Databricks v1.65.0 published on Wednesday, Apr 9, 2025 by Pulumi

databricks.getAwsUnityCatalogAssumeRolePolicy


Note: This data source has an evolving API, which may change in future versions of the provider. Always consult the latest documentation if you have questions.

This data source constructs the necessary AWS Unity Catalog assume role policy for you.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as databricks from "@pulumi/databricks";

// Bucket (and optional KMS key) access policy for the Unity Catalog role.
const ucAccessPolicy = databricks.getAwsUnityCatalogPolicy({
    awsAccountId: awsAccountId,
    bucketName: "databricks-bucket",
    roleName: `${prefix}-uc-access`,
    kmsName: "arn:aws:kms:us-west-2:111122223333:key/databricks-kms",
});
// Trust (assume-role) policy for the same role. externalId must be the storage
// credential's external id ("12345" is only a placeholder); the trusted principal
// defaults to the Databricks Unity Catalog role unless unityCatalogIamArn is set.
const ucAssumeRolePolicy = databricks.getAwsUnityCatalogAssumeRolePolicy({
    awsAccountId: awsAccountId,
    roleName: `${prefix}-uc-access`,
    externalId: "12345",
});
// Both data sources resolve to a JSON document in their `json` field.
const accessPolicyJson = ucAccessPolicy.then(result => result.json);
const assumeRolePolicyJson = ucAssumeRolePolicy.then(result => result.json);
const unityMetastore = new aws.iam.Policy("unity_metastore", {
    name: `${prefix}-unity-catalog-metastore-access-iam-policy`,
    policy: accessPolicyJson,
});
const metastoreDataAccess = new aws.iam.Role("metastore_data_access", {
    name: `${prefix}-uc-access`,
    assumeRolePolicy: assumeRolePolicyJson,
    managedPolicyArns: [unityMetastore.arn],
});
import pulumi
import pulumi_aws as aws
import pulumi_databricks as databricks

role_name = f"{prefix}-uc-access"

# Bucket (and optional KMS key) access policy for the Unity Catalog role.
uc_access_policy = databricks.get_aws_unity_catalog_policy(
    aws_account_id=aws_account_id,
    bucket_name="databricks-bucket",
    role_name=role_name,
    kms_name="arn:aws:kms:us-west-2:111122223333:key/databricks-kms",
)
# Trust (assume-role) policy for the same role. external_id must be the storage
# credential's external id ("12345" is only a placeholder); the trusted principal
# defaults to the Databricks Unity Catalog role unless unity_catalog_iam_arn is set.
uc_assume_role_policy = databricks.get_aws_unity_catalog_assume_role_policy(
    aws_account_id=aws_account_id,
    role_name=role_name,
    external_id="12345",
)
unity_metastore = aws.iam.Policy(
    "unity_metastore",
    name=f"{prefix}-unity-catalog-metastore-access-iam-policy",
    policy=uc_access_policy.json,
)
metastore_data_access = aws.iam.Role(
    "metastore_data_access",
    name=role_name,
    assume_role_policy=uc_assume_role_policy.json,
    managed_policy_arns=[unity_metastore.arn],
)
package main

import (
	"fmt"

	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
	"github.com/pulumi/pulumi-databricks/sdk/go/databricks"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(deployUnityCatalogAccess)
}

// deployUnityCatalogAccess creates the IAM policy and the IAM role that Unity
// Catalog assumes to reach the metastore bucket.
func deployUnityCatalogAccess(ctx *pulumi.Context) error {
	roleName := fmt.Sprintf("%v-uc-access", prefix)

	// Bucket (and optional KMS key) access policy document.
	accessPolicy, err := databricks.GetAwsUnityCatalogPolicy(ctx, &databricks.GetAwsUnityCatalogPolicyArgs{
		AwsAccountId: awsAccountId,
		BucketName:   "databricks-bucket",
		RoleName:     roleName,
		KmsName:      pulumi.StringRef("arn:aws:kms:us-west-2:111122223333:key/databricks-kms"),
	}, nil)
	if err != nil {
		return err
	}

	// Trust (assume-role) policy document. ExternalId must be the storage
	// credential's external id ("12345" is only a placeholder); the trusted
	// principal defaults to the Databricks Unity Catalog role unless
	// UnityCatalogIamArn is set.
	trustPolicy, err := databricks.GetAwsUnityCatalogAssumeRolePolicy(ctx, &databricks.GetAwsUnityCatalogAssumeRolePolicyArgs{
		AwsAccountId: awsAccountId,
		RoleName:     roleName,
		ExternalId:   "12345",
	}, nil)
	if err != nil {
		return err
	}

	unityMetastore, err := iam.NewPolicy(ctx, "unity_metastore", &iam.PolicyArgs{
		Name:   pulumi.Sprintf("%v-unity-catalog-metastore-access-iam-policy", prefix),
		Policy: pulumi.String(accessPolicy.Json),
	})
	if err != nil {
		return err
	}

	_, err = iam.NewRole(ctx, "metastore_data_access", &iam.RoleArgs{
		Name:              pulumi.Sprintf("%v-uc-access", prefix),
		AssumeRolePolicy:  pulumi.String(trustPolicy.Json),
		ManagedPolicyArns: pulumi.StringArray{unityMetastore.Arn},
	})
	// err is nil on success, so returning it directly covers both outcomes.
	return err
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
using Databricks = Pulumi.Databricks;

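return await Deployment.RunAsync(() =>
{
    // Bucket (and optional KMS key) access policy for the Unity Catalog role.
    var @this = Databricks.GetAwsUnityCatalogPolicy.Invoke(new()
    {
        AwsAccountId = awsAccountId,
        BucketName = "databricks-bucket",
        RoleName = $"{prefix}-uc-access",
        KmsName = "arn:aws:kms:us-west-2:111122223333:key/databricks-kms",
    });

    // Trust (assume-role) policy for the same role. ExternalId must be the storage
    // credential's external id ("12345" is only a placeholder); the trusted principal
    // defaults to the Databricks Unity Catalog role unless UnityCatalogIamArn is set.
    var thisGetAwsUnityCatalogAssumeRolePolicy = Databricks.GetAwsUnityCatalogAssumeRolePolicy.Invoke(new()
    {
        AwsAccountId = awsAccountId,
        RoleName = $"{prefix}-uc-access",
        ExternalId = "12345",
    });

    var unityMetastore = new Aws.Iam.Policy("unity_metastore", new()
    {
        Name = $"{prefix}-unity-catalog-metastore-access-iam-policy",
        // Invoke() yields an Output of the result; a single Apply projects its Json string.
        // (The nested Apply on the result type does not compile; see the Role below for the same form.)
        PolicyDocument = @this.Apply(getAwsUnityCatalogPolicyResult => getAwsUnityCatalogPolicyResult.Json),
    });

    var metastoreDataAccess = new Aws.Iam.Role("metastore_data_access", new()
    {
        Name = $"{prefix}-uc-access",
        AssumeRolePolicy = thisGetAwsUnityCatalogAssumeRolePolicy.Apply(getAwsUnityCatalogAssumeRolePolicyResult => getAwsUnityCatalogAssumeRolePolicyResult.Json),
        ManagedPolicyArns = new[]
        {
            unityMetastore.Arn,
        },
    });

});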
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.databricks.DatabricksFunctions;
import com.pulumi.databricks.inputs.GetAwsUnityCatalogPolicyArgs;
import com.pulumi.databricks.inputs.GetAwsUnityCatalogAssumeRolePolicyArgs;
import com.pulumi.aws.iam.Policy;
import com.pulumi.aws.iam.PolicyArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

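public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Creates the IAM policy and the IAM role that Unity Catalog assumes to
     * reach the metastore bucket.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // Bucket (and optional KMS key) access policy for the Unity Catalog role.
        // Named ucPolicy: `this` is a reserved word in Java and cannot be a variable name.
        final var ucPolicy = DatabricksFunctions.getAwsUnityCatalogPolicy(GetAwsUnityCatalogPolicyArgs.builder()
            .awsAccountId(awsAccountId)
            .bucketName("databricks-bucket")
            .roleName(String.format("%s-uc-access", prefix))
            .kmsName("arn:aws:kms:us-west-2:111122223333:key/databricks-kms")
            .build());

        // Trust (assume-role) policy for the same role. externalId must be the storage
        // credential's external id ("12345" is only a placeholder); the trusted principal
        // defaults to the Databricks Unity Catalog role unless unityCatalogIamArn is set.
        final var thisGetAwsUnityCatalogAssumeRolePolicy = DatabricksFunctions.getAwsUnityCatalogAssumeRolePolicy(GetAwsUnityCatalogAssumeRolePolicyArgs.builder()
            .awsAccountId(awsAccountId)
            .roleName(String.format("%s-uc-access", prefix))
            .externalId("12345")
            .build());

        var unityMetastore = new Policy("unityMetastore", PolicyArgs.builder()
            .name(String.format("%s-unity-catalog-metastore-access-iam-policy", prefix))
            .policy(ucPolicy.json())
            .build());

        var metastoreDataAccess = new Role("metastoreDataAccess", RoleArgs.builder()
            .name(String.format("%s-uc-access", prefix))
            .assumeRolePolicy(thisGetAwsUnityCatalogAssumeRolePolicy.json())
            .managedPolicyArns(unityMetastore.arn())
            .build());

    }
}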
variables:
  # Bucket (and optional KMS key) access policy document for the Unity Catalog role.
  this:
    fn::invoke:
      function: databricks:getAwsUnityCatalogPolicy
      arguments:
        awsAccountId: ${awsAccountId}
        bucketName: databricks-bucket
        roleName: ${prefix}-uc-access
        kmsName: arn:aws:kms:us-west-2:111122223333:key/databricks-kms
  # Trust (assume-role) policy document. externalId must be the storage credential's
  # external id ('12345' is only a placeholder); the trusted principal defaults to the
  # Databricks Unity Catalog role unless unityCatalogIamArn is set.
  thisGetAwsUnityCatalogAssumeRolePolicy:
    fn::invoke:
      function: databricks:getAwsUnityCatalogAssumeRolePolicy
      arguments:
        awsAccountId: ${awsAccountId}
        roleName: ${prefix}-uc-access
        externalId: '12345'
resources:
  # Managed policy built from the access policy document above.
  unityMetastore:
    type: aws:iam:Policy
    name: unity_metastore
    properties:
      name: ${prefix}-unity-catalog-metastore-access-iam-policy
      policy: ${this.json}
  # Role trusted by Unity Catalog, with the managed policy attached.
  metastoreDataAccess:
    type: aws:iam:Role
    name: metastore_data_access
    properties:
      name: ${prefix}-uc-access
      assumeRolePolicy: ${thisGetAwsUnityCatalogAssumeRolePolicy.json}
      managedPolicyArns:
        - ${unityMetastore.arn}

Using getAwsUnityCatalogAssumeRolePolicy

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getAwsUnityCatalogAssumeRolePolicy(args: GetAwsUnityCatalogAssumeRolePolicyArgs, opts?: InvokeOptions): Promise<GetAwsUnityCatalogAssumeRolePolicyResult>
function getAwsUnityCatalogAssumeRolePolicyOutput(args: GetAwsUnityCatalogAssumeRolePolicyOutputArgs, opts?: InvokeOptions): Output<GetAwsUnityCatalogAssumeRolePolicyResult>
def get_aws_unity_catalog_assume_role_policy(aws_account_id: Optional[str] = None,
                                             aws_partition: Optional[str] = None,
                                             external_id: Optional[str] = None,
                                             role_name: Optional[str] = None,
                                             unity_catalog_iam_arn: Optional[str] = None,
                                             opts: Optional[InvokeOptions] = None) -> GetAwsUnityCatalogAssumeRolePolicyResult
def get_aws_unity_catalog_assume_role_policy_output(aws_account_id: Optional[pulumi.Input[str]] = None,
                                             aws_partition: Optional[pulumi.Input[str]] = None,
                                             external_id: Optional[pulumi.Input[str]] = None,
                                             role_name: Optional[pulumi.Input[str]] = None,
                                             unity_catalog_iam_arn: Optional[pulumi.Input[str]] = None,
                                             opts: Optional[InvokeOptions] = None) -> Output[GetAwsUnityCatalogAssumeRolePolicyResult]
func GetAwsUnityCatalogAssumeRolePolicy(ctx *Context, args *GetAwsUnityCatalogAssumeRolePolicyArgs, opts ...InvokeOption) (*GetAwsUnityCatalogAssumeRolePolicyResult, error)
func GetAwsUnityCatalogAssumeRolePolicyOutput(ctx *Context, args *GetAwsUnityCatalogAssumeRolePolicyOutputArgs, opts ...InvokeOption) GetAwsUnityCatalogAssumeRolePolicyResultOutput

> Note: This function is named GetAwsUnityCatalogAssumeRolePolicy in the Go SDK.

public static class GetAwsUnityCatalogAssumeRolePolicy 
{
    public static Task<GetAwsUnityCatalogAssumeRolePolicyResult> InvokeAsync(GetAwsUnityCatalogAssumeRolePolicyArgs args, InvokeOptions? opts = null)
    public static Output<GetAwsUnityCatalogAssumeRolePolicyResult> Invoke(GetAwsUnityCatalogAssumeRolePolicyInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetAwsUnityCatalogAssumeRolePolicyResult> getAwsUnityCatalogAssumeRolePolicy(GetAwsUnityCatalogAssumeRolePolicyArgs args, InvokeOptions options)
public static Output<GetAwsUnityCatalogAssumeRolePolicyResult> getAwsUnityCatalogAssumeRolePolicy(GetAwsUnityCatalogAssumeRolePolicyArgs args, InvokeOptions options)
fn::invoke:
  function: databricks:index/getAwsUnityCatalogAssumeRolePolicy:getAwsUnityCatalogAssumeRolePolicy
  arguments:
    # arguments dictionary

The following arguments are supported:

AwsAccountId
This property is required.
Changes to this property will trigger replacement.
string
The Account ID of the current AWS account (not your Databricks account).
ExternalId
This property is required.
Changes to this property will trigger replacement.
string
The external ID of the Databricks storage credential.
RoleName
This property is required.
Changes to this property will trigger replacement.
string
The name of the AWS IAM role to be created for Unity Catalog.
AwsPartition Changes to this property will trigger replacement. string
AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws.
UnityCatalogIamArn string
The Databricks Unity Catalog IAM Role ARN. Defaults to arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL on standard AWS partition selection, arn:aws-us-gov:iam::044793339203:role/unity-catalog-prod-UCMasterRole-1QRFA8SGY15OJ on GovCloud partition selection, and arn:aws-us-gov:iam::170661010020:role/unity-catalog-prod-UCMasterRole-1DI6DL6ZP26AS on GovCloud DoD partition selection
AwsAccountId
This property is required.
Changes to this property will trigger replacement.
string
The Account ID of the current AWS account (not your Databricks account).
ExternalId
This property is required.
Changes to this property will trigger replacement.
string
The external ID of the Databricks storage credential.
RoleName
This property is required.
Changes to this property will trigger replacement.
string
The name of the AWS IAM role to be created for Unity Catalog.
AwsPartition Changes to this property will trigger replacement. string
AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws.
UnityCatalogIamArn string
The Databricks Unity Catalog IAM Role ARN. Defaults to arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL on standard AWS partition selection, arn:aws-us-gov:iam::044793339203:role/unity-catalog-prod-UCMasterRole-1QRFA8SGY15OJ on GovCloud partition selection, and arn:aws-us-gov:iam::170661010020:role/unity-catalog-prod-UCMasterRole-1DI6DL6ZP26AS on GovCloud DoD partition selection
awsAccountId
This property is required.
Changes to this property will trigger replacement.
String
The Account ID of the current AWS account (not your Databricks account).
externalId
This property is required.
Changes to this property will trigger replacement.
String
The external ID of the Databricks storage credential.
roleName
This property is required.
Changes to this property will trigger replacement.
String
The name of the AWS IAM role to be created for Unity Catalog.
awsPartition Changes to this property will trigger replacement. String
AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws.
unityCatalogIamArn String
The Databricks Unity Catalog IAM Role ARN. Defaults to arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL on standard AWS partition selection, arn:aws-us-gov:iam::044793339203:role/unity-catalog-prod-UCMasterRole-1QRFA8SGY15OJ on GovCloud partition selection, and arn:aws-us-gov:iam::170661010020:role/unity-catalog-prod-UCMasterRole-1DI6DL6ZP26AS on GovCloud DoD partition selection
awsAccountId
This property is required.
Changes to this property will trigger replacement.
string
The Account ID of the current AWS account (not your Databricks account).
externalId
This property is required.
Changes to this property will trigger replacement.
string
The external ID of the Databricks storage credential.
roleName
This property is required.
Changes to this property will trigger replacement.
string
The name of the AWS IAM role to be created for Unity Catalog.
awsPartition Changes to this property will trigger replacement. string
AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws.
unityCatalogIamArn string
The Databricks Unity Catalog IAM Role ARN. Defaults to arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL on standard AWS partition selection, arn:aws-us-gov:iam::044793339203:role/unity-catalog-prod-UCMasterRole-1QRFA8SGY15OJ on GovCloud partition selection, and arn:aws-us-gov:iam::170661010020:role/unity-catalog-prod-UCMasterRole-1DI6DL6ZP26AS on GovCloud DoD partition selection
aws_account_id
This property is required.
Changes to this property will trigger replacement.
str
The Account ID of the current AWS account (not your Databricks account).
external_id
This property is required.
Changes to this property will trigger replacement.
str
The external ID of the Databricks storage credential.
role_name
This property is required.
Changes to this property will trigger replacement.
str
The name of the AWS IAM role to be created for Unity Catalog.
aws_partition Changes to this property will trigger replacement. str
AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws.
unity_catalog_iam_arn str
The Databricks Unity Catalog IAM Role ARN. Defaults to arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL on standard AWS partition selection, arn:aws-us-gov:iam::044793339203:role/unity-catalog-prod-UCMasterRole-1QRFA8SGY15OJ on GovCloud partition selection, and arn:aws-us-gov:iam::170661010020:role/unity-catalog-prod-UCMasterRole-1DI6DL6ZP26AS on GovCloud DoD partition selection
awsAccountId
This property is required.
Changes to this property will trigger replacement.
String
The Account ID of the current AWS account (not your Databricks account).
externalId
This property is required.
Changes to this property will trigger replacement.
String
The external ID of the Databricks storage credential.
roleName
This property is required.
Changes to this property will trigger replacement.
String
The name of the AWS IAM role to be created for Unity Catalog.
awsPartition Changes to this property will trigger replacement. String
AWS partition. The options are aws, aws-us-gov, or aws-us-gov-dod. Defaults to aws.
unityCatalogIamArn String
The Databricks Unity Catalog IAM Role ARN. Defaults to arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL on standard AWS partition selection, arn:aws-us-gov:iam::044793339203:role/unity-catalog-prod-UCMasterRole-1QRFA8SGY15OJ on GovCloud partition selection, and arn:aws-us-gov:iam::170661010020:role/unity-catalog-prod-UCMasterRole-1DI6DL6ZP26AS on GovCloud DoD partition selection

getAwsUnityCatalogAssumeRolePolicy Result

The following output properties are available:

AwsAccountId string
ExternalId string
Id string
Json string
The AWS IAM policy JSON document to use as the role's assume-role (trust) policy.
RoleName string
UnityCatalogIamArn string
AwsPartition string
AwsAccountId string
ExternalId string
Id string
Json string
The AWS IAM policy JSON document to use as the role's assume-role (trust) policy.
RoleName string
UnityCatalogIamArn string
AwsPartition string
awsAccountId String
externalId String
id String
json String
The AWS IAM policy JSON document to use as the role's assume-role (trust) policy.
roleName String
unityCatalogIamArn String
awsPartition String
awsAccountId string
externalId string
id string
json string
The AWS IAM policy JSON document to use as the role's assume-role (trust) policy.
roleName string
unityCatalogIamArn string
awsPartition string
aws_account_id str
external_id str
id str
json str
The AWS IAM policy JSON document to use as the role's assume-role (trust) policy.
role_name str
unity_catalog_iam_arn str
aws_partition str
awsAccountId String
externalId String
id String
json String
The AWS IAM policy JSON document to use as the role's assume-role (trust) policy.
roleName String
unityCatalogIamArn String
awsPartition String

Package Details

Repository
databricks pulumi/pulumi-databricks
License
Apache-2.0
Notes
This Pulumi package is based on the databricks Terraform Provider.