Error while granting permissions to datalake locations via CDK


In CDK, I am registering a datalake location with the following code:

    from aws_cdk import aws_lakeformation as lakeformation

    # Register the S3 prefix as a Lake Formation data lake location,
    # letting Lake Formation use its service-linked role to read the bucket.
    lakeformation.CfnResource(scope, "S3BucketRegistrationResource",
        resource_arn="arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/",
        use_service_linked_role=True
    )

And also, grant permissions to a principal on that location, via:

    from aws_cdk import Aws, aws_lakeformation as lakeformation

    # The data location being granted: must match the registered location ARN.
    data_location = lakeformation.CfnPrincipalPermissions.DataLocationResourceProperty(
        catalog_id=Aws.ACCOUNT_ID,
        resource_arn="arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/"
    )
    # Grant DATA_LOCATION_ACCESS (with grant option) on that location to an IAM user.
    cfn_principal_permissions = lakeformation.CfnPrincipalPermissions(scope, "DatalakePrincipalPermissions",
        permissions=["DATA_LOCATION_ACCESS"],
        permissions_with_grant_option=["DATA_LOCATION_ACCESS"],
        principal=lakeformation.CfnPrincipalPermissions.DataLakePrincipalProperty(
            data_lake_principal_identifier="arn:aws:iam::my_acct_id_here:user/my_user_here"
        ),
        resource=lakeformation.CfnPrincipalPermissions.ResourceProperty(
            data_location=data_location
        ),
        catalog=Aws.ACCOUNT_ID
    )

When I try to deploy, the registering data location part goes well (it creates the registration entry)

But the grant permissions part yields this error:

    CREATE_FAILED        | AWS::LakeFormation::PrincipalPermissions | DatalakePrincipalPermissions

    6:27:34 PM | CREATE_FAILED        | AWS::LakeFormation::PrincipalPermissions | DatalakePrincipalPermissions
    Resource handler returned message: "Resource does not exist or requester is not authorized to access requested permissions. (Service: LakeFormation, Status Code: 400, Request ID: b29f926b-5ab2-49ec-8bee-42bc8fbc12d8)" (RequestToken: 6cc21ec7-c67a-d4c1-c3f0-3af6b0a7451d, HandlerErrorCode: AccessDenied)

        at FullCloudFormationDeployment.monitorDeployment (/usr/lib/node_modules/aws-cdk/lib/index.js:380:10236)
        at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
        at async deployStack2 (/usr/lib/node_modules/aws-cdk/lib/index.js:383:145775)
        at async /usr/lib/node_modules/aws-cdk/lib/index.js:383:128776
        at async run (/usr/lib/node_modules/aws-cdk/lib/index.js:383:126782)

When I do the same grant manually, directly in the AWS console, I have no problems with the permissions or the resource location (arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/).

When I run it manually in the console, I am also using the same user that runs the CDK code on my laptop (arn:aws:iam::my_acct_id_here:user/my_user_here).

Why would the same user and location have problems only via CDK? What would be the best way to troubleshoot this?

1 answer

Accepted answer

According to this page, the problem is that the CDK execution role is independent from the AWS profile that runs it, and it needs to be made a data lake administrator itself:

https://github.com/aws-samples/aws-glue-streaming-etl-with-apache-iceberg/blob/main/cdk_stacks/lakeformation_permissions.py

I set it that way in my app, as follows:

    from aws_cdk import Fn, aws_lakeformation as lakeformation

    # Make the CloudFormation execution role (the role CDK deploys with)
    # a Lake Formation data lake administrator.
    cfn_data_lake_settings = lakeformation.CfnDataLakeSettings(scope, "DataLakeAccessSettings",
        admins=[lakeformation.CfnDataLakeSettings.DataLakePrincipalProperty(
            data_lake_principal_identifier=Fn.sub(scope.synthesizer.cloud_formation_execution_role_arn)
        )]
    )

That did post a data lake settings request to add the CDK role as an admin, but it produces a new error:

Resource of type 'AWS::LakeFormation::PrincipalPermissions' with identifier { ... } did not stabilize.

Does anybody know what could be the cause of this? or how to troubleshoot it?

ramiro
answered a year ago
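One way to catch the ordering and ARN problems behind both errors before deploying is to lint the synthesized template. The grant must be created after the location is registered and after the deploy role is admin; in CDK v2 that ordering is encoded with `cfn_principal_permissions.add_dependency(...)` on the registration and on the `CfnDataLakeSettings` construct, which becomes `DependsOn` in the template. The script below (an added example, not from the post or the linked sample repo) checks a `cdk synth --json` template for a registration matching each data-location grant, for those `DependsOn` edges, and for the presence of a `DataLakeSettings` resource. The `sample_template()` helper is a constructed stand-in for the synthesized stack in the post; the logical IDs, the `cdk-hnb659fds-cfn-exec-role` ARN pattern and the trailing-slash normalization are assumptions.

```python
"""Offline lint for a synthesized CDK template that wires Lake Formation
registration, admin settings and a DATA_LOCATION_ACCESS grant.
Usage: cdk synth --json > template.json && python lf_lint.py template.json
"""
import json
import sys
from typing import Dict, List

LOCATION = "arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/"
# Assumed shape of Fn.sub(synthesizer.cloud_formation_execution_role_arn) after synth.
EXEC_ROLE = {"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/"
                        "cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}"}


def _resources_of_type(template: Dict, rtype: str) -> Dict[str, Dict]:
    return {lid: r for lid, r in template.get("Resources", {}).items() if r.get("Type") == rtype}


def _depends_on(resource: Dict) -> List[str]:
    dep = resource.get("DependsOn", [])
    return [dep] if isinstance(dep, str) else list(dep)


def _arn_text(value) -> str:
    """Reduce a plain string or a Fn::Sub / Fn::Join / Ref intrinsic to a comparable string."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict):
        if "Fn::Sub" in value:
            sub = value["Fn::Sub"]
            return sub if isinstance(sub, str) else sub[0]
        if "Fn::Join" in value:
            delim, parts = value["Fn::Join"]
            return delim.join(_arn_text(p) for p in parts)
        if "Ref" in value:
            return "${" + value["Ref"] + "}"
    return json.dumps(value, sort_keys=True)


def check_template(template: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the template passes."""
    findings: List[str] = []
    registrations = _resources_of_type(template, "AWS::LakeFormation::Resource")
    settings = _resources_of_type(template, "AWS::LakeFormation::DataLakeSettings")
    grants = _resources_of_type(template, "AWS::LakeFormation::PrincipalPermissions")
    # Assumption: a trailing slash difference should not hide an otherwise equal ARN.
    registered = {_arn_text(r["Properties"]["ResourceArn"]).rstrip("/") for r in registrations.values()}

    for lid, grant in grants.items():
        loc = grant["Properties"].get("Resource", {}).get("DataLocation")
        if loc is None:
            continue  # table/database grants are out of scope for this check
        wanted = _arn_text(loc["ResourceArn"]).rstrip("/")
        if wanted not in registered:
            findings.append(f"{lid}: grants on {wanted!r} but no AWS::LakeFormation::Resource registers it")
        deps = set(_depends_on(grant))
        if registrations and not deps & set(registrations):
            findings.append(f"{lid}: no DependsOn on the location registration; the grant may be created first")
        if settings and not deps & set(settings):
            findings.append(f"{lid}: no DependsOn on DataLakeSettings; the grant may run before the deploy role is admin")
    if not settings:
        findings.append("no AWS::LakeFormation::DataLakeSettings: the CloudFormation execution role is not a data lake admin")
    return findings


def sample_template(admin_settings: bool, explicit_deps: bool) -> Dict:
    """Constructed stand-in for the synthesized stack in the post (not real cdk synth output)."""
    grant = {"Type": "AWS::LakeFormation::PrincipalPermissions", "Properties": {
        "Catalog": {"Ref": "AWS::AccountId"},
        "Permissions": ["DATA_LOCATION_ACCESS"],
        "PermissionsWithGrantOption": ["DATA_LOCATION_ACCESS"],
        "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::my_acct_id_here:user/my_user_here"},
        "Resource": {"DataLocation": {"CatalogId": {"Ref": "AWS::AccountId"}, "ResourceArn": LOCATION}}}}
    resources = {
        "S3BucketRegistrationResource": {"Type": "AWS::LakeFormation::Resource", "Properties": {
            "ResourceArn": LOCATION, "UseServiceLinkedRole": True}},
        "DatalakePrincipalPermissions": grant}
    if admin_settings:
        resources["DataLakeAccessSettings"] = {"Type": "AWS::LakeFormation::DataLakeSettings", "Properties": {
            "Admins": [{"DataLakePrincipalIdentifier": EXEC_ROLE}]}}
    if explicit_deps:
        grant["DependsOn"] = ["S3BucketRegistrationResource"] + (["DataLakeAccessSettings"] if admin_settings else [])
    return {"Resources": resources}


if __name__ == "__main__":
    tmpl = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else sample_template(False, False)
    for line in check_template(tmpl) or ["OK: registration, admin settings and grant ordering look consistent"]:
        print(line)
```

Run it against the stack as originally posted (no settings, no dependencies) and it reports both the missing admin setting and the missing ordering edge; once the `DataLakeSettings` resource and the two `DependsOn` entries are in the template it reports nothing. A grant whose location ARN differs from the registered one (for example a bucket-level registration but a prefix-level grant) is reported as well, which is the "Resource does not exist" case from the Lake Formation side.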
