如何解决服务无法承担角色错误 - 使用 JDBC 目标创建 AWS Glue cloudformation
Resources:
glueCrawlerRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- glue.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /service-role/
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AWSglueServiceRole'
Policies:
- PolicyName: glueAccess
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: kmsKeyAccess
Effect: Allow
Action:
- 'kms:Encrypt'
- 'kms:Decrypt'
- 'kms:ReEncrypt*'
- 'kms:GenerateDataKey*'
- 'kms:DescribeKey'
Resource: !Ref KmsKeyArn
- Sid: logKmsKey
Effect: Allow
Action:
- 'logs:AssociateKmsKey'
Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws-glue/:*'
glueCrawler:
Type: 'AWS::glue::Crawler'
Properties:
Name: !Sub '${AWS::StackName}'
Role: !GetAtt glueCrawlerRole.Arn
DatabaseName: !Sub '${AWS::StackName}-database'
Targets:
S3Targets:
- Path: !Ref MyS3Bucket
JdbcTargets:
-
ConnectionName: "XXXXXXX"
Path: "ABCD/%"
DatabaseName: "rds-xxxxx-abcd01-private-db"
SchemaChangePolicy:
UpdateBehavior: "UPDATE_IN_DATABASE"
DeleteBehavior: "DEPRECATE_IN_DATABASE"
TablePrefix: "aurora_rds_"
服务无法承担角色 arn:aws:iam::xxxxxxxxxx:role/cua-enterprise-data-hub-dev-test-g-glueCrawlerRole-1FB4KV7YGL1QB。请验证角色的 TrustPolicy(服务:AWSglue;状态代码:400;错误代码:InvalidInputException;请求 ID:bb1b60a5-3301-40de-81bf-ea78018cffa9)
解决方法
您的资源不正确。而不是
Resource: 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws-glue/:*'
Resource: 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:*'
应该有(缺少 !Sub
):
Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws-glue/:*'
Resource: !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:*'
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。