Assumed role debug
This guide shows how to debug Glue catalog authentication. We assume the AWS CLI is installed on the test machine.
1. Make sure there is no config file in the ~/.aws/ folder.
We assume your Glue catalog data is in the us-east-1 region.
Expected return if your machine has an IAM role attached:
An error occurred (AccessDeniedException) when calling the GetDatabases operation: User: arn:aws:sts:: is not authorized to perform: glue:GetDatabases on resource: arn:aws:glue:us-east-1::catalog because no identity-based policy allows the glue:GetDatabases action
2. Get the authentication-related information using the role ARN.
Assuming the role ARN is "arn:aws:iam::015009999999:role/AssumeRoleReadOnly", run the following command in a shell:
aws sts assume-role --role-arn arn:aws:iam::015009999999:role/AssumeRoleReadOnly --role-session-name my-session
{
    "Credentials": {
        "AccessKeyId": "<AccessKeyId>",
        "SecretAccessKey": "<SecretAccessKey>",
        "SessionToken": "<SessionToken>",
        "Expiration": "2024-09-12T09:35:39Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAQG7SLP4VAPPAYV3BP:my-session",
        "Arn": "arn:aws:sts::015009999999:assumed-role/AssumeRoleReadOnly/my-session"
    }
}
3. Export the values returned by the previous step as environment variables.
export AWS_ACCESS_KEY_ID=<AccessKeyId>
export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
export AWS_SESSION_TOKEN=<SessionToken>
4. Run the following command to verify that you assumed the IAM role.
Expected return:
{
    "UserId": "AROAQG7SLP4VAPPAYV3BP:my-session",
    "Account": "015009999999",
    "Arn": "arn:aws:sts::015009999999:assumed-role/AssumeRoleReadOnly/my-session"
}
5. Run the relevant aws glue/s3 commands; they are expected to return correct results.
We assume your Glue catalog data is in the us-east-1 region.
Example return:
{
    "DatabaseList": [
        {
            "Name": "bitcoin",
            "LocationUri": "s3://test/warehouse/test.db",
            "Parameters": {
                "owner": "hadoop"
            },
            "CreateTime": 1692792931.0,
            "CreateTableDefaultPermissions": [
                {
                    "Principal": {
                        "DataLakePrincipalIdentifier": "IAM_ALLOWED_PRINCIPALS"
                    },
                    "Permissions": [
                        "ALL"
                    ]
                }
            ],
            "CatalogId": "015009999999"
        }
    ],
    "NextToken": "=="
}
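The five steps above as one script, added here as an example and not part of the original guide. The aws glue get-databases and aws sts get-caller-identity calls are assumptions inferred from the GetDatabases error in step 1 and the output shown in step 4; load_creds, session_prefix, is_assumed and debug_glue_auth are hypothetical helper names.

```shell
#!/bin/sh
# Added example; ROLE_ARN, SESSION_NAME and REGION are the guide's sample values.
ROLE_ARN="arn:aws:iam::015009999999:role/AssumeRoleReadOnly"
SESSION_NAME="my-session"
REGION="us-east-1"
TAB=$(printf '\t')

# Read one line "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken" from stdin
# and export it; fail if any of the three fields is missing.
load_creds() {
  local key secret token
  IFS="$TAB" read -r key secret token || true
  [ -n "$key" ] && [ -n "$secret" ] && [ -n "$token" ] || return 1
  export AWS_ACCESS_KEY_ID="$key" AWS_SECRET_ACCESS_KEY="$secret" AWS_SESSION_TOKEN="$token"
}

# ARN prefix reported for a session of role ARN $1: partition and account are
# kept, any role path is dropped.
session_prefix() {
  printf 'arn:%s:sts::%s:assumed-role/%s/' \
    "$(printf '%s' "$1" | cut -d: -f2)" "$(printf '%s' "$1" | cut -d: -f5)" "${1##*/}"
}

# Succeed only if caller ARN $1 is a session of role ARN $2.
is_assumed() {
  local prefix
  prefix=$(session_prefix "$2")
  case "$1" in "$prefix"?*) return 0 ;; *) return 1 ;; esac
}

debug_glue_auth() {
  local creds arn rc
  # Step 1: with no ~/.aws config this uses the instance role; AccessDenied is expected.
  aws glue get-databases --region "$REGION" || echo "step 1: instance identity denied" >&2
  # Steps 2-3: assume the role and export its temporary credentials.
  creds=$(aws sts assume-role --role-arn "$ROLE_ARN" --role-session-name "$SESSION_NAME" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text) || return 1
  load_creds <<EOF || return 1
$creds
EOF
  # Step 4: confirm the active identity is a session of the role.
  arn=$(aws sts get-caller-identity --query Arn --output text) || return 1
  is_assumed "$arn" "$ROLE_ARN" || { echo "step 4: still running as $arn" >&2; return 1; }
  # Step 5: the call the role is supposed to allow; then drop the credentials.
  aws glue get-databases --region "$REGION"; rc=$?
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  return "$rc"
}

if [ "${1:-}" = "run" ]; then debug_glue_auth; fi
```

Invoke the script with the argument run on the test machine. A failure at step 4 means the exported variables did not take effect and later calls would still use the instance identity.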