feat: wire use_interactive_session_role_for_api_calls to session management client #676
Open
tnightengale wants to merge 1 commit into aws-samples:main from
…gement client

The flag was already implemented in impl.py for management API calls (DDL, schema ops), but GlueConnection.client — used for session lifecycle (CreateSession, GetSession, StopSession, DeleteSession) — never assumed the role. This completes cross-account support for interactive sessions.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
This PR completes the implementation of the existing use_interactive_session_role_for_api_calls credential flag for the interactive session management layer.

Background: AWS Glue Interactive Sessions security model
Glue Interactive Sessions uses a two-principal model (docs):
- CreateSession, RunStatement, etc.). Requires glue:* + iam:PassRole to the runtime role.
- role_arn) — passed to CreateSession. AWS Glue itself assumes this to execute Spark. Requires S3, CloudWatch, etc.

In cross-account scenarios (client principal in account A, Glue resources in account B), the client principal must first assume role_arn via STS before it can make any Glue API calls.

The bug
use_interactive_session_role_for_api_calls was already wired in impl.py::get_connection() to assume the role before making Glue management API calls (DDL, schema operations). However, GlueConnection.client — the boto3 client used for session lifecycle (CreateSession, GetSession, StopSession, DeleteSession) — never applied the same logic. This meant cross-account users would fail at session creation even with the flag enabled.

Changes
- dbt/adapters/glue/gluedbapi/connection.py: In the client property, add a branch that assumes role_arn via STS when use_interactive_session_role_for_api_calls=True, then uses the assumed credentials to create the Glue boto3 client for session management.
- tests/unit/gluedbapi/test_connection.py: Add test_client_assumes_role_when_flag_enabled to verify the STS assume-role path is taken and assumed credentials are passed to the Glue client.
- README.md: Document use_interactive_session_role_for_api_calls in the profiles config table (it was present in credentials.py but missing from docs).

Note on impl.py inconsistency
impl.py::get_connection() has a minor inconsistency vs. this implementation: it does not pass region_name to the STS client and uses RoleSessionName="dbt". This PR uses the more correct form (region_name forwarded, RoleSessionName="dbt-glue-session"). Aligning impl.py is left as a separate concern.

Test plan
- test_client_assumes_role_when_flag_enabled passes — verifies STS assume_role is called with correct RoleArn and RoleSessionName, and assumed credentials are forwarded to the Glue client
- test_client_uses_credentials_retry_settings still passes — verifies default (non-assume-role) path is unchanged
- use_interactive_session_role_for_api_calls: true in profiles.yml

🤖 Generated with Claude Code
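
The two credential paths described above, as an added example that is not the PR's or dbt-glue's own code. `Creds`, `build_glue_client` and `fake_session` are hypothetical names, and the session double, role ARN and credential values are constructed so the block runs offline.

```python
from dataclasses import dataclass
from unittest.mock import MagicMock


@dataclass
class Creds:
    # Hypothetical stand-in for the adapter's credentials object.
    role_arn: str
    region: str
    use_interactive_session_role_for_api_calls: bool = False


def build_glue_client(session, creds, session_name="dbt-glue-session"):
    """Return the Glue client used for session lifecycle calls.

    `session` is a boto3.Session, or any object with the same .client().
    """
    if not creds.use_interactive_session_role_for_api_calls:
        # Default path: Glue calls are signed as the client principal itself.
        return session.client("glue", region_name=creds.region)
    # Cross-account path: trade the caller's identity for short-lived
    # credentials of role_arn, then sign Glue calls with those.
    sts = session.client("sts", region_name=creds.region)
    assumed = sts.assume_role(RoleArn=creds.role_arn, RoleSessionName=session_name)
    c = assumed["Credentials"]
    return session.client(
        "glue",
        region_name=creds.region,
        aws_access_key_id=c["AccessKeyId"],
        aws_secret_access_key=c["SecretAccessKey"],
        aws_session_token=c["SessionToken"],
    )


def fake_session():
    """Constructed double of boto3.Session that records every .client() call."""
    session, sts = MagicMock(name="Session"), MagicMock(name="sts")
    sts.assume_role.return_value = {"Credentials": {
        "AccessKeyId": "ASIAEXAMPLE",              # constructed value
        "SecretAccessKey": "constructed-secret",   # constructed value
        "SessionToken": "constructed-token"}}      # constructed value
    session.client.side_effect = lambda svc, **kw: sts if svc == "sts" else MagicMock(name=svc)
    session.sts = sts  # exposed so callers can inspect the STS double
    return session


if __name__ == "__main__":
    s = fake_session()
    build_glue_client(s, Creds("arn:aws:iam::111122223333:role/example", "us-east-1", True))
    print(s.sts.assume_role.call_args, s.client.call_args_list[-1])
```
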