Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

Glue Role got S3 Access Denied when writing to underlying S3 data in Lake Formation

0

Hello, I have an ETL workflow and keep getting S3 Access Denied when the Glue Role write a data frame to a destination S3 bucket (registered in Lake Formation). Here is my current setup. Does Lake Formation vend credentials to the Glue Role for writing permission to S3? How to let the Glue Role write to S3 via Lake Formation?

  • Registered a S3 bucket to Lake Formation
  • Grant Data Location to the Glue Role
  • Grant Lake Formation Permissions (ALL) to the Glue Role
  • Attach AWSGlueServiceRole policy to the Glue Role
  • Attach an inline policy below to the Glue Role
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:GetRole",
                "iam:PassRole",
                "lakeformation:GetDataAccess",
                "lakeformation:GrantPermissions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::amazon-reviews-pds",
                "arn:aws:s3:::amazon-reviews-pds/*"
            ],
            "Effect": "Allow"
        }
    ]
}
Tópicos
Análise
Tags
AWS GlueAWS Lake Formation
Idioma
English
hai
feita há um ano582 visualizações
2 Respostas
0
Resposta aceita

Eventually, I found out that I use incorrect writing method in this case

  • Correct method: glueContext.write_dynamic_frame.from_catalog
  • Incorrect method: glueContext.write_dynamic_frame.from_option

Quoted from docs

Writes a DynamicFrame using the specified catalog database and table name.

docs

hai
respondido há um ano
0

Once you register a location to be managed by LakeFormation, you should not use s3 permissions to handle it since it.
Now any client API trying to access that table needs to be LakeFormation away in order to be able to use the delegated access permissions, for instance DynamicFrame is able write into such table but not if you write directly to s3 or you use DataFrame.

profile pictureAWS
ESPECIALISTA
Gonzalo Herreros
respondido há um ano
  • hai
    há um ano

    The amazon-reviews-pds bucket is data source which is a publicly available. My lake (destination bucket) permissions not written in the policy and grant permissions via Lake Formation.

    Actually, if both IAM and Lake Formation grants permission, the the Glue Role is still able to write to S3, but it is not best practice.

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante