databricks.getAwsAssumeRolePolicy
This data source constructs the necessary AWS STS assume-role policy (the trust policy of the cross-account IAM role) for you.
Related Resources
The following resources are used in the same context:
- Provisioning AWS Databricks E2 with a Hub & Spoke firewall for data exfiltration protection guide
- databricks.getAwsBucketPolicy data source to configure a simple access policy for AWS S3 buckets, so that Databricks can access data in them.
- databricks.getAwsCrossAccountPolicy data source to construct the necessary AWS cross-account policy for you, which is based on official documentation.
Example Usage
End-to-end example of provisioning a cross-account IAM role together with the databricks.MwsCredentials resource:
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
    var config = new Config();
    // The Databricks account id is reused below as the external id of the role's trust policy.
    var databricksAccountId = config.RequireObject<dynamic>("databricksAccountId");

    // Permissions policy: the cross-account policy document is generated by the provider.
    var crossAccountPolicyJson = Databricks.GetAwsCrossAccountPolicy.Invoke()
        .Apply(result => result.Json);
    var crossAccountPolicy = new Aws.Iam.Policy("crossAccountPolicy", new Aws.Iam.PolicyArgs
    {
        PolicyDocument = crossAccountPolicyJson,
    });

    // Trust policy: the generated assume-role document is parameterised by the external id,
    // which scopes the trust relationship to this account id (presumably via an
    // sts:ExternalId condition — inspect the generated JSON to confirm).
    var assumeRolePolicyJson = Databricks.GetAwsAssumeRolePolicy.Invoke(new Databricks.GetAwsAssumeRolePolicyInvokeArgs
    {
        ExternalId = databricksAccountId,
    }).Apply(result => result.Json);
    var crossAccountRole = new Aws.Iam.Role("crossAccountRole", new Aws.Iam.RoleArgs
    {
        AssumeRolePolicy = assumeRolePolicyJson,
        Description = "Grants Databricks full access to VPC resources",
    });

    // Bind the permissions policy to the role.
    var crossAccountRolePolicyAttachment = new Aws.Iam.RolePolicyAttachment("crossAccountRolePolicyAttachment", new Aws.Iam.RolePolicyAttachmentArgs
    {
        PolicyArn = crossAccountPolicy.Arn,
        Role = crossAccountRole.Name,
    });

    // required only in case of multi-workspace setup: registers the role ARN with the
    // Databricks account. NOTE: @var.Prefix and databricks.Mws are not defined in this snippet.
    var thisMwsCredentials = new Databricks.MwsCredentials("thisMwsCredentials", new Databricks.MwsCredentialsArgs
    {
        AccountId = databricksAccountId,
        CredentialsName = $"{@var.Prefix}-creds",
        RoleArn = crossAccountRole.Arn,
    }, new CustomResourceOptions
    {
        Provider = databricks.Mws,
    });
});
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
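// main declares a cross-account IAM role that Databricks can assume, the permissions
// policy attached to it, and (for multi-workspace setups) the registration of that
// role with the Databricks account.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		cfg := config.New(ctx, "")
		// config.RequireObject deserialises into an out-parameter and returns nothing,
		// so the original `id := cfg.RequireObject(...)` did not compile; Require returns
		// the string directly. The id is reused as the external id of the trust policy.
		databricksAccountId := cfg.Require("databricksAccountId")

		// Permissions policy: document generated by the provider.
		thisAwsCrossAccountPolicy, err := databricks.GetAwsCrossAccountPolicy(ctx, nil, nil)
		if err != nil {
			return err
		}
		// pulumi.String is a type conversion, not a pointer-returning function, so the
		// original `*pulumi.String(...)` was an invalid indirect.
		crossAccountPolicy, err := iam.NewPolicy(ctx, "crossAccountPolicy", &iam.PolicyArgs{
			Policy: pulumi.String(thisAwsCrossAccountPolicy.Json),
		})
		if err != nil {
			return err
		}

		// Trust policy: the generated assume-role document is parameterised by the
		// external id, which scopes the trust relationship to this account id
		// (presumably via an sts:ExternalId condition — inspect the JSON to confirm).
		thisAwsAssumeRolePolicy, err := databricks.GetAwsAssumeRolePolicy(ctx, &databricks.GetAwsAssumeRolePolicyArgs{
			ExternalId: databricksAccountId,
		}, nil)
		if err != nil {
			return err
		}
		crossAccountRole, err := iam.NewRole(ctx, "crossAccountRole", &iam.RoleArgs{
			AssumeRolePolicy: pulumi.String(thisAwsAssumeRolePolicy.Json),
			Description:      pulumi.String("Grants Databricks full access to VPC resources"),
		})
		if err != nil {
			return err
		}

		// Bind the permissions policy to the role.
		_, err = iam.NewRolePolicyAttachment(ctx, "crossAccountRolePolicyAttachment", &iam.RolePolicyAttachmentArgs{
			PolicyArn: crossAccountPolicy.Arn,
			Role:      crossAccountRole.Name,
		})
		if err != nil {
			return err
		}

		// required only in case of multi-workspace setup: registers the role ARN with
		// the Databricks account. NOTE: _var.Prefix and databricks.Mws are not defined
		// in this snippet.
		_, err = databricks.NewMwsCredentials(ctx, "thisMwsCredentials", &databricks.MwsCredentialsArgs{
			AccountId:       pulumi.String(databricksAccountId),
			CredentialsName: pulumi.String(fmt.Sprintf("%v-creds", _var.Prefix)),
			RoleArn:         crossAccountRole.Arn,
		}, pulumi.Provider(databricks.Mws))
		if err != nil {
			return err
		}
		return nil
	})
}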
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetAwsCrossAccountPolicyArgs;
import com.pulumi.aws.iam.Policy;
import com.pulumi.aws.iam.PolicyArgs;
import com.pulumi.databricks.inputs.GetAwsAssumeRolePolicyArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.RolePolicyAttachment;
import com.pulumi.aws.iam.RolePolicyAttachmentArgs;
import com.pulumi.databricks.MwsCredentials;
import com.pulumi.databricks.MwsCredentialsArgs;
import com.pulumi.resources.CustomResourceOptions;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a cross-account IAM role that Databricks can assume, the permissions
     * policy attached to it, and (for multi-workspace setups) the registration of
     * that role with the Databricks account.
     *
     * @param ctx the Pulumi program context (configuration and resource registration)
     */
    public static void stack(Context ctx) {
        final var config = ctx.config();
        // The account id is reused below as the external id of the role's trust policy.
        final var databricksAccountId = config.get("databricksAccountId");

        // Permissions policy: document generated by the provider.
        final var crossAccountPolicyJson = DatabricksFunctions.getAwsCrossAccountPolicy()
            .applyValue(result -> result.json());
        final var crossAccountPolicy = new Policy("crossAccountPolicy",
            PolicyArgs.builder().policy(crossAccountPolicyJson).build());

        // Trust policy: the generated assume-role document is parameterised by the
        // external id, which scopes the trust relationship to this account id
        // (presumably via an sts:ExternalId condition — inspect the JSON to confirm).
        final var assumeRoleArgs = GetAwsAssumeRolePolicyArgs.builder()
            .externalId(databricksAccountId)
            .build();
        final var assumeRolePolicyJson = DatabricksFunctions.getAwsAssumeRolePolicy(assumeRoleArgs)
            .applyValue(result -> result.json());
        final var crossAccountRole = new Role("crossAccountRole",
            RoleArgs.builder()
                .assumeRolePolicy(assumeRolePolicyJson)
                .description("Grants Databricks full access to VPC resources")
                .build());

        // Bind the permissions policy to the role.
        final var crossAccountRolePolicyAttachment = new RolePolicyAttachment("crossAccountRolePolicyAttachment",
            RolePolicyAttachmentArgs.builder()
                .policyArn(crossAccountPolicy.arn())
                .role(crossAccountRole.name())
                .build());

        // Required only in a multi-workspace setup: registers the role ARN with the
        // Databricks account. NOTE: var_ and databricks are not defined in this snippet.
        final var credentialsOptions = CustomResourceOptions.builder()
            .provider(databricks.mws())
            .build();
        final var thisMwsCredentials = new MwsCredentials("thisMwsCredentials",
            MwsCredentialsArgs.builder()
                .accountId(databricksAccountId)
                .credentialsName(String.format("%s-creds", var_.prefix()))
                .roleArn(crossAccountRole.arn())
                .build(),
            credentialsOptions);
    }
}
import pulumi
import pulumi_aws as aws
import pulumi_databricks as databricks
# Stack: a cross-account IAM role that Databricks can assume, its permissions policy,
# and (for multi-workspace setups) registration of the role with the Databricks account.
config = pulumi.Config()
# The account id is reused below as the external id of the role's trust policy.
databricks_account_id = config.require_object("databricksAccountId")

# Permissions policy: document generated by the provider.
this_aws_cross_account_policy = databricks.get_aws_cross_account_policy()
cross_account_policy = aws.iam.Policy(
    "crossAccountPolicy",
    policy=this_aws_cross_account_policy.json,
)

# Trust policy: the generated assume-role document is parameterised by the external id,
# which scopes the trust relationship to this account id (presumably via an
# sts:ExternalId condition — inspect the generated JSON to confirm).
this_aws_assume_role_policy = databricks.get_aws_assume_role_policy(
    external_id=databricks_account_id,
)
cross_account_role = aws.iam.Role(
    "crossAccountRole",
    assume_role_policy=this_aws_assume_role_policy.json,
    description="Grants Databricks full access to VPC resources",
)

# Bind the permissions policy to the role.
cross_account_role_policy_attachment = aws.iam.RolePolicyAttachment(
    "crossAccountRolePolicyAttachment",
    policy_arn=cross_account_policy.arn,
    role=cross_account_role.name,
)

# required only in case of multi-workspace setup: registers the role ARN with the
# Databricks account. NOTE: `var` and the `databricks["mws"]` provider are not
# defined in this snippet.
this_mws_credentials = databricks.MwsCredentials(
    "thisMwsCredentials",
    account_id=databricks_account_id,
    credentials_name=f"{var['prefix']}-creds",
    role_arn=cross_account_role.arn,
    opts=pulumi.ResourceOptions(provider=databricks["mws"]),
)
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as databricks from "@pulumi/databricks";
// Stack: a cross-account IAM role that Databricks can assume, its permissions policy,
// and (for multi-workspace setups) registration of the role with the Databricks account.
const config = new pulumi.Config();
// The account id is reused below as the external id of the role's trust policy.
const databricksAccountId = config.requireObject("databricksAccountId");

// Permissions policy: document generated by the provider.
const thisAwsCrossAccountPolicy = databricks.getAwsCrossAccountPolicy({});
const crossAccountPolicyJson = thisAwsCrossAccountPolicy.then(result => result.json);
const crossAccountPolicy = new aws.iam.Policy("crossAccountPolicy", {
    policy: crossAccountPolicyJson,
});

// Trust policy: the generated assume-role document is parameterised by the external id,
// which scopes the trust relationship to this account id (presumably via an
// sts:ExternalId condition — inspect the generated JSON to confirm).
const thisAwsAssumeRolePolicy = databricks.getAwsAssumeRolePolicy({ externalId: databricksAccountId });
const assumeRolePolicyJson = thisAwsAssumeRolePolicy.then(result => result.json);
const crossAccountRole = new aws.iam.Role("crossAccountRole", {
    assumeRolePolicy: assumeRolePolicyJson,
    description: "Grants Databricks full access to VPC resources",
});

// Bind the permissions policy to the role.
const crossAccountRolePolicyAttachment = new aws.iam.RolePolicyAttachment("crossAccountRolePolicyAttachment", {
    policyArn: crossAccountPolicy.arn,
    role: crossAccountRole.name,
});

// required only in case of multi-workspace setup: registers the role ARN with the
// Databricks account. NOTE: `_var` and `databricks.mws` are not defined in this snippet.
const mwsCredentialsOptions = { provider: databricks.mws };
const thisMwsCredentials = new databricks.MwsCredentials("thisMwsCredentials", {
    accountId: databricksAccountId,
    credentialsName: `${_var.prefix}-creds`,
    roleArn: crossAccountRole.arn,
}, mwsCredentialsOptions);
configuration:
  # Databricks account id; it is also passed as the external id of the role trust policy.
  databricksAccountId:
    type: dynamic
resources:
  # Permissions policy; the document is generated by databricks:getAwsCrossAccountPolicy.
  crossAccountPolicy:
    type: aws:iam:Policy
    properties:
      policy: ${thisAwsCrossAccountPolicy.json}
  # Role that Databricks assumes. Its trust policy is the generated assume-role document
  # parameterised by externalId (presumably an sts:ExternalId condition — confirm in the JSON).
  crossAccountRole:
    type: aws:iam:Role
    properties:
      assumeRolePolicy: ${thisAwsAssumeRolePolicy.json}
      description: Grants Databricks full access to VPC resources
  # Binds the permissions policy to the role.
  crossAccountRolePolicyAttachment:
    type: aws:iam:RolePolicyAttachment
    properties:
      policyArn: ${crossAccountPolicy.arn}
      role: ${crossAccountRole.name}
  # required only in case of multi-workspace setup
  # NOTE: ${var.prefix} and ${databricks.mws} are not declared in this snippet.
  thisMwsCredentials:
    type: databricks:MwsCredentials
    properties:
      accountId: ${databricksAccountId}
      credentialsName: ${var.prefix}-creds
      roleArn: ${crossAccountRole.arn}
    options:
      provider: ${databricks.mws}
variables:
  # Permissions policy document.
  thisAwsCrossAccountPolicy:
    fn::invoke:
      Function: databricks:getAwsCrossAccountPolicy
      Arguments: {}
  # Trust policy document, scoped by the external id.
  thisAwsAssumeRolePolicy:
    fn::invoke:
      Function: databricks:getAwsAssumeRolePolicy
      Arguments:
        externalId: ${databricksAccountId}
Using getAwsAssumeRolePolicy
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getAwsAssumeRolePolicy(args: GetAwsAssumeRolePolicyArgs, opts?: InvokeOptions): Promise<GetAwsAssumeRolePolicyResult>
function getAwsAssumeRolePolicyOutput(args: GetAwsAssumeRolePolicyOutputArgs, opts?: InvokeOptions): Output<GetAwsAssumeRolePolicyResult>
def get_aws_assume_role_policy(databricks_account_id: Optional[str] = None,
external_id: Optional[str] = None,
for_log_delivery: Optional[bool] = None,
opts: Optional[InvokeOptions] = None) -> GetAwsAssumeRolePolicyResult
def get_aws_assume_role_policy_output(databricks_account_id: Optional[pulumi.Input[str]] = None,
external_id: Optional[pulumi.Input[str]] = None,
for_log_delivery: Optional[pulumi.Input[bool]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetAwsAssumeRolePolicyResult]
func GetAwsAssumeRolePolicy(ctx *Context, args *GetAwsAssumeRolePolicyArgs, opts ...InvokeOption) (*GetAwsAssumeRolePolicyResult, error)
func GetAwsAssumeRolePolicyOutput(ctx *Context, args *GetAwsAssumeRolePolicyOutputArgs, opts ...InvokeOption) GetAwsAssumeRolePolicyResultOutput
> Note: This function is named GetAwsAssumeRolePolicy
in the Go SDK.
public static class GetAwsAssumeRolePolicy
{
public static Task<GetAwsAssumeRolePolicyResult> InvokeAsync(GetAwsAssumeRolePolicyArgs args, InvokeOptions? opts = null)
public static Output<GetAwsAssumeRolePolicyResult> Invoke(GetAwsAssumeRolePolicyInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetAwsAssumeRolePolicyResult> getAwsAssumeRolePolicy(GetAwsAssumeRolePolicyArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
function: databricks:index/getAwsAssumeRolePolicy:getAwsAssumeRolePolicy
arguments:
# arguments dictionary
The following arguments are supported:
C#:
- ExternalId (string) — Account Id that could be found in the bottom left corner of Accounts Console.
- DatabricksAccountId (string)
- ForLogDelivery (bool) — Whether or not this assume role policy should be created for usage log delivery. Defaults to false.
Go:
- ExternalId (string) — Account Id that could be found in the bottom left corner of Accounts Console.
- DatabricksAccountId (string)
- ForLogDelivery (bool) — Whether or not this assume role policy should be created for usage log delivery. Defaults to false.
Java:
- externalId (String) — Account Id that could be found in the bottom left corner of Accounts Console.
- databricksAccountId (String)
- forLogDelivery (Boolean) — Whether or not this assume role policy should be created for usage log delivery. Defaults to false.
Node.js:
- externalId (string) — Account Id that could be found in the bottom left corner of Accounts Console.
- databricksAccountId (string)
- forLogDelivery (boolean) — Whether or not this assume role policy should be created for usage log delivery. Defaults to false.
Python:
- external_id (str) — Account Id that could be found in the bottom left corner of Accounts Console.
- databricks_account_id (str)
- for_log_delivery (bool) — Whether or not this assume role policy should be created for usage log delivery. Defaults to false.
YAML:
- externalId (String) — Account Id that could be found in the bottom left corner of Accounts Console.
- databricksAccountId (String)
- forLogDelivery (Boolean) — Whether or not this assume role policy should be created for usage log delivery. Defaults to false.
getAwsAssumeRolePolicy Result
The following output properties are available:
C#:
- ExternalId (string)
- Id (string) — The provider-assigned unique ID for this managed resource.
- Json (string) — AWS IAM Policy JSON document
- DatabricksAccountId (string)
- ForLogDelivery (bool)
Go:
- ExternalId (string)
- Id (string) — The provider-assigned unique ID for this managed resource.
- Json (string) — AWS IAM Policy JSON document
- DatabricksAccountId (string)
- ForLogDelivery (bool)
Java:
- externalId (String)
- id (String) — The provider-assigned unique ID for this managed resource.
- json (String) — AWS IAM Policy JSON document
- databricksAccountId (String)
- forLogDelivery (Boolean)
Node.js:
- externalId (string)
- id (string) — The provider-assigned unique ID for this managed resource.
- json (string) — AWS IAM Policy JSON document
- databricksAccountId (string)
- forLogDelivery (boolean)
Python:
- external_id (str)
- id (str) — The provider-assigned unique ID for this managed resource.
- json (str) — AWS IAM Policy JSON document
- databricks_account_id (str)
- for_log_delivery (bool)
YAML:
- externalId (String)
- id (String) — The provider-assigned unique ID for this managed resource.
- json (String) — AWS IAM Policy JSON document
- databricksAccountId (String)
- forLogDelivery (Boolean)
Package Details
- Repository
- databricks pulumi/pulumi-databricks
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
databricks
Terraform Provider.