", new()
{
PolicyArn = crossAccountPolicy.Arn,
Role = crossAccountRole.Name,
});
// required only in case of multi-workspace setup
var thisMwsCredentials = new Databricks.MwsCredentials("thisMwsCredentials", new()
{
AccountId = databricksAccountId,
CredentialsName = $"{@var.Prefix}-creds",
RoleArn = crossAccountRole.Arn,
}, new CustomResourceOptions
{
Provider = databricks.Mws,
});
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
cfg := config.New(ctx, "")
databricksAccountId := cfg.RequireObject("databricksAccountId")
thisAwsCrossAccountPolicy, err := databricks.GetAwsCrossAccountPolicy(ctx, nil, nil)
if err != nil {
return err
}
crossAccountPolicy, err := iam.NewPolicy(ctx, "crossAccountPolicy", &iam.PolicyArgs{
Policy: *pulumi.String(thisAwsCrossAccountPolicy.Json),
})
if err != nil {
return err
}
thisAwsAssumeRolePolicy, err := databricks.GetAwsAssumeRolePolicy(ctx, &databricks.GetAwsAssumeRolePolicyArgs{
ExternalId: databricksAccountId,
}, nil)
if err != nil {
return err
}
crossAccountRole, err := iam.NewRole(ctx, "crossAccountRole", &iam.RoleArgs{
AssumeRolePolicy: *pulumi.String(thisAwsAssumeRolePolicy.Json),
Description: pulumi.String("Grants Databricks full access to VPC resources"),
})
if err != nil {
return err
}
_, err = iam.NewRolePolicyAttachment(ctx, "crossAccountRolePolicyAttachment", &iam.RolePolicyAttachmentArgs{
PolicyArn: crossAccountPolicy.Arn,
Role: crossAccountRole.Name,
})
if err != nil {
return err
}
_, err = databricks.NewMwsCredentials(ctx, "thisMwsCredentials", &databricks.MwsCredentialsArgs{
AccountId: pulumi.Any(databricksAccountId),
CredentialsName: pulumi.String(fmt.Sprintf("%v-creds", _var.Prefix)),
RoleArn: crossAccountRole.Arn,
}, pulumi.Provider(databricks.Mws))
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetAwsCrossAccountPolicyArgs;
import com.pulumi.aws.iam.Policy;
import com.pulumi.aws.iam.PolicyArgs;
import com.pulumi.databricks.inputs.GetAwsAssumeRolePolicyArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.RolePolicyAttachment;
import com.pulumi.aws.iam.RolePolicyAttachmentArgs;
import com.pulumi.databricks.MwsCredentials;
import com.pulumi.databricks.MwsCredentialsArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var config = ctx.config();
final var databricksAccountId = config.get("databricksAccountId");
final var thisAwsCrossAccountPolicy = DatabricksFunctions.getAwsCrossAccountPolicy();
var crossAccountPolicy = new Policy("crossAccountPolicy", PolicyArgs.builder()
.policy(thisAwsCrossAccountPolicy.applyValue(getAwsCrossAccountPolicyResult -> getAwsCrossAccountPolicyResult.json()))
.build());
final var thisAwsAssumeRolePolicy = DatabricksFunctions.getAwsAssumeRolePolicy(GetAwsAssumeRolePolicyArgs.builder()
.externalId(databricksAccountId)
.build());
var crossAccountRole = new Role("crossAccountRole", RoleArgs.builder()
.assumeRolePolicy(thisAwsAssumeRolePolicy.applyValue(getAwsAssumeRolePolicyResult -> getAwsAssumeRolePolicyResult.json()))
.description("Grants Databricks full access to VPC resources")
.build());
var crossAccountRolePolicyAttachment = new RolePolicyAttachment("crossAccountRolePolicyAttachment", RolePolicyAttachmentArgs.builder()
.policyArn(crossAccountPolicy.arn())
.role(crossAccountRole.name())
.build());
var thisMwsCredentials = new MwsCredentials("thisMwsCredentials", MwsCredentialsArgs.builder()
.accountId(databricksAccountId)
.credentialsName(String.format("%s-creds", var_.prefix()))
.roleArn(crossAccountRole.arn())
.build(), CustomResourceOptions.builder()
.provider(databricks.mws())
.build());
}
}
import pulumi
import pulumi_aws as aws
import pulumi_databricks as databricks
config = pulumi.Config()
databricks_account_id = config.require_object("databricksAccountId")
this_aws_cross_account_policy = databricks.get_aws_cross_account_policy()
cross_account_policy = aws.iam.Policy("crossAccountPolicy", policy=this_aws_cross_account_policy.json)
this_aws_assume_role_policy = databricks.get_aws_assume_role_policy(external_id=databricks_account_id)
