Docs
PackagesDatabricks v1.38.0 published on Monday, Apr 29, 2024 by Pulumi
databricks.getAwsUnityCatalogPolicy
Explore with Pulumi AI
Note This resource has an evolving API, which may change in future versions of the provider. Please always consult latest documentation in case of any questions.
This data source constructs necessary AWS Unity Catalog policy for you, which is based on official documentation.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as databricks from "@pulumi/databricks";
const this = databricks.getAwsUnityCatalogPolicy({
awsAccountId: awsAccountId,
bucketName: "databricks-bucket",
roleName: "databricks-role",
kmsName: "databricks-kms",
});
const passroleForUc = aws.iam.getPolicyDocument({
statements: [
{
effect: "Allow",
actions: ["sts:AssumeRole"],
principals: [{
identifiers: ["arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"],
type: "AWS",
}],
conditions: [{
test: "StringEquals",
variable: "sts:ExternalId",
values: [databricksAccountId],
}],
},
{
sid: "ExplicitSelfRoleAssumption",
effect: "Allow",
actions: ["sts:AssumeRole"],
principals: [{
type: "AWS",
identifiers: [`arn:aws:iam::${awsAccountId}:root`],
}],
conditions: [{
test: "ArnLike",
variable: "aws:PrincipalArn",
values: [`arn:aws:iam::${awsAccountId}:role/${prefix}-uc-access`],
}],
},
],
});
const unityMetastore = new aws.iam.Policy("unity_metastore", {
name: `${prefix}-unity-catalog-metastore-access-iam-policy`,
policy: _this.then(_this => _this.json),
});
const metastoreDataAccess = new aws.iam.Role("metastore_data_access", {
name: `${prefix}-uc-access`,
assumeRolePolicy: passroleForUc.then(passroleForUc => passroleForUc.json),
managedPolicyArns: [unityMetastore.arn],
});
import pulumi
import pulumi_aws as aws
import pulumi_databricks as databricks
this = databricks.get_aws_unity_catalog_policy(aws_account_id=aws_account_id,
bucket_name="databricks-bucket",
role_name="databricks-role",
kms_name="databricks-kms")
passrole_for_uc = aws.iam.get_policy_document(statements=[
aws.iam.GetPolicyDocumentStatementArgs(
effect="Allow",
actions=["sts:AssumeRole"],
principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
identifiers=["arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"],
type="AWS",
)],
conditions=[aws.iam.GetPolicyDocumentStatementConditionArgs(
test="StringEquals",
variable="sts:ExternalId",
values=[databricks_account_id],
)],
),
aws.iam.GetPolicyDocumentStatementArgs(
sid="ExplicitSelfRoleAssumption",
effect="Allow",
actions=["sts:AssumeRole"],
principals=[aws.iam.GetPolicyDocumentStatementPrincipalArgs(
type="AWS",
identifiers=[f"arn:aws:iam::{aws_account_id}:root"],
)],
conditions=[aws.iam.GetPolicyDocumentStatementConditionArgs(
test="ArnLike",
variable="aws:PrincipalArn",
values=[f"arn:aws:iam::{aws_account_id}:role/{prefix}-uc-access"],
)],
),
])
unity_metastore = aws.iam.Policy("unity_metastore",
name=f"{prefix}-unity-catalog-metastore-access-iam-policy",
policy=this.json)
metastore_data_access = aws.iam.Role("metastore_data_access",
name=f"{prefix}-uc-access",
assume_role_policy=passrole_for_uc.json,
managed_policy_arns=[unity_metastore.arn])
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
this, err := databricks.GetAwsUnityCatalogPolicy(ctx, &databricks.GetAwsUnityCatalogPolicyArgs{
AwsAccountId: awsAccountId,
BucketName: "databricks-bucket",
RoleName: "databricks-role",
KmsName: pulumi.StringRef("databricks-kms"),
}, nil);
if err != nil {
return err
}
passroleForUc, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
{
Effect: pulumi.StringRef("Allow"),
Actions: []string{
"sts:AssumeRole",
},
