-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix wrong role create db#285 #286
Fix wrong role create db#285 #286
Conversation
PR in close collaboration with @nicor88 :) |
dbt/adapters/glue/impl.py
Outdated
@@ -78,21 +78,18 @@ def convert_datetime_type(cls, agate_table, col_idx): | |||
def get_connection(self): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as written in slack the issue in the current implementation is that session
is not used in case of use_interactive_session_role_for_api_calls. You can consider to use something like this:
def get_connection(self):
connection: GlueConnectionManager = self.connections.get_thread_connection()
glueSession: GlueConnection = connection.handle
if glueSession.credentials.role_arn is not None:
if glueSession.credentials.use_interactive_session_role_for_api_calls is True:
sts_client = boto3.client('sts')
assumed_role_object = sts_client.assume_role(
RoleArn=glueSession.credentials.role_arn,
RoleSessionName="dbt"
)
credentials = assumed_role_object['Credentials']
session = boto3.Session(
aws_access_key_id=credentials['AccessKeyId'],
aws_secret_access_key=credentials['SecretAccessKey'],
aws_session_token=credentials['SessionToken']
)
glue_client = boto3.client("glue", region_name=glueSession.credentials.region,
aws_access_key_id=credentials['AccessKeyId'],
aws_secret_access_key=credentials['SecretAccessKey'],
aws_session_token=credentials['SessionToken'])
return glueSession, glue_client
glue_client = boto3.client("glue", region_name=glueSession.credentials.region)
return glueSession, glue_client
to keep supporting use_interactive_session_role_for_api_calls
parameter
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you pass use_interactive_session_role_for_api_calls in the profiles.yml ? Shouldn't it be default to True instead of False ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes can be put in the profiles as it's pick from credentials.
Imho I will make default to True, as imply that the user maintains only one role
This reverts commit 1416de8.
This reverts commit 1416de8.
This reverts commit 1416de8.
* Revert "Bump black from 23.11.0 to 23.12.0 (#303)" This reverts commit ee2aa88. * Revert "Update versions" This reverts commit f6a377e. * Revert "Adds minimal model contract enforcement for glue adapter (#297)" This reverts commit 4192346. * Revert "Fix wrong role create db#285 (#286)" This reverts commit 1416de8. * Revert "Glue session: enable users to fix their glue_session_id name and re-use it (#301)" This reverts commit d2d31f1. * Revert "Revert "Update versions"" This reverts commit 2b5e656. * Revert "Revert "Bump black from 23.11.0 to 23.12.0 (#303)"" This reverts commit 9a2b094. * Update CHANGELOG
…ive_session_role_for_api_calls
…_role_for_api_calls (#320)
resolves #285
Description
The CreateDabase operation is performed with the caller role. We want it to be performed by the glue session role_arn provided in profiles.yml.
Checklist
CHANGELOG.md
and added information about my change to the "dbt-glue next" section.By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.