Assumed role debug
====================

This guide shows how to debug AWS Glue catalog authentication when access is supposed to come from an assumed IAM role. We assume the AWS CLI is installed on the test machine.

1. Make sure there is no config or credentials file in the ~/.aws/ folder, and that AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN are not set in the shell. Otherwise the CLI silently uses those credentials, and you end up debugging the wrong identity.

We assume your Glue catalog data is in the us-east-1 region.

aws glue get-databases --region us-east-1
Expected return if your machine has an IAM role attached (for example an EC2 instance profile) that is not allowed to read the catalog:
An error occurred (AccessDeniedException) when calling the GetDatabases operation: User: arn:aws:sts:: is not authorized to perform: glue:GetDatabases on resource: arn:aws:glue:us-east-1::catalog because no identity-based policy allows the glue:GetDatabases action
If your machine has no IAM role attached, it will return:
Unable to locate credentials. You can configure credentials by running "aws configure".
Either result is what you want at this point: it confirms that nothing already on the machine grants Glue access, so any access that works after the next steps comes from the assumed role.

2. Assuming the role ARN is "arn:aws:iam::015009999999:role/AssumeRoleReadOnly", run the following command in the shell. This call is made with whatever credentials the machine already has (the attached IAM role from step 1); the role's trust policy must allow that caller to assume it. An AccessDenied on this call points at the trust policy or the caller's sts:AssumeRole permission, not at Glue. If step 1 returned "Unable to locate credentials", you first need some base credentials that the trust policy allows.

aws sts assume-role --role-arn arn:aws:iam::015009999999:role/AssumeRoleReadOnly --role-session-name my-session
Expected return:
{
  "Credentials": {
    "AccessKeyId": "<AccessKeyId>",
    "SecretAccessKey": "<SecretAccessKey>",
    "SessionToken": "<SessionToken>",
    "Expiration": "2024-09-12T09:35:39Z"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAQG7SLP4VAPPAYV3BP:my-session",
    "Arn": "arn:aws:sts::015009999999:assumed-role/AssumeRoleReadOnly/my-session"
  }
}

3. Export the credentials returned in step 2 into the environment of the same shell you will run the checks from.

export AWS_ACCESS_KEY_ID=<AccessKeyId>
export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
export AWS_SESSION_TOKEN=<SessionToken>
Replace <AccessKeyId>, <SecretAccessKey> and <SessionToken> with the values from step 2's output. All three are required: the access key and secret alone are rejected without the matching session token. These are temporary credentials and stop working at the "Expiration" time, so re-run step 2 if the checks start failing later.

4. Run the following command to verify that you assumed the IAM role.

aws sts get-caller-identity
Expected return.
{
    "UserId": "AROAQG7SLP4VAPPAYV3BP:my-session",
    "Account": "015009999999",
    "Arn": "arn:aws:sts::015009999999:assumed-role/AssumeRoleReadOnly/my-session"
}
The UserId and Arn must match the AssumedRoleId and Arn returned in step 2. If you still see your original IAM user or instance-role ARN, the exported variables did not take effect in this shell (for example they were exported in a different terminal, or the credentials have expired).
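Steps 2 to 4 as one sourced script, added here as an example and not part of the original guide: it assumes the role, turns the JSON into the three export lines, and checks that get-caller-identity reports the same Arn that assume-role returned. It assumes the aws CLI is on PATH; the role ARN and session name are the placeholders used above, and the JSON samples at the bottom are constructed with dummy values so the helpers can be exercised offline.

```shell
#!/bin/sh
# Added example for this guide, not part of the original page: performs
# steps 2-4 (assume role, export the temporary credentials, verify the
# caller identity). Assumes the aws CLI is on PATH; ROLE_ARN and
# SESSION_NAME are the placeholder values from the guide.
ROLE_ARN="${ROLE_ARN:-arn:aws:iam::015009999999:role/AssumeRoleReadOnly}"
SESSION_NAME="${SESSION_NAME:-my-session}"

# Extract one string field from the CLI's JSON output without needing jq.
# Usage: json_field '<json>' FieldName
json_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Turn assume-role output into the three export lines of step 3.
# Prints them instead of running them: a child process cannot modify the
# caller's environment, so the caller has to eval the result.
credentials_to_exports() {
    ak=$(json_field "$1" AccessKeyId)
    sk=$(json_field "$1" SecretAccessKey)
    st=$(json_field "$1" SessionToken)
    # Refuse to emit partial credentials (e.g. $1 is an error message).
    [ -n "$ak" ] && [ -n "$sk" ] && [ -n "$st" ] || return 1
    printf "export AWS_ACCESS_KEY_ID='%s'\n" "$ak"
    printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$sk"
    printf "export AWS_SESSION_TOKEN='%s'\n" "$st"
}

# Step 4's check: the Arn reported by get-caller-identity must equal the
# AssumedRoleUser Arn from assume-role; otherwise the exports were not
# picked up and the CLI is still using the previous credentials.
identity_matches() {
    expected=$(json_field "$1" Arn)
    actual=$(json_field "$2" Arn)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Live path: source this file (". ./assume_role_debug.sh") and then call
# assume_role_live, so the exports land in your interactive shell.
assume_role_live() {
    out=$(aws sts assume-role --role-arn "$ROLE_ARN" --role-session-name "$SESSION_NAME") || return 1
    exports=$(credentials_to_exports "$out") || return 1
    eval "$exports"
    identity_matches "$out" "$(aws sts get-caller-identity)"
}

# Constructed sample outputs (same shape as the real CLI output, dummy
# values) so the helpers above can be exercised offline.
SAMPLE_ASSUME_ROLE='{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEY",
    "SecretAccessKey": "examplesecret",
    "SessionToken": "exampletoken==",
    "Expiration": "2024-09-12T09:35:39Z"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLEID:my-session",
    "Arn": "arn:aws:sts::015009999999:assumed-role/AssumeRoleReadOnly/my-session"
  }
}'
SAMPLE_CALLER_IDENTITY='{
    "UserId": "AROAEXAMPLEID:my-session",
    "Account": "015009999999",
    "Arn": "arn:aws:sts::015009999999:assumed-role/AssumeRoleReadOnly/my-session"
}'
# What step 4 looks like when the exports were NOT picked up: the CLI
# still reports the instance role instead of the assumed one.
SAMPLE_STALE_IDENTITY='{
    "UserId": "AROAEXAMPLEOTHER:i-0123456789abcdef0",
    "Account": "015009999999",
    "Arn": "arn:aws:sts::015009999999:assumed-role/EC2InstanceRole/i-0123456789abcdef0"
}'
```

Source the file rather than executing it, so the exports from assume_role_live stay in your shell; running it as a separate process would assume the role and then throw the credentials away when the process exits. identity_matches returning non-zero is exactly the mismatch case described in step 4.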

5. With the role credentials in place, repeat the Glue call from step 1. We assume your Glue catalog data is in the us-east-1 region.

aws glue get-databases --region us-east-1
Example return (the catalog now lists its databases instead of returning AccessDeniedException):
{
    "DatabaseList": [
        {
            "Name": "bitcoin",
            "LocationUri": "s3://test/warehouse/test.db",
            "Parameters": {
                "owner": "hadoop"
            },
            "CreateTime": 1692792931.0,
            "CreateTableDefaultPermissions": [
                {
                    "Principal": {
                        "DataLakePrincipalIdentifier": "IAM_ALLOWED_PRINCIPALS"
                    },
                    "Permissions": [
                        "ALL"
                    ]
                }
            ],
            "CatalogId": "015009999999"
        }
    ],
    "NextToken": "=="
}
Related S3 command. The role also needs read access to each database's LocationUri for queries to work, so check it with the same exported credentials:
aws s3 ls s3://test/warehouse/test.db