[BUG]: update-assume-role-policy will replace existing trust policies #1333
Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
On running the command
databricks labs ucx migrate-credentials
this AWS CLI command gets called in the method update_uc_trust_role():
iam update-assume-role-policy --role-name {role_name} --policy-document {self._aws_role_trust_doc(external_id)}
This is replacing the existing trust policy that I have set up in my role.
For example, if my role has this trust policy:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": { "AWS": [ "arn:aws:iam::<acc_id>:root" ] },
    "Action": "sts:AssumeRole"
  }
}
after running the CLI command, the policy gets updated to:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "<ext_id>" } }
    }
  ]
}
And I lose my existing policy.
Expected Behavior
The new UC policy should get appended to my existing policies, like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": [ "arn:aws:iam::<acc_id>:root" ] },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "<ext_id>" } }
    }
  ]
}
Steps To Reproduce
Run, on an AWS workspace migration:
databricks labs ucx migrate-credentials
Cloud
AWS
Operating System
macOS
Version
latest via Databricks CLI
Relevant log output
No response
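The merge behaviour the report asks for, as an added example that is not ucx's own code: it builds the document for --policy-document by appending the UC statement to whatever trust statements the role already has, instead of overwriting them. The sample documents are constructed from the JSON quoted in the issue; `merge_trust_policy` and `trust_policy_document` are hypothetical names. It also handles the IAM quirk, visible in the report's first policy, that "Statement" may be a single object rather than a list, and skips the append when the UC statement is already present.

```python
import json
from typing import Any

# Constructed sample, mirroring the role's trust policy quoted in the issue.
# <acc_id> is the report's placeholder, not a real account id.
EXISTING_TRUST_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": {  # a single object, not a list: valid IAM, easy to clobber
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::<acc_id>:root"]},
        "Action": "sts:AssumeRole",
    },
}

# UC master role ARN exactly as it appears in the report.
UC_MASTER_ROLE = "arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL"


def uc_trust_statement(external_id: str) -> dict[str, Any]:
    """The statement migrate-credentials needs on the role (shape from the issue)."""
    return {
        "Effect": "Allow",
        "Principal": {"AWS": UC_MASTER_ROLE},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }


def merge_trust_policy(existing: dict[str, Any], new_stmt: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of `existing` with `new_stmt` appended; no statement is dropped."""
    statements = existing.get("Statement", [])
    if isinstance(statements, dict):      # normalise single-object form to a list
        statements = [statements]
    statements = list(statements)         # copy so the caller's document is untouched
    if new_stmt not in statements:        # idempotent: re-running does not duplicate
        statements.append(new_stmt)
    merged = dict(existing)               # keeps Version and any other top-level keys
    merged["Statement"] = statements
    return merged


def trust_policy_document(existing: dict[str, Any], external_id: str) -> str:
    """JSON string to pass as --policy-document to iam update-assume-role-policy."""
    return json.dumps(merge_trust_policy(existing, uc_trust_statement(external_id)))
```

In a real fix the `existing` document would come from `iam get-role` for the same role before the update call is issued.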