My AWS Glue crawler or ETL job fails with an AWS Lake Formation permissions error. The error occurs even though I configured the required AWS Identity and Access Management (IAM) permissions.
Resolution
IAM permissions alone aren't enough when Lake Formation governs the Data Catalog: the principal also needs Lake Formation permissions on the catalog resources it touches. Two common causes are missing permissions on the default database, and missing grantable permissions when a principal tries to grant permissions to other users or roles.
Insufficient default permissions
The IAM role that runs the job or crawler needs Lake Formation permissions on the default database, even when the job queries a table in another database, because the job verifies that the default database exists before it runs (the exception text shows this check). If these permissions are missing, Lake Formation returns an exception similar to the following:
"AnalysisException: Unable to verify existence of default database: com.amazonaws.services.glue.model.AccessDeniedException: Insufficient Lake Formation permission(s) on default"
To grant default permissions:
- Open the Lake Formation console as a data lake administrator.
- In the navigation pane, choose Permissions, Data lake permissions, and then choose Grant.
- On the Grant data lake permissions page, under Principals, choose IAM users and roles.
- Under IAM users and roles, select the IAM role that the Glue job or crawler uses (you can select more than one role).
- Under LF-Tags or catalog resources, choose Named Data Catalog resources, and then under Databases, choose default. If you don't see a default database, create one as described later.
- Under Database permissions, select Describe. Don't grant broader permissions than the check requires.
- Choose the Grant button.
- Rerun your job in AWS Glue and verify that the job succeeds.
To create a Default database, if one doesn't already exist:
- In the navigation pane, choose Administrative roles and tasks, and then under Database creators, choose Grant.
- In the Grant permissions dialog box, choose the IAM role that the Glue job uses.
- Under Grantable permissions, select Create database, and then choose Grant. This makes the IAM role attached to the AWS Glue job a database creator in Lake Formation. When the job runs, a default database is created if one isn't present, and the role, as its creator, receives the required permissions on it.
- Run your job in AWS Glue and verify that the job succeeds.
Insufficient permissions to grant permissions
To grant Lake Formation permissions on an AWS Glue table, the principal that performs the grant must itself hold those permissions with the grant option (grantable permissions). This applies, for example, when permissions are granted from an AWS CloudFormation template or a CI/CD pipeline: the role that the template or pipeline runs as must have grantable permissions on the table. If grantable permissions are missing, Lake Formation returns an exception similar to the following:
"AccessDeniedException: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: Resource does not exist or requester is not authorized to access requested permissions."
- As a data lake administrator, use the named resource method to grant the required permissions on the table or database, with the grant option, to the user or role that performs the deployment. Grant only the permissions that the pipeline actually needs to pass on.
- That user or role can then grant those same permissions, for example through AWS CloudFormation or a CI/CD pipeline, to other users or roles.
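The following script is an added example, not part of the original article, that performs both fixes with the AWS CLI instead of the console: DESCRIBE on the default database (or, alternatively, CREATE_DATABASE so the role can create it), and grantable table permissions for a deployment principal, followed by a list-permissions check. The account ID, role names, and the sales/orders database and table are hypothetical placeholders that you override with environment variables; DRY_RUN=1 (the default) only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the original article): the console steps above done
# with the AWS CLI. Values below are hypothetical placeholders; override them
# with environment variables. DRY_RUN=1 (the default) only prints the commands.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"   # the Data Catalog ID is the account ID
GLUE_ROLE_ARN="${GLUE_ROLE_ARN:-arn:aws:iam::${ACCOUNT_ID}:role/GlueJobRole}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command (dry run) or execute it against AWS.
run_aws() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'aws'; for arg in "$@"; do printf ' %s' "$arg"; done; printf '\n'
  else
    aws "$@"
  fi
}

# Fix 1: DESCRIBE on the default database for the job role, and nothing more.
grant_default_describe() {
  run_aws lakeformation grant-permissions \
    --catalog-id "$ACCOUNT_ID" \
    --principal "DataLakePrincipalIdentifier=$GLUE_ROLE_ARN" \
    --resource "{\"Database\":{\"CatalogId\":\"$ACCOUNT_ID\",\"Name\":\"default\"}}" \
    --permissions DESCRIBE
}

# Fix 1 alternative: make the job role a database creator so it can create
# the default database itself (CREATE_DATABASE is granted on the catalog).
grant_database_creator() {
  run_aws lakeformation grant-permissions \
    --catalog-id "$ACCOUNT_ID" \
    --principal "DataLakePrincipalIdentifier=$GLUE_ROLE_ARN" \
    --resource "{\"Catalog\":{}}" \
    --permissions CREATE_DATABASE
}

# Fix 2: give a deployment principal (CloudFormation / CI/CD role) grantable
# permissions on a table so it can pass them on to other principals. Only the
# permissions listed under --permissions-with-grant-option become grantable;
# keep that list as narrow as the pipeline actually needs.
grant_table_with_grant_option() {
  db="$1"; table="$2"; grantee_arn="$3"
  run_aws lakeformation grant-permissions \
    --catalog-id "$ACCOUNT_ID" \
    --principal "DataLakePrincipalIdentifier=$grantee_arn" \
    --resource "{\"Table\":{\"CatalogId\":\"$ACCOUNT_ID\",\"DatabaseName\":\"$db\",\"Name\":\"$table\"}}" \
    --permissions SELECT DESCRIBE \
    --permissions-with-grant-option SELECT DESCRIBE
}

# Check: list what a principal currently holds before rerunning the job.
list_principal_permissions() {
  run_aws lakeformation list-permissions \
    --catalog-id "$ACCOUNT_ID" \
    --principal "DataLakePrincipalIdentifier=$1"
}

grant_default_describe
grant_database_creator
grant_table_with_grant_option sales orders "arn:aws:iam::${ACCOUNT_ID}:role/DeployPipelineRole"
list_principal_permissions "$GLUE_ROLE_ARN"
```

Run it once with the default DRY_RUN=1 to review the exact grants, then with DRY_RUN=0 using credentials of a data lake administrator. The list-permissions output is the quickest way to confirm that the role holds DESCRIBE on default (or CREATE_DATABASE on the catalog) before you rerun the job.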
Related information
Managing Lake Formation permissions
Registering an Amazon S3 location