LakeFormation deployment with Terraform


I'm working on deploying to LakeFormation via Terraform. Specifically, I'm granting data location access to a Lambda role. I'm getting an error when the role/user I'm deploying with in Terraform isn't an admin on LakeFormation (I haven't tried playing around with granular policies on the caller yet). Has anyone come across the same issue, and what was the resolution? The caller is a service user which is used by other groups across the org, so I would ideally like to avoid elevating any more of its permissions.

Configuration:

resource "aws_lakeformation_permissions" "datalake-permissions" {
  principal   = aws_iam_role.lambda-role.arn
  permissions = ["DATA_LOCATION_ACCESS"]

  data_location {
    arn = data.aws_s3_bucket.datalake-bucket.arn
  }
}

This is the error:

error creating Lake Formation Permissions (input: { Permissions: ["DATA_LOCATION_ACCESS"], Principal: { DataLakePrincipalIdentifier: "arn:aws:iam::{account_id}:role/lambda_role" }, Resource: { DataLocation: { ResourceArn: "arn:aws:s3:::{my-bucket}" } } }): AccessDeniedException: Resource does not exist or requester is not authorized to access requested permissions.

I also made sure the bucket exists and isn't the issue.

1 answer

Hello,

I see you're getting an AccessDeniedException when you're trying to create an "aws_lakeformation_permissions" resource using a Terraform script. It seems the IAM role/user that is used to create this resource doesn't have the required permissions to create the Lake Formation permissions.

As you might know, all principals, including the data lake administrator, need the following AWS Identity and Access Management (IAM) permissions to grant or revoke AWS Lake Formation Data Catalog permissions or data location permissions with the Lake Formation API or the AWS CLI:

- lakeformation:GrantPermissions
- lakeformation:BatchGrantPermissions
- lakeformation:RevokePermissions
- lakeformation:BatchRevokePermissions
- glue:GetTable or glue:GetDatabase for a table or database that you're granting permissions on with the named resource method

You can find more details on the documentation: https://docs.aws.amazon.com/lake-formation/latest/dg/required-permissions-for-grant.html

I would suggest you try giving the permissions listed above from the documentation to the role/user that the Terraform script uses to create the resources.

If you still get the error, then I would suggest opening a support case with AWS for further troubleshooting. You can use the following link for that: https://support.console.aws.amazon.com/support/home#/case/create

AWS
Support Engineer
answered a year ago
AWS
Expert
reviewed a year ago
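As an added example, not code from the question or the answer above, here are the two pieces a practitioner would typically put in place so that the shared deploying principal can make this grant without being made a Lake Formation administrator. The first is an IAM policy carrying the actions the answer lists (lakeformation:ListPermissions is added because the Terraform provider reads a grant back after creating it). The second is a one-time Lake Formation grant, applied by an existing data lake administrator, that gives the deployer DATA_LOCATION_ACCESS on the location with the grant option: outside of the admin role, Lake Formation only lets a principal grant a permission it itself holds with the grant option. Two checks worth making against the error text, which covers both "does not exist" and "not authorized": DATA_LOCATION_ACCESS can only be granted on an S3 location that has been registered with Lake Formation (aws_lakeformation_resource), so the bucket existing in S3 is not enough on its own. The role name, bucket name and policy name below are assumptions.

```hcl
# Added example (not code from the original post or answer). Names marked
# "assumed" are placeholders: terraform-deployer, my-datalake-bucket.

data "aws_caller_identity" "current" {}

# The shared service role that runs Terraform (assumed name).
data "aws_iam_role" "deployer" {
  name = "terraform-deployer"
}

# The bucket the Lambda role will be granted access to (assumed name).
data "aws_s3_bucket" "datalake_bucket" {
  bucket = "my-datalake-bucket"
}

# Part 1 (IAM): the actions the linked documentation lists for any principal
# that grants or revokes Lake Formation permissions. Lake Formation's grant
# and revoke APIs are not resource-scoped, hence "*" there; the Glue read
# actions are scoped to this account's catalog.
data "aws_iam_policy_document" "lf_grantor" {
  statement {
    sid = "LakeFormationGrantRevoke"
    actions = [
      "lakeformation:GrantPermissions",
      "lakeformation:BatchGrantPermissions",
      "lakeformation:RevokePermissions",
      "lakeformation:BatchRevokePermissions",
      # Not in the answer's list: the Terraform provider reads a grant back
      # with ListPermissions after creating it, so the apply needs it too.
      "lakeformation:ListPermissions",
    ]
    resources = ["*"]
  }

  statement {
    sid     = "GlueCatalogReadForNamedResourceGrants"
    actions = ["glue:GetDatabase", "glue:GetTable"]
    resources = [
      "arn:aws:glue:*:${data.aws_caller_identity.current.account_id}:catalog",
      "arn:aws:glue:*:${data.aws_caller_identity.current.account_id}:database/*",
      "arn:aws:glue:*:${data.aws_caller_identity.current.account_id}:table/*/*",
    ]
  }
}

resource "aws_iam_role_policy" "lf_grantor" {
  name   = "lakeformation-grantor" # assumed
  role   = data.aws_iam_role.deployer.name
  policy = data.aws_iam_policy_document.lf_grantor.json
}

# Part 2 (Lake Formation): applied once by an existing data lake administrator.
# DATA_LOCATION_ACCESS can only be granted on a location that is registered
# with Lake Formation, and a non-admin principal can only grant a permission it
# holds with the grant option. Together these let the deployer hand out
# DATA_LOCATION_ACCESS on this bucket to other principals (e.g. the Lambda
# role) without being made an administrator.
resource "aws_lakeformation_resource" "datalake" {
  arn = data.aws_s3_bucket.datalake_bucket.arn
}

resource "aws_lakeformation_permissions" "deployer_can_grant_location" {
  principal                     = data.aws_iam_role.deployer.arn
  permissions                   = ["DATA_LOCATION_ACCESS"]
  permissions_with_grant_option = ["DATA_LOCATION_ACCESS"]

  data_location {
    arn = aws_lakeformation_resource.datalake.arn
  }
}
```

Apply Part 2 with administrator credentials, separately from the shared deployer's pipeline; once it is in place, the original grant of DATA_LOCATION_ACCESS to the Lambda role can be applied as the deployer. Keeping the grant option limited to this one location is what keeps the shared service principal from becoming a de facto Lake Formation administrator, and the ListPermissions action is read-only, so neither change widens its blast radius beyond the data lake bucket in question.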
