Docs Home
Databricks v1.67.0 published on Thursday, Apr 17, 2025 by Pulumi
databricks.getAwsAssumeRolePolicy
Explore with Pulumi AI
This data source constructs necessary AWS STS assume role policy for you.
Example Usage
End-to-end example of provisioning Cross-account IAM role with databricks.MwsCredentials and aws_iam_role:
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as databricks from "@pulumi/databricks";
const config = new pulumi.Config();
// Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
const databricksAccountId = config.requireObject<any>("databricksAccountId");
const _this = databricks.getAwsCrossAccountPolicy({});
const crossAccountPolicy = new aws.iam.Policy("cross_account_policy", {
name: `${prefix}-crossaccount-iam-policy`,
policy: _this.then(_this => _this.json),
});
const thisGetAwsAssumeRolePolicy = databricks.getAwsAssumeRolePolicy({
externalId: databricksAccountId,
});
const crossAccount = new aws.iam.Role("cross_account", {
name: `${prefix}-crossaccount-iam-role`,
assumeRolePolicy: thisGetAwsAssumeRolePolicy.then(thisGetAwsAssumeRolePolicy => thisGetAwsAssumeRolePolicy.json),
description: "Grants Databricks full access to VPC resources",
});
const crossAccountRolePolicyAttachment = new aws.iam.RolePolicyAttachment("cross_account", {
policyArn: crossAccountPolicy.arn,
role: crossAccount.name,
});
// required only in case of multi-workspace setup
const thisMwsCredentials = new databricks.MwsCredentials("this", {
accountId: databricksAccountId,
credentialsName: `${prefix}-creds`,
roleArn: crossAccount.arn,
});
import pulumi
import pulumi_aws as aws
import pulumi_databricks as databricks
config = pulumi.Config()
# Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
databricks_account_id = config.require_object("databricksAccountId")
this = databricks.get_aws_cross_account_policy()
cross_account_policy = aws.iam.Policy("cross_account_policy",
name=f"{prefix}-crossaccount-iam-policy",
policy=this.json)
this_get_aws_assume_role_policy = databricks.get_aws_assume_role_policy(external_id=databricks_account_id)
cross_account = aws.iam.Role("cross_account",
name=f"{prefix}-crossaccount-iam-role",
assume_role_policy=this_get_aws_assume_role_policy.json,
description="Grants Databricks full access to VPC resources")
cross_account_role_policy_attachment = aws.iam.RolePolicyAttachment("cross_account",
policy_arn=cross_account_policy.arn,
role=cross_account.name)
# required only in case of multi-workspace setup
this_mws_credentials = databricks.MwsCredentials("this",
account_id=databricks_account_id,
credentials_name=f"{prefix}-creds",
role_arn=cross_account.arn)
package main
import (
"fmt"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
cfg := config.New(ctx, "")
// Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
databricksAccountId := cfg.RequireObject("databricksAccountId")
this, err := databricks.GetAwsCrossAccountPolicy(ctx, &databricks.GetAwsCrossAccountPolicyArgs{}, nil)
if err != nil {
return err
}
crossAccountPolicy, err := iam.NewPolicy(ctx, "cross_account_policy", &iam.PolicyArgs{
Name: pulumi.Sprintf("%v-crossaccount-iam-policy", prefix),
Policy: pulumi.String(this.Json),
})
if err != nil {
return err
}
thisGetAwsAssumeRolePolicy, err := databricks.GetAwsAssumeRolePolicy(ctx, &databricks.GetAwsAssumeRolePolicyArgs{
ExternalId: databricksAccountId,
}, nil)
if err != nil {
return err
}
crossAccount, err := iam.NewRole(ctx, "cross_account", &iam.RoleArgs{
Name: pulumi.Sprintf("%v-crossaccount-iam-role", prefix),
AssumeRolePolicy: pulumi.String(thisGetAwsAssumeRolePolicy.Json),
