Fix service credential lookup for create-federated-catalog for GLUE external HMS (#4382)

FastLee · web-flow · commit d39e426cd943 · 2025-08-21T13:49:13.000Z
closes #4381
diff --git a/src/databricks/labs/ucx/aws/credentials.py b/src/databricks/labs/ucx/aws/credentials.py
@@ -10,6 +10,7 @@
     Privilege,
     StorageCredentialInfo,
     ValidationResultResult,
+    CredentialPurpose,
 )
 
 from databricks.labs.ucx.assessment.aws import (
@@ -62,19 +63,19 @@ def list_glue(self) -> dict[str, str]:
         try:
             credential_response = self._ws.credentials.list_credentials()
         except NotFound:
-            logger.info('Could not retrieve credentials for Glue access. ')
-            return {}
-        if not credential_response or not isinstance(credential_response, dict):
-            logger.info('Could not retrieve credentials for Glue access. ')
-            return {}
-        credential_list = credential_response.get("credentials")
-        if not credential_list or not isinstance(credential_list, list):
-            logger.info('Could not retrieve credentials for Glue access. ')
+            logger.info('Could not retrieve credentials for Glue access. (NotFound)')
             return {}
+
         credentials = {
-            credential.get("name"): credential.get("aws_iam_role").get("role_arn")
-            for credential in credential_list
-            if credential.get("purpose") == "SERVICE"
+            credential.name: credential.aws_iam_role.role_arn
+            for credential in credential_response
+            if (
+                credential
+                and credential.name
+                and credential.aws_iam_role
+                and credential.aws_iam_role.role_arn
+                and credential.purpose == CredentialPurpose.SERVICE
+            )
         }
 
         logger.info(f"Found {len(credentials)} distinct IAM roles used in UC service credentials")
diff --git a/tests/unit/aws/test_credentials.py b/tests/unit/aws/test_credentials.py
@@ -12,6 +12,9 @@
     AzureServicePrincipal,
     Privilege,
     StorageCredentialInfo,
+    CredentialInfo,
+    AwsIamRole,
+    CredentialPurpose,
 )
 
 from databricks.labs.ucx.assessment.aws import AWSRoleAction, AWSCredentialCandidate, AWSResourceType
@@ -49,6 +52,20 @@ def credential_manager():
     ws.storage_credentials.create.side_effect = side_effect_create_aws_storage_credential
     ws.storage_credentials.validate.side_effect = side_effect_validate_storage_credential
 
+    credentials = [
+        CredentialInfo(
+            name="storage-credential-1",
+            aws_iam_role=AwsIamRole(role_arn="arn:aws:iam::123456789012:role/example-role-name"),
+            purpose=CredentialPurpose.STORAGE,
+        ),
+        CredentialInfo(
+            name="glue-credential-1",
+            aws_iam_role=AwsIamRole(role_arn="arn:aws:iam::123456789012:role/glue-role"),
+            purpose=CredentialPurpose.SERVICE,
+        ),
+    ]
+    ws.credentials.list_credentials.return_value = credentials
+
     return CredentialManager(ws)
 
 
@@ -220,3 +237,9 @@ def test_validate_storage_credentials_failed_operation(credential_manager):
 
     validation = credential_manager.validate(permission_mapping)
     assert validation.failures == ["LIST validation failed with message: fail"]
+
+
+def test_list_glue_credentials(credential_manager):
+    glue_credentials = credential_manager.list_glue()
+    assert len(glue_credentials) == 1
+    assert glue_credentials['glue-credential-1'] == "arn:aws:iam::123456789012:role/glue-role"