cross_account_role = aws.iam.Role("crossAccountRole",
assume_role_policy=this_aws_assume_role_policy.json,
description="Grants Databricks full access to VPC resources")
cross_account_role_policy_attachment = aws.iam.RolePolicyAttachment("crossAccountRolePolicyAttachment",
policy_arn=cross_account_policy.arn,
role=cross_account_role.name)
# required only in case of multi-workspace setup
this_mws_credentials = databricks.MwsCredentials("thisMwsCredentials",
account_id=databricks_account_id,
credentials_name=f"{var['prefix']}-creds",
role_arn=cross_account_role.arn,
opts=pulumi.ResourceOptions(provider=databricks["mws"]))
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as databricks from "@pulumi/databricks";
const config = new pulumi.Config();
const databricksAccountId = config.requireObject("databricksAccountId");
const thisAwsCrossAccountPolicy = databricks.getAwsCrossAccountPolicy({});
const crossAccountPolicy = new aws.iam.Policy("crossAccountPolicy", {policy: thisAwsCrossAccountPolicy.then(thisAwsCrossAccountPolicy => thisAwsCrossAccountPolicy.json)});
const thisAwsAssumeRolePolicy = databricks.getAwsAssumeRolePolicy({
externalId: databricksAccountId,
});
const crossAccountRole = new aws.iam.Role("crossAccountRole", {
assumeRolePolicy: thisAwsAssumeRolePolicy.then(thisAwsAssumeRolePolicy => thisAwsAssumeRolePolicy.json),
description: "Grants Databricks full access to VPC resources",
});
const crossAccountRolePolicyAttachment = new aws.iam.RolePolicyAttachment("crossAccountRolePolicyAttachment", {
policyArn: crossAccountPolicy.arn,
role: crossAccountRole.name,
});
// required only in case of multi-workspace setup
const thisMwsCredentials = new databricks.MwsCredentials("thisMwsCredentials", {
accountId: databricksAccountId,
credentialsName: `${_var.prefix}-creds`,
roleArn: crossAccountRole.arn,
}, {
provider: databricks.mws,
});
configuration:
databricksAccountId:
type: dynamic
resources:
crossAccountPolicy:
type: aws:iam:Policy
properties:
policy: ${thisAwsCrossAccountPolicy.json}
crossAccountRole:
type: aws:iam:Role
properties:
assumeRolePolicy: ${thisAwsAssumeRolePolicy.json}
description: Grants Databricks full access to VPC resources
crossAccountRolePolicyAttachment:
type: aws:iam:RolePolicyAttachment
properties:
policyArn: ${crossAccountPolicy.arn}
role: ${crossAccountRole.name}
# required only in case of multi-workspace setup
thisMwsCredentials:
type: databricks:MwsCredentials
properties:
accountId: ${databricksAccountId}
credentialsName: ${var.prefix}-creds
roleArn: ${crossAccountRole.arn}
options:
provider: ${databricks.mws}
variables:
thisAwsCrossAccountPolicy:
fn::invoke:
Function: databricks:getAwsCrossAccountPolicy
Arguments: {}
thisAwsAssumeRolePolicy:
fn::invoke:
Function: databricks:getAwsAssumeRolePolicy
Arguments:
externalId: ${databricksAccountId}
Using getAwsAssumeRolePolicy
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getAwsAssumeRolePolicy(args: GetAwsAssumeRolePolicyArgs, opts?: InvokeOptions): Promise<GetAwsAssumeRolePolicyResult>
function getAwsAssumeRolePolicyOutput(args: GetAwsAssumeRolePolicyOutputArgs, opts?: InvokeOptions): Output<GetAwsAssumeRolePolicyResult>def get_aws_assume_role_policy(databricks_account_id: Optional[str] = None,
external_id: Optional[str] = None,
for_log_delivery: Optional[bool] = None,
opts: Optional[InvokeOptions] = None) -> GetAwsAssumeRolePolicyResult
def get_aws_assume_role_policy_output(databricks_account_id: Optional[pulumi.Input[str]] = None,
external_id: Optional[pulumi.Input[str]] = None,
for_log_delivery: Optional[pulumi.Input[bool]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetAwsAssumeRolePolicyResult]func GetAwsAssumeRolePolicy(ctx *Context, args *GetAwsAssumeRolePolicyArgs, opts ...InvokeOption) (*GetAwsAssumeRolePolicyResult, error)
func GetAwsAssumeRolePolicyOutput(ctx *Context, args *GetAwsAssumeRolePolicyOutputArgs, opts ...InvokeOption) GetAwsAssumeRolePolicyResultOutput> Note: This function is named GetAwsAssumeRolePolicy in the Go SDK.