Principals: []iam.GetPolicyDocumentStatementPrincipal{
{
Identifiers: []string{
"arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
},
Type: "AWS",
},
},
Conditions: []iam.GetPolicyDocumentStatementCondition{
{
Test: "StringEquals",
Variable: "sts:ExternalId",
Values: interface{}{
databricksAccountId,
},
},
},
},
{
Sid: pulumi.StringRef("ExplicitSelfRoleAssumption"),
Effect: pulumi.StringRef("Allow"),
Actions: []string{
"sts:AssumeRole",
},
Principals: []iam.GetPolicyDocumentStatementPrincipal{
{
Type: "AWS",
Identifiers: []string{
fmt.Sprintf("arn:aws:iam::%v:root", awsAccountId),
},
},
},
Conditions: []iam.GetPolicyDocumentStatementCondition{
{
Test: "ArnLike",
Variable: "aws:PrincipalArn",
Values: []string{
fmt.Sprintf("arn:aws:iam::%v:role/%v-uc-access", awsAccountId, prefix),
},
},
},
},
},
}, nil);
if err != nil {
return err
}
unityMetastore, err := iam.NewPolicy(ctx, "unity_metastore", &iam.PolicyArgs{
Name: pulumi.String(fmt.Sprintf("%v-unity-catalog-metastore-access-iam-policy", prefix)),
Policy: pulumi.String(this.Json),
})
if err != nil {
return err
}
_, err = iam.NewRole(ctx, "metastore_data_access", &iam.RoleArgs{
Name: pulumi.String(fmt.Sprintf("%v-uc-access", prefix)),
AssumeRolePolicy: pulumi.String(passroleForUc.Json),
ManagedPolicyArns: pulumi.StringArray{
unityMetastore.Arn,
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var @this = Databricks.GetAwsUnityCatalogPolicy.Invoke(new()
{
AwsAccountId = awsAccountId,
BucketName = "databricks-bucket",
RoleName = "databricks-role",
KmsName = "databricks-kms",
});
var passroleForUc = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Actions = new[]
{
"sts:AssumeRole",
},
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Identifiers = new[]
{
"arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
},
Type = "AWS",
},
},
Conditions = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
{
Test = "StringEquals",
Variable = "sts:ExternalId",
Values = new[]
{
databricksAccountId,
},
},
},
},
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Sid = "ExplicitSelfRoleAssumption",
Effect = "Allow",
Actions = new[]
{
"sts:AssumeRole",
},
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "AWS",
Identifiers = new[]
{
$"arn:aws:iam::{awsAccountId}:root",
},
},
},
Conditions = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
{
Test = "ArnLike",
Variable = "aws:PrincipalArn",
Values = new[]
{
$"arn:aws:iam::{awsAccountId}:role/{prefix}-uc-access",
},
},
},
},
},
});
var unityMetastore = new Aws.Iam.Policy("unity_metastore", new()
{
Name = $"{prefix}-unity-catalog-metastore-access-iam-policy",
PolicyDocument = @this.Apply(@this => @this.Apply(getAwsUnityCatalogPolicyResult => getAwsUnityCatalogPolicyResult.Json)),
});
var metastoreDataAccess = new Aws.Iam.Role("metastore_data_access", new()
{
Name = $"{prefix}-uc-access",
AssumeRolePolicy = passroleForUc.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
ManagedPolicyArns = new[]
{
unityMetastore.Arn,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetAwsUnityCatalogPolicyArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Policy;
import com.pulumi.aws.iam.PolicyArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var this = DatabricksFunctions.getAwsUnityCatalogPolicy(GetAwsUnityCatalogPolicyArgs.builder()
.awsAccountId(awsAccountId)
.bucketName("databricks-bucket")
.roleName("databricks-role")
.kmsName("databricks-kms")
.build());
final var passroleForUc = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(
GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.actions("sts:AssumeRole")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.identifiers("arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL")
.type("AWS")
.build())
.conditions(GetPolicyDocumentStatementConditionArgs.builder()
.test("StringEquals")
.variable("sts:ExternalId")
.values(databricksAccountId)
.build())
.build(),
GetPolicyDocumentStatementArgs.builder()
.sid("ExplicitSelfRoleAssumption")
.effect("Allow")
.actions("sts:AssumeRole")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("AWS")
.identifiers(String.format("arn:aws:iam::%s:root", awsAccountId))
.build())
.conditions(GetPolicyDocumentStatementConditionArgs.builder()
.test("ArnLike")
.variable("aws:PrincipalArn")
.values(String.format("arn:aws:iam::%s:role/%s-uc-access", awsAccountId,prefix))
.build())
.build())
.build());
var unityMetastore = new Policy("unityMetastore", PolicyArgs.builder()
.name(String.format("%s-unity-catalog-metastore-access-iam-policy", prefix))
.policy(this_.json())
.build());
var metastoreDataAccess = new Role("metastoreDataAccess", RoleArgs.builder()
.name(String.format("%s-uc-access", prefix))
.assumeRolePolicy(passroleForUc.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
.managedPolicyArns(unityMetastore.arn())
.build());
}
}
resources:
unityMetastore:
type: aws:iam:Policy
name: unity_metastore
properties:
name: ${prefix}-unity-catalog-metastore-access-iam-policy
policy: ${this.json}
metastoreDataAccess:
type: aws:iam:Role
name: metastore_data_access
properties:
name: ${prefix}-uc-access
assumeRolePolicy: ${passroleForUc.json}
managedPolicyArns:
- ${unityMetastore.arn}
variables:
this:
fn::invoke:
Function: databricks:getAwsUnityCatalogPolicy
Arguments:
awsAccountId: ${awsAccountId}
bucketName: databricks-bucket
roleName: databricks-role
kmsName: databricks-kms
passroleForUc:
fn::invoke:
Function: aws:iam:getPolicyDocument
Arguments:
statements:
- effect: Allow
actions:
- sts:AssumeRole
principals:
- identifiers:
- arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL
type: AWS
conditions:
- test: StringEquals
variable: sts:ExternalId
values:
- ${databricksAccountId}
- sid: ExplicitSelfRoleAssumption
effect: Allow
actions:
- sts:AssumeRole
principals:
- type: AWS
identifiers:
- arn:aws:iam::${awsAccountId}:root
conditions:
- test: ArnLike
variable: aws:PrincipalArn
values:
- arn:aws:iam::${awsAccountId}:role/${prefix}-uc-access
Using getAwsUnityCatalogPolicy
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getAwsUnityCatalogPolicy(args: GetAwsUnityCatalogPolicyArgs, opts?: InvokeOptions): Promise<GetAwsUnityCatalogPolicyResult>
function getAwsUnityCatalogPolicyOutput(args: GetAwsUnityCatalogPolicyOutputArgs, opts?: InvokeOptions): Output<GetAwsUnityCatalogPolicyResult>def get_aws_unity_catalog_policy(aws_account_id: Optional[str] = None,
bucket_name: Optional[str] = None,
kms_name: Optional[str] = None,
role_name: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetAwsUnityCatalogPolicyResult
def get_aws_unity_catalog_policy_output(aws_account_id: Optional[pulumi.Input[str]] = None,
bucket_name: Optional[pulumi.Input[str]] = None,
kms_name: Optional[pulumi.Input[str]] = None,
role_name: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetAwsUnityCatalogPolicyResult]func GetAwsUnityCatalogPolicy(ctx *Context, args *GetAwsUnityCatalogPolicyArgs, opts ...InvokeOption) (*GetAwsUnityCatalogPolicyResult, error)
func GetAwsUnityCatalogPolicyOutput(ctx *Context, args *GetAwsUnityCatalogPolicyOutputArgs, opts ...InvokeOption) GetAwsUnityCatalogPolicyResultOutput> Note: This function is named GetAwsUnityCatalogPolicy in the Go SDK.
