Posted to issues@iceberg.apache.org by GitBox <gi...@apache.org> on 2022/08/09 18:36:20 UTC

[GitHub] [iceberg] kbendick commented on issue #5381: Problem with assume-role

kbendick commented on issue #5381:
URL: https://github.com/apache/iceberg/issues/5381#issuecomment-1209742236

   I work at Tabular and as such don't use the Glue catalog super regularly in my day to day, but the error message mentions that the assumed role, `role_a`, is not authorized to perform `glue:GetUserDefinedFunctions` on `arn:aws:glue:us-east-2:account_b:catalog` because there's no resource policy on `arn:aws:glue:us-east-2:account_b:catalog` that allows anything to access that.
   
   I think this is one of those cases where permissions need to be defined bidirectionally -- that is, not only does the `role_a` or `role_b` need to be allowed `glue:GetUserDefinedFunctions` specifically on this resource (or on `*`), but there needs to be a corresponding policy _on that resource_ that allows those roles (or the primary role) to access it in the same way.
   
   To troubleshoot:
   1. I'd try to make sure that the original role (the one that is being assumed) can perform the operation.
   2. If the above can be done, then the policies from the above can be cherry-picked for the assume role.
   
   If you get the first role to work, but not the assumed role and you're sure that you have the same permission sets on both, then this might be a problem within AWS assume role. But I think that the bidirectional setup is required when going across accounts (such that not only can `role_a` assume `role_b`, but also that `role_b` is explicitly allowed by those resources to perform those operations).
   
   This document probably explains it much better than I can: https://docs.aws.amazon.com/glue/latest/dg/cross-account-access.html
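The two-sided check described in the comment, as an added example that is not part of the issue thread, of Iceberg, or of AWS: a deliberately simplified model of how AWS evaluates a cross-account Glue Data Catalog request, where the caller's identity policy and the catalog's resource policy must both allow the action, while within a single account either side suffices. The account ids (`account_a`, `account_b`), role names, and all three policy documents are constructed placeholders; conditions, permission boundaries, SCPs, session policies and Lake Formation are ignored.

```python
"""Simplified cross-account policy evaluation for a Glue catalog request.

Constructed example (not Iceberg or AWS code). Accounts, roles and policies
are placeholders; real IAM evaluation also considers conditions, SCPs,
permission boundaries and session policies, which are omitted here.
"""
from fnmatch import fnmatchcase

# role_b lives in account_a and is the role Iceberg assumes (assumed names).
ROLE_B = "arn:aws:iam::account_a:role/role_b"
# A role that lives in the same account as the catalog (assumed name).
LOCAL_ROLE = "arn:aws:iam::account_b:role/local_reader"
CATALOG = "arn:aws:glue:us-east-2:account_b:catalog"

GLUE_RESOURCES = [
    "arn:aws:glue:us-east-2:account_b:catalog",
    "arn:aws:glue:us-east-2:account_b:database/*",
    "arn:aws:glue:us-east-2:account_b:table/*/*",
]
GLUE_ACTIONS = ["glue:GetUserDefinedFunctions", "glue:GetDatabase*", "glue:GetTable*"]

# Identity policy attached to the calling role (constructed): this side alone
# is what most people configure, and it is the side the first troubleshooting
# step verifies.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": GLUE_ACTIONS, "Resource": GLUE_RESOURCES}],
}

# Resource policy on account_b's catalog before the fix: grants nothing, which
# reproduces the "no resource policy allows access" symptom (constructed).
RESOURCE_POLICY_BEFORE = {"Version": "2012-10-17", "Statement": []}

# Resource policy after the fix (constructed): the catalog explicitly names
# role_b from account_a and grants it the same actions.
RESOURCE_POLICY_AFTER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [ROLE_B]},
        "Action": GLUE_ACTIONS,
        "Resource": GLUE_RESOURCES,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    # arn:partition:service:region:account:resource -> account is field 4
    return arn.split(":", 5)[4]


def _principal_matches(stmt, principal):
    """Resource policies name a Principal; identity policies do not."""
    declared = stmt.get("Principal", "*")
    if declared == "*":
        return True
    return principal in _as_list(declared.get("AWS", []))


def _statement_matches(stmt, principal, action, resource, check_principal):
    if check_principal and not _principal_matches(stmt, principal):
        return False
    if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    return any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))


def _decision(policy, principal, action, resource, check_principal):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, principal, action, resource, check_principal)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


def is_allowed(principal, action, resource, identity_policy, resource_policy):
    """Combine both sides the way AWS does for resource-based policies."""
    ident = _decision(identity_policy, principal, action, resource, check_principal=False)
    res = _decision(resource_policy, principal, action, resource, check_principal=True)
    if "Deny" in (ident, res):           # an explicit Deny anywhere wins
        return False
    if _account_of(principal) == _account_of(resource):
        return ident == "Allow" or res == "Allow"   # same account: either side
    return ident == "Allow" and res == "Allow"      # cross-account: both sides


if __name__ == "__main__":
    action = "glue:GetUserDefinedFunctions"
    for label, rp in (("before fix", RESOURCE_POLICY_BEFORE), ("after fix", RESOURCE_POLICY_AFTER)):
        print(label, "role_b cross-account:", is_allowed(ROLE_B, action, CATALOG, IDENTITY_POLICY, rp))
    print("same-account role with no resource policy:",
          is_allowed(LOCAL_ROLE, action, CATALOG, IDENTITY_POLICY, RESOURCE_POLICY_BEFORE))
```

Running it shows the asymmetry the comment describes: with the identical identity policy, the same-account role is allowed even when the catalog has no resource policy, while `role_b` from the other account is denied until the catalog's resource policy names it. When diagnosing a real setup, compare the output of `aws glue get-resource-policy` in the catalog account against the assumed role's identity policy rather than reasoning from one side only.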


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@iceberg.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org