public static class GetAwsAssumeRolePolicy
{
public static Task<GetAwsAssumeRolePolicyResult> InvokeAsync(GetAwsAssumeRolePolicyArgs args, InvokeOptions? opts = null)
public static Output<GetAwsAssumeRolePolicyResult> Invoke(GetAwsAssumeRolePolicyInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetAwsAssumeRolePolicyResult> getAwsAssumeRolePolicy(GetAwsAssumeRolePolicyArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
function: databricks:index/getAwsAssumeRolePolicy:getAwsAssumeRolePolicy
arguments:
# arguments dictionaryThe following arguments are supported:
- External
Id string Account Id that could be found in the bottom left corner of Accounts Console.
- Databricks
Account stringId - For
Log boolDelivery Either or not this assume role policy should be created for usage log delivery. Defaults to false.
- External
Id string Account Id that could be found in the bottom left corner of Accounts Console.
- Databricks
Account stringId - For
Log boolDelivery Either or not this assume role policy should be created for usage log delivery. Defaults to false.
- external
Id String Account Id that could be found in the bottom left corner of Accounts Console.
- databricks
Account StringId - for
Log BooleanDelivery Either or not this assume role policy should be created for usage log delivery. Defaults to false.
- external
Id string Account Id that could be found in the bottom left corner of Accounts Console.
- databricks
Account stringId - for
Log booleanDelivery Either or not this assume role policy should be created for usage log delivery. Defaults to false.
- external_
id str Account Id that could be found in the bottom left corner of Accounts Console.
- databricks_
account_ strid - for_
log_ booldelivery Either or not this assume role policy should be created for usage log delivery. Defaults to false.
- external
Id String Account Id that could be found in the bottom left corner of Accounts Console.
- databricks
Account StringId - for
Log BooleanDelivery Either or not this assume role policy should be created for usage log delivery. Defaults to false.
getAwsAssumeRolePolicy Result
The following output properties are available:
- External
Id string - Id string
The provider-assigned unique ID for this managed resource.
- Json string
AWS IAM Policy JSON document
- Databricks
Account stringId - For
Log boolDelivery
- External
Id string - Id string
The provider-assigned unique ID for this managed resource.
- Json string
AWS IAM Policy JSON document
- Databricks
Account stringId - For
Log boolDelivery
- external
Id String - id String
The provider-assigned unique ID for this managed resource.
- json String
AWS IAM Policy JSON document
- databricks
Account StringId - for
Log BooleanDelivery
- external
Id string - id string
The provider-assigned unique ID for this managed resource.
- json string
AWS IAM Policy JSON document
- databricks
Account stringId - for
Log booleanDelivery
- external_
id str - id str
The provider-assigned unique ID for this managed resource.
- json str
AWS IAM Policy JSON document
- databricks_
account_ strid - for_
log_ booldelivery
- external
Id String - id String
The provider-assigned unique ID for this managed resource.
- json String
AWS IAM Policy JSON document
- databricks
Account StringId - for
Log BooleanDelivery
Package Details
- Repository
- databricks pulumi/pulumi-databricks
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
databricksTerraform Provider.