Description: pulumi.String("Grants Databricks full access to VPC resources"),
})
if err != nil {
return err
}
_, err = iam.NewRolePolicyAttachment(ctx, "cross_account", &iam.RolePolicyAttachmentArgs{
PolicyArn: crossAccountPolicy.Arn,
Role: crossAccount.Name,
})
if err != nil {
return err
}
// required only in case of multi-workspace setup
_, err = databricks.NewMwsCredentials(ctx, "this", &databricks.MwsCredentialsArgs{
AccountId: pulumi.Any(databricksAccountId),
CredentialsName: pulumi.Sprintf("%v-creds", prefix),
RoleArn: crossAccount.Arn,
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
using Databricks = Pulumi.Databricks;
return await Deployment.RunAsync(() =>
{
var config = new Config();
// Account Id that could be found in the top right corner of https://accounts.cloud.databricks.com/
var databricksAccountId = config.RequireObject<dynamic>("databricksAccountId");
var @this = Databricks.GetAwsCrossAccountPolicy.Invoke();
var crossAccountPolicy = new Aws.Iam.Policy("cross_account_policy", new()
{
Name = $"{prefix}-crossaccount-iam-policy",
PolicyDocument = @this.Apply(@this => @this.Apply(getAwsCrossAccountPolicyResult => getAwsCrossAccountPolicyResult.Json)),
});
var thisGetAwsAssumeRolePolicy = Databricks.GetAwsAssumeRolePolicy.Invoke(new()
{
ExternalId = databricksAccountId,
});
var crossAccount = new Aws.Iam.Role("cross_account", new()
{
Name = $"{prefix}-crossaccount-iam-role",
AssumeRolePolicy = thisGetAwsAssumeRolePolicy.Apply(getAwsAssumeRolePolicyResult => getAwsAssumeRolePolicyResult.Json),
Description = "Grants Databricks full access to VPC resources",
});
var crossAccountRolePolicyAttachment = new Aws.Iam.RolePolicyAttachment("cross_account", new()
{
PolicyArn = crossAccountPolicy.Arn,
Role = crossAccount.Name,
});
// required only in case of multi-workspace setup
var thisMwsCredentials = new Databricks.MwsCredentials("this", new()
{
AccountId = databricksAccountId,
CredentialsName = $"{prefix}-creds",
RoleArn = crossAccount.Arn,
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetAwsCrossAccountPolicyArgs;
import com.pulumi.aws.iam.Policy;
import com.pulumi.aws.iam.PolicyArgs;
import com.pulumi.databricks.inputs.GetAwsAssumeRolePolicyArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.iam.RolePolicyAttachment;
import com.pulumi.aws.iam.RolePolicyAttachmentArgs;
import com.pulumi.databricks.MwsCredentials;
import com.pulumi.databricks.MwsCredentialsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var config = ctx.config();
final var databricksAccountId = config.get("databricksAccountId");
final var this = DatabricksFunctions.getAwsCrossAccountPolicy(GetAwsCrossAccountPolicyArgs.builder()
.build());
var crossAccountPolicy = new Policy("crossAccountPolicy", PolicyArgs.builder()
.name(String.format("%s-crossaccount-iam-policy", prefix))
.policy(this_.json())
.build());
final var thisGetAwsAssumeRolePolicy = DatabricksFunctions.getAwsAssumeRolePolicy(GetAwsAssumeRolePolicyArgs.builder()
.externalId(databricksAccountId)
.build());
var crossAccount = new Role("crossAccount", RoleArgs.builder()
.name(String.format("%s-crossaccount-iam-role", prefix))
.assumeRolePolicy(thisGetAwsAssumeRolePolicy.json())
.description("Grants Databricks full access to VPC resources")
.build());
var crossAccountRolePolicyAttachment = new RolePolicyAttachment("crossAccountRolePolicyAttachment", RolePolicyAttachmentArgs.builder()
.policyArn(crossAccountPolicy.arn())
.role(crossAccount.name())
.build());
// required only in case of multi-workspace setup
var thisMwsCredentials = new MwsCredentials("thisMwsCredentials", MwsCredentialsArgs.builder()
.accountId(databricksAccountId)
