LakeFormation deployment with Terraform

0

I'm working on deploying to LakeFormation via Terraform. Specifically, granting data location access to a lambda role. I'm getting an error when the role/user I'm deploying with in Terraform isn't an admin on LakeFormation (I haven't tried playing around w/ granular policies on the caller yet). Has anyone come across the same issue and what was the resolution? The caller is a service user which is used by other groups across the org, so I would ideally like to avoid elevating any more of its permissions.

Configuration:

resource "aws_lakeformation_permissions" "datalake-permissions" {
  principal   = aws_iam_role.lambda-role.arn
  permissions = ["DATA_LOCATION_ACCESS"]

  data_location {
    arn = data.aws_s3_bucket.datalake-bucket.arn
  }
}

This is the error: error creating Lake Formation Permissions (input: { Permissions: ["DATA_LOCATION_ACCESS"], Principal: { DataLakePrincipalIdentifier: "arn:aws:iam::{account_id}:role/lambda_role" }, Resource: { DataLocation: { ResourceArn: "arn:aws:s3:::{my-bucket}" } } }): AccessDeniedException: Resource does not exist or requester is not authorized to access requested permissions.

I also made sure the bucket exists and isn't the issue.

1 Answer
1

Hello,

I see you're getting AccessDeniedException when you're trying to create an "aws_lakeformation_permissions" resource using a Terraform script. It seems the IAM role/user which is used to create this resource doesn't have the required permissions to create the Lake Formation Permissions.

As you might know, all principals, including the data lake administrator, need the following AWS Identity and Access Management (IAM) permissions to grant or revoke AWS Lake Formation Data Catalog permissions or data location permissions with the Lake Formation API or the AWS CLI:

  • lakeformation:GrantPermissions
  • lakeformation:BatchGrantPermissions
  • lakeformation:RevokePermissions
  • lakeformation:BatchRevokePermissions
  • glue:GetTable or glue:GetDatabase for a table or database that you're granting permissions on with the named resource method

You can find more details on the documentation: https://docs.aws.amazon.com/lake-formation/latest/dg/required-permissions-for-grant.html

I would suggest you try giving the above permissions mentioned in the documentation to the role/user which is being used by the Terraform script to create the resources.

If you still get the error, then I would suggest you open a support case with AWS for further troubleshooting. You can use the following link for the same: https://support.console.aws.amazon.com/support/home#/case/create

AWS
SUPPORT ENGINEER
answered a year ago
AWS
EXPERT
reviewed a year ago
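One way to give the Terraform caller exactly the permissions the answer lists, without making it a Lake Formation administrator, is an inline IAM policy scoped as tightly as the APIs allow. This is an added example, not code from the question or the answer; the role name "terraform-deployer" and the Glue database name "datalake" are assumptions.

```hcl
# Added example: least-privilege IAM policy for the principal that runs
# Terraform, covering only the actions named in the answer above.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "lf_grantor" {
  # The Lake Formation grant/revoke APIs do not support resource-level
  # restrictions, so this statement must use "*" as its resource.
  statement {
    sid    = "LakeFormationGrantRevoke"
    effect = "Allow"
    actions = [
      "lakeformation:GrantPermissions",
      "lakeformation:BatchGrantPermissions",
      "lakeformation:RevokePermissions",
      "lakeformation:BatchRevokePermissions",
    ]
    resources = ["*"]
  }

  # Glue catalog reads are only needed when granting on a named database or
  # table, and can be scoped to the catalog objects Terraform manages
  # (database "datalake" is an assumed name).
  statement {
    sid     = "GlueCatalogRead"
    effect  = "Allow"
    actions = ["glue:GetDatabase", "glue:GetTable"]
    resources = [
      "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog",
      "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:database/datalake",
      "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/datalake/*",
    ]
  }
}

resource "aws_iam_role_policy" "lf_grantor" {
  name   = "lakeformation-grantor"
  role   = "terraform-deployer" # assumed name of the role Terraform runs as
  policy = data.aws_iam_policy_document.lf_grantor.json
}
```

IAM is only half of the check: Lake Formation itself also requires a non-administrator grantor to hold the permission it is granting (here DATA_LOCATION_ACCESS on that bucket) with the grant option, so that grant to the deployer role is needed as well.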
