How can I troubleshoot Lake Formation permission errors in AWS Glue?
My AWS Glue crawler or ETL job fails with an AWS Lake Formation permissions error. The error happens although I configured the required AWS Identity and Access Management (IAM) permissions.
Resolution
Common permission errors include insufficient default permissions, or insufficient permissions to grant permissions to other users.
Insufficient default permissions
You must provide permissions on the default database for the role that's trying to query the table. If these permissions are missing, Lake Formation generates an exception similar to the following:
"AnalysisException: Unable to verify existence of default database: com.amazonaws.services.glue.model.AccessDeniedException: Insufficient Lake Formation permission(s) on default"
To grant default permissions:
- Log in to your Lake Formation console as a data lake administrator.
- On the left pane, open Permissions, Data lake permissions, and then choose Grant.
- On the Grant data lake permissions page, under Principals, choose your Glue job's principals category.
- Under IAM users and roles, select one or more IAM roles.
- Under LF-Tags or catalog resources, choose Named Data Catalog resources, then under Databases, choose Default. If you don't see a Default database, create one as described later.
- On the Grant data lake permissions page, under Database permissions, for Database permissions, select Describe.
- Choose the Grant button.
- Rerun your job in AWS Glue and verify that the job succeeds.
To create a Default database, if one doesn't already exist:
- Open Administrative roles and tasks, and under Database creators, choose Grant.
- In the Grant permissions dialog box, choose your Glue role.
- Under Grantable permissions, select the Create database permission for the specific access permissions to grant, and choose Grant. This configures the IAM role attached to the AWS Glue job as Database Creator in Lake Formation. Lake Formation then automatically creates a default database (if one isn't present), and grants required permissions for the role.
- Run your job in AWS Glue and verify that the job succeeds.
Insufficient permissions to grant permissions
You must have grantable permissions on an AWS Glue table when you grant permissions to the table. For example, to grant permissions through a CloudFormation template or CI/CD pipeline, you must have grantable permissions. If grantable permissions are missing, Lake Formation generates an exception like the following:
"AccessDeniedException: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: Resource does not exist or requester is not authorized to access requested permissions."
- Grant grantable permissions to the table or database for a user or role with the named resource method.
- This user or role can grant permissions, for example, through AWS CloudFormation or a CICD pipeline, to other users or roles.
Related information
- Topics
- Analytics
- Language
- English
Hello, from Lake Formation I already granted both Data Location and Lake Formation Permissions to a Glue Role, however, still get S3 Access Denied when the Glue Role trying to write data to S3. Can Lake Formation vend credentials for Glue Role for writing to S3? In addition, I attach lakeformation:GetDataAccess to the Glue Role via inline policy, attached AWSGlueServiceRole policy also
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:GetRole", "iam:PassRole", "lakeformation:GetDataAccess", "lakeformation:GrantPermissions" ], "Resource": "*", "Effect": "Allow" }, { "Action": "s3:*", "Resource": [ "arn:aws:s3:::amazon-reviews-pds", "arn:aws:s3:::amazon-reviews-pds/*" ], "Effect": "Allow" } ] }
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Hi, any update on this? I'm facing the same problem
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
I have a similar problem and attempting to call the LoadTable API of the Iceberg REST API on an iceberg table in the Glue Catalog. It simply returns a 403 with no explanation as to why the request is denied. I have all necessary permissions in Lake Formation for my role. Furthermore, other API calls to list namespaces and list tables in the same database are successful.
In CloudTrail, there are a handful of events related to my request, including GetDataAccess, GetTable, Decrypt (KMS), etc. However, none of these show the reason why LF is forbidding my access to the table's metadata. The closest thing to an explanation in these events are these properties in the GetTable event:
"eventTime": "2025-09-24T06:30Z", "eventSource": "glue.amazonaws.com", "eventName": "GetTable", "awsRegion": "<my_region>", "sourceIPAddress": "<my_IP>", "userAgent": "PyIceberg/0.10.0", "errorCode": "ForbiddenResponse", "requestParameters": { "prefix": "catalogs/<account_id>", "namespace": "<my_db>", "table": "<my_table>" }, "responseElements": null, "additionalEventData": { "insufficient LakeFormation Permissions": [], ... },
There is something wrong in LakeFormation that it cannot report the missing permission, and so there is no way to diagnose the problem.
Was that Knowledgebase article created as mentioned a few years ago?
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Relevant content
- asked 6 years ago
- AWS OFFICIALUpdated 2 years ago