.credentialsName(String.format("%s-creds", prefix))
.roleArn(crossAccount.arn())
.build());
}
}
configuration:
databricksAccountId:
type: dynamic
resources:
crossAccountPolicy:
type: aws:iam:Policy
name: cross_account_policy
properties:
name: ${prefix}-crossaccount-iam-policy
policy: ${this.json}
crossAccount:
type: aws:iam:Role
name: cross_account
properties:
name: ${prefix}-crossaccount-iam-role
assumeRolePolicy: ${thisGetAwsAssumeRolePolicy.json}
description: Grants Databricks full access to VPC resources
crossAccountRolePolicyAttachment:
type: aws:iam:RolePolicyAttachment
name: cross_account
properties:
policyArn: ${crossAccountPolicy.arn}
role: ${crossAccount.name}
# required only in case of multi-workspace setup
thisMwsCredentials:
type: databricks:MwsCredentials
name: this
properties:
accountId: ${databricksAccountId}
credentialsName: ${prefix}-creds
roleArn: ${crossAccount.arn}
variables:
this:
fn::invoke:
function: databricks:getAwsCrossAccountPolicy
arguments: {}
thisGetAwsAssumeRolePolicy:
fn::invoke:
function: databricks:getAwsAssumeRolePolicy
arguments:
externalId: ${databricksAccountId}
Related Resources
The following resources are used in the same context:
- Provisioning AWS Databricks workspaces with a Hub & Spoke firewall for data exfiltration protection guide
- databricks.getAwsBucketPolicy data to configure a simple access policy for AWS S3 buckets, so that Databricks can access data in it.
- databricks.getAwsCrossAccountPolicy data to construct the necessary AWS cross-account policy for you, which is based on official documentation.
Using getAwsAssumeRolePolicy
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getAwsAssumeRolePolicy(args: GetAwsAssumeRolePolicyArgs, opts?: InvokeOptions): Promise<GetAwsAssumeRolePolicyResult>
function getAwsAssumeRolePolicyOutput(args: GetAwsAssumeRolePolicyOutputArgs, opts?: InvokeOptions): Output<GetAwsAssumeRolePolicyResult>def get_aws_assume_role_policy(aws_partition: Optional[str] = None,
databricks_account_id: Optional[str] = None,
external_id: Optional[str] = None,
for_log_delivery: Optional[bool] = None,
opts: Optional[InvokeOptions] = None) -> GetAwsAssumeRolePolicyResult
def get_aws_assume_role_policy_output(aws_partition: Optional[pulumi.Input[str]] = None,
databricks_account_id: Optional[pulumi.Input[str]] = None,
external_id: Optional[pulumi.Input[str]] = None,
for_log_delivery: Optional[pulumi.Input[bool]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetAwsAssumeRolePolicyResult]func GetAwsAssumeRolePolicy(ctx *Context, args *GetAwsAssumeRolePolicyArgs, opts ...InvokeOption) (*GetAwsAssumeRolePolicyResult, error)
func GetAwsAssumeRolePolicyOutput(ctx *Context, args *GetAwsAssumeRolePolicyOutputArgs, opts ...InvokeOption) GetAwsAssumeRolePolicyResultOutput> Note: This function is named GetAwsAssumeRolePolicy in the Go SDK.
public static class GetAwsAssumeRolePolicy
{
public static Task<GetAwsAssumeRolePolicyResult> InvokeAsync(GetAwsAssumeRolePolicyArgs args, InvokeOptions? opts = null)
public static Output<GetAwsAssumeRolePolicyResult> Invoke(GetAwsAssumeRolePolicyInvokeArgs args, InvokeOptions? opts = null)
}public static CompletableFuture<GetAwsAssumeRolePolicyResult> getAwsAssumeRolePolicy(GetAwsAssumeRolePolicyArgs args, InvokeOptions options)
public static Output<GetAwsAssumeRolePolicyResult> getAwsAssumeRolePolicy(GetAwsAssumeRolePolicyArgs args, InvokeOptions options)
fn::invoke:
function: databricks:index/getAwsAssumeRolePolicy:getAwsAssumeRolePolicy
arguments:
# arguments dictionaryThe following arguments are supported:
- External
Id stringThis property is required. 