public static class GetAwsUnityCatalogPolicy
{
public static Task<GetAwsUnityCatalogPolicyResult> InvokeAsync(GetAwsUnityCatalogPolicyArgs args, InvokeOptions? opts = null)
public static Output<GetAwsUnityCatalogPolicyResult> Invoke(GetAwsUnityCatalogPolicyInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetAwsUnityCatalogPolicyResult> getAwsUnityCatalogPolicy(GetAwsUnityCatalogPolicyArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
function: databricks:index/getAwsUnityCatalogPolicy:getAwsUnityCatalogPolicy
arguments:
# arguments dictionaryThe following arguments are supported:
- Aws
Account stringId - The Account ID of the current AWS account (not your Databricks account).
- Bucket
Name string - The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
- Role
Name string - The name of the AWS IAM role that you created in the previous step in the official documentation.
- Kms
Name string - If encryption is enabled, provide the name of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.
- Aws
Account stringId - The Account ID of the current AWS account (not your Databricks account).
- Bucket
Name string - The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
- Role
Name string - The name of the AWS IAM role that you created in the previous step in the official documentation.
- Kms
Name string - If encryption is enabled, provide the name of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.
- aws
Account StringId - The Account ID of the current AWS account (not your Databricks account).
- bucket
Name String - The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
- role
Name String - The name of the AWS IAM role that you created in the previous step in the official documentation.
- kms
Name String - If encryption is enabled, provide the name of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.
- aws
Account stringId - The Account ID of the current AWS account (not your Databricks account).
- bucket
Name string - The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
- role
Name string - The name of the AWS IAM role that you created in the previous step in the official documentation.
- kms
Name string - If encryption is enabled, provide the name of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.
- aws_
account_ strid - The Account ID of the current AWS account (not your Databricks account).
- bucket_
name str - The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
- role_
name str - The name of the AWS IAM role that you created in the previous step in the official documentation.
- kms_
name str - If encryption is enabled, provide the name of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.
- aws
Account StringId - The Account ID of the current AWS account (not your Databricks account).
- bucket
Name String - The name of the S3 bucket used as root storage location for managed tables in Unity Catalog.
- role
Name String - The name of the AWS IAM role that you created in the previous step in the official documentation.
- kms
Name String - If encryption is enabled, provide the name of the KMS key that encrypts the S3 bucket contents. If encryption is disabled, do not provide this argument.
getAwsUnityCatalogPolicy Result
The following output properties are available:
- Aws
Account stringId - Bucket
Name string - Id string
- The provider-assigned unique ID for this managed resource.
- Json string
- AWS IAM Policy JSON document
- Role
Name string - Kms
Name string
- Aws
Account stringId - Bucket
Name string - Id string
- The provider-assigned unique ID for this managed resource.
- Json string
- AWS IAM Policy JSON document
- Role
Name string - Kms
Name string
- aws
Account StringId - bucket
Name String - id String
- The provider-assigned unique ID for this managed resource.
- json String
- AWS IAM Policy JSON document
- role
Name String - kms
Name String
- aws
Account stringId - bucket
Name string - id string
- The provider-assigned unique ID for this managed resource.
- json string
- AWS IAM Policy JSON document
- role
Name string - kms
Name string
- aws_
account_ strid - bucket_
name str - id str
- The provider-assigned unique ID for this managed resource.
- json str
- AWS IAM Policy JSON document
- role_
name str - kms_
name str
- aws
Account StringId - bucket
Name String - id String
- The provider-assigned unique ID for this managed resource.
- json String
- AWS IAM Policy JSON document
- role
Name String - kms
Name String
Package Details
- Repository
- databricks pulumi/pulumi-databricks
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
databricksTerraform Provider.