"Service is unable to assume role" error - creating an AWS Glue crawler with JDBC targets via CloudFormation

How do I resolve the "Service is unable to assume role" error when creating an AWS Glue crawler with JDBC targets through CloudFormation?

Resources:
  glueCrawlerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      # Trust policy: allows the Glue service principal to assume this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - glue.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /service-role/
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole'
      Policies:
        - PolicyName: glueAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: kmsKeyAccess
                Effect: Allow
                Action:
                  - 'kms:Encrypt'
                  - 'kms:Decrypt'
                  - 'kms:ReEncrypt*'
                  - 'kms:GenerateDataKey*'
                  - 'kms:DescribeKey'
                Resource: !Ref KmsKeyArn
              - Sid: logKmsKey
                Effect: Allow
                Action:
                  - 'logs:AssociateKmsKey'
                Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws-glue/:*'

  glueCrawler:
    Type: 'AWS::Glue::Crawler'
    Properties:
      Name: !Sub '${AWS::StackName}'
      Role: !GetAtt glueCrawlerRole.Arn
      DatabaseName: !Sub '${AWS::StackName}-database'
      Targets:
        S3Targets:
          - Path: !Ref MyS3Bucket
        JdbcTargets:
          - ConnectionName: "XXXXXXX"
            Path: "ABCD/%"
      # SchemaChangePolicy and TablePrefix are crawler properties, not target
      # properties, so they belong at the same level as Targets. The original
      # also repeated DatabaseName here ("rds-xxxxx-abcd01-private-db"); a YAML
      # mapping may declare the key only once, so only the value above is kept.
      SchemaChangePolicy:
        UpdateBehavior: "UPDATE_IN_DATABASE"
        DeleteBehavior: "DEPRECATE_IN_DATABASE"
      TablePrefix: "aurora_rds_"

Service is unable to assume role arn:aws:iam::xxxxxxxxxx:role/cua-enterprise-data-hub-dev-test-g-glueCrawlerRole-1FB4KV7YGL1QB. Please verify the role's TrustPolicy (Service: AWSGlue; Status Code: 400; Error Code: InvalidInputException; Request ID: bb1b60a5-3301-40de-81bf-ea78018cffa9)

Solution

Your Resource is incorrect. Instead of

Resource: 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws-glue/:*'
Resource: 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:*'

it should be (the !Sub is missing):

Resource: !Sub 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws-glue/:*'
Resource: !Sub 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:*'
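A small lint that catches this class of mistake before the stack is deployed, added here as an example (it is not part of the original question or answer): CloudFormation only expands `${...}` inside `Fn::Sub`, so any scalar that carries a placeholder without the `!Sub` tag reaches the service as literal text such as `${AWS::Region}`. The template excerpt below is constructed from the snippets above; the `glue:GetTable` action is a placeholder to make the second statement complete.

```python
import re
from typing import List, Tuple

# One YAML scalar line: optional "- " list marker, optional "Key:", optional
# "!Tag", then the value. Only values containing a ${...} placeholder matter;
# a leading "#" (comment) never matches because "#" is excluded from the value.
_SCALAR_LINE = re.compile(
    r"""^\s*(?:-\s+)?(?:[\w.]+:\s+)?(?P<tag>![\w:]+)?\s*(?P<val>['"]?[^'"#]*\$\{[^}]+\}.*)$"""
)

def find_unsubbed_placeholders(template: str) -> List[Tuple[int, str]]:
    """Return (line_number, value) for every scalar that contains ${...}
    but is not tagged !Sub. Such a value is sent to AWS unexpanded, which is
    exactly the defect behind the error in the question."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        m = _SCALAR_LINE.match(line)
        if m is None or (m.group("tag") or "") == "!Sub":
            continue
        findings.append((lineno, m.group("val").strip().strip("'\"")))
    return findings

# Constructed excerpt reproducing the mistake: two ARNs that carry
# ${AWS::Region}/${AWS::AccountId} but were written as plain strings.
BROKEN = """\
Statement:
  - Sid: logKmsKey
    Effect: Allow
    Action:
      - 'logs:AssociateKmsKey'
    Resource: 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws-glue/:*'
  - Sid: glueAccess
    Effect: Allow
    Action: 'glue:GetTable'
    Resource: 'arn:aws:glue:${AWS::Region}:${AWS::AccountId}:*'
"""

# The same excerpt with the fix from the answer applied (!Sub added).
FIXED = BROKEN.replace("Resource: 'arn", "Resource: !Sub 'arn")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        hits = find_unsubbed_placeholders(text)
        print(f"{name}: {len(hits)} placeholder(s) left unexpanded")
        for lineno, value in hits:
            print(f"  line {lineno}: {value}")
```

Running it reports lines 6 and 10 of the broken excerpt and nothing for the fixed one.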