Changes to this property will trigger replacement. - Account Id that could be found in the top right corner of Accounts Console.
- Aws
Partition - AWS partition. The options are
aws,aws-us-gov, oraws-us-gov-dod. Defaults toaws - Databricks
Account Id - For
Log Delivery - Either or not this assume role policy should be created for usage log delivery. Defaults to false.
- External
Id stringThis property is required. Changes to this property will trigger replacement. - Account Id that could be found in the top right corner of Accounts Console.
- Aws
Partition - AWS partition. The options are
aws,aws-us-gov, oraws-us-gov-dod. Defaults toaws - Databricks
Account Id - For
Log Delivery - Either or not this assume role policy should be created for usage log delivery. Defaults to false.
- external
Id StringThis property is required. Changes to this property will trigger replacement. - Account Id that could be found in the top right corner of Accounts Console.
- aws
Partition - AWS partition. The options are
aws,aws-us-gov, oraws-us-gov-dod. Defaults toaws - databricks
Account Id - for
Log Delivery - Either or not this assume role policy should be created for usage log delivery. Defaults to false.
- external
Id stringThis property is required. Changes to this property will trigger replacement. - Account Id that could be found in the top right corner of Accounts Console.
- aws
Partition - AWS partition. The options are
aws,aws-us-gov, oraws-us-gov-dod. Defaults toaws - databricks
Account Id - for
Log Delivery - Either or not this assume role policy should be created for usage log delivery. Defaults to false.
- external_
id strThis property is required. Changes to this property will trigger replacement. - Account Id that could be found in the top right corner of Accounts Console.
- aws_
partition - AWS partition. The options are
aws,aws-us-gov, oraws-us-gov-dod. Defaults toaws - databricks_
account_ id - for_
log_ delivery - Either or not this assume role policy should be created for usage log delivery. Defaults to false.
- external
Id StringThis property is required. Changes to this property will trigger replacement. - Account Id that could be found in the top right corner of Accounts Console.
- aws
Partition - AWS partition. The options are
aws,aws-us-gov, oraws-us-gov-dod. Defaults toaws - databricks
Account Id - for
Log Delivery - Either or not this assume role policy should be created for usage log delivery. Defaults to false.
getAwsAssumeRolePolicy Result
The following output properties are available:
- External
Id string - Id string
- The provider-assigned unique ID for this managed resource.
- Json string
- AWS IAM Policy JSON document
- Aws
Partition string - Databricks
Account stringId - For
Log boolDelivery
- External
Id string - Id string
- The provider-assigned unique ID for this managed resource.
- Json string
- AWS IAM Policy JSON document
- Aws
Partition string - Databricks
Account stringId - For
Log boolDelivery
- external
Id String - id String
- The provider-assigned unique ID for this managed resource.
- json String
- AWS IAM Policy JSON document
- aws
Partition String - databricks
Account StringId - for
Log BooleanDelivery
- external
Id string - id string
- The provider-assigned unique ID for this managed resource.
- json string
- AWS IAM Policy JSON document
- aws
Partition string - databricks
Account stringId - for
Log booleanDelivery
- external_
id str - id str
- The provider-assigned unique ID for this managed resource.
- json str
- AWS IAM Policy JSON document
- aws_
partition str - databricks_
account_ strid - for_
log_ booldelivery
- external
Id String - id String
- The provider-assigned unique ID for this managed resource.
- json String
- AWS IAM Policy JSON document
- aws
Partition String - databricks
Account StringId - for
Log BooleanDelivery
Package Details
- Repository
- databricks pulumi/pulumi-databricks
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
databricksTerraform Provider.