Amazon DataZone: AddPolicyGrant / ListPolicyGrants rejects ENVIRONMENT_BLUEPRINT_CONFIGURATION identifier — what is the correct format?

Question

## Amazon DataZone: `AddPolicyGrant` / `ListPolicyGrants` rejects `ENVIRONMENT_BLUEPRINT_CONFIGURATION` identifier — what is the correct format?

I’m working with **Amazon DataZone (domainVersion = V2)** in the context of **SageMaker Unified Studio** and trying to programmatically manage **delegated permissions on environment blueprint configurations** (the same permissions shown in the Console under *Blueprint → Authorization → Authorized domain units*).

---

## Goal

Programmatically add or list policy grants that allow domain units to delegate environment creation from a **blueprint configuration**, equivalent to what the Console UI supports.

---

## Environment

- **Service:** Amazon DataZone  
- **Domain identifier:** `dzd-ABCDEFGH`  
- **Domain version:** V2 (Unified Studio)  
- **Region:** `us-east-1`  
- **CLI:** AWS CLI v2  
- **Entity type:** `ENVIRONMENT_BLUEPRINT_CONFIGURATION`  
- **Policy type:** `DELEGATE_CREATE_ENVIRONMENT_PROFILE`

---

## What works

The blueprint configuration **exists** and is retrievable:

```
aws datazone get-environment-blueprint-configuration \
  --domain-identifier dzd-ABCDEFGH \
  --environment-blueprint-identifier  \
  --region us-east-1
```

This returns a valid configuration object containing `domainId` and `environmentBlueprintId`.

Other DataZone policy grants (for example, `DOMAIN_UNIT` grants using `CREATE_PROJECT_FROM_PROJECT_PROFILE`) work as expected in this domain.

---

## What does *not* work

### Attempt 1: CloudFormation-style identifier (`domainId|blueprintId`)

```
aws datazone add-policy-grant \
  --domain-identifier dzd-ABCDEFGH \
  --entity-type ENVIRONMENT_BLUEPRINT_CONFIGURATION \
  --entity-identifier dzd-ABCDEFGH| \
  --policy-type DELEGATE_CREATE_ENVIRONMENT_PROFILE \
  --principal '{"domainUnit":{"domainUnitDesignation":"OWNER","domainUnitGrantFilter":{"allDomainUnitsGrantFilter":{}}}}' \
  --detail '{"delegateCreateEnvironmentProfile":{}}' \
  --region us-east-1
```

**Result:**
```
ValidationException: Format of EnvironmentBlueprintConfigurationId is invalid.
```

---

### Attempt 2: Blueprint ID only

```
--entity-identifier 
```

Same validation error.

---

### Attempt 3: Terraform-style composite

```
--entity-identifier dzd-ABCDEFGH/
```

Same validation error.

---

### Attempt 4: Listing grants (read-only)

```
aws datazone list-policy-grants \
  --domain-identifier dzd-ABCDEFGH \
  --entity-type ENVIRONMENT_BLUEPRINT_CONFIGURATION \
  --entity-identifier dzd-ABCDEFGH| \
  --policy-type DELEGATE_CREATE_ENVIRONMENT_PROFILE \
  --region us-east-1
```

Same validation error.

All requests were verified using `--debug` to confirm correct URL encoding (e.g., `|` → `%7C`).

---

## Observations

- `GetEnvironmentBlueprintConfiguration` succeeds but does **not** return any standalone `EnvironmentBlueprintConfigurationId`.
- `list-environment-blueprints` returns an empty list in this Unified Studio domain.
- The **Console UI** successfully manages “Authorized domain units” for the same blueprint.
- Both `AddPolicyGrant` and `ListPolicyGrants` reject **all publicly derivable identifier formats**.

---

**What is the correct identifier format for `ENVIRONMENT_BLUEPRINT_CONFIGURATION` when calling `AddPolicyGrant` or `ListPolicyGrants`?**

Or alternatively:

- Is this entity type **not supported** for policy grants via the public DataZone API in **domainVersion = V2**?
- Are blueprint delegated permissions currently **console-only**, backed by internal APIs not exposed via AWS CLI / SDK / CloudControl / Terraform?

Any clarification on the expected identifier format or official support status would be appreciated.

re:Post Agent · Answer

Based on the available documentation, the `ENVIRONMENT_BLUEPRINT_CONFIGURATION` entity type is listed as a valid option for both `add-policy-grant` and `list-policy-grants` commands in Amazon DataZone. However, the documentation does not provide explicit guidance on the correct identifier format for this specific entity type.

The validation error you're encountering ("Format of EnvironmentBlueprintConfigurationId is invalid") suggests that none of the standard identifier patterns are being accepted by the API, despite the entity type being documented as supported.

Given that:
1. The `GetEnvironmentBlueprintConfiguration` API successfully retrieves the configuration using the domain identifier and environment blueprint identifier as separate parameters
2. The configuration object returned does not include a standalone `EnvironmentBlueprintConfigurationId` field
3. All common identifier format patterns (pipe-separated, slash-separated, and single identifier) are being rejected
4. The Console UI successfully manages these permissions

This appears to be either:
- A gap in the public API implementation where the entity type is documented but not fully supported for policy grant operations in Domain Version V2 (Unified Studio)
- An undocumented identifier format that differs from standard patterns used for other DataZone entities

I recommend contacting AWS Support to clarify:
1. Whether `ENVIRONMENT_BLUEPRINT_CONFIGURATION` policy grants are fully supported via the public API in Domain Version V2
2. The correct identifier format if it is supported
3. Whether there are any known limitations or differences between Console capabilities and API capabilities for blueprint configuration policy grants in Unified Studio domains

The fact that the Console can manage these permissions while the API rejects all identifier formats suggests this may be a feature that is not yet fully exposed through the public API surface.  
**Sources**  
[add-policy-grant — AWS CLI 2.27.41 Command Reference](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/datazone/add-policy-grant.html)  
[list-policy-grants — AWS CLI 2.27.41 Command Reference](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/datazone/list-policy-grants.html)

Amazon DataZone: AddPolicyGrant / ListPolicyGrants rejects ENVIRONMENT_BLUEPRINT_CONFIGURATION identifier — what is the correct format?

Amazon DataZone: `AddPolicyGrant` / `ListPolicyGrants` rejects `ENVIRONMENT_BLUEPRINT_CONFIGURATION` identifier — what is the correct format?

Goal

Environment

What works

What does not work

Attempt 1: CloudFormation-style identifier (`domainId|blueprintId`)

Attempt 2: Blueprint ID only

Attempt 3: Terraform-style composite

Attempt 4: Listing grants (read-only)

Observations

Add your answer

Relevant content

Amazon DataZone: AddPolicyGrant / ListPolicyGrants rejects ENVIRONMENT_BLUEPRINT_CONFIGURATION identifier — what is the correct format?

Amazon DataZone: AddPolicyGrant / ListPolicyGrants rejects ENVIRONMENT_BLUEPRINT_CONFIGURATION identifier — what is the correct format?

Goal

Environment

What works

What does not work

Attempt 1: CloudFormation-style identifier (domainId|blueprintId)

Attempt 2: Blueprint ID only

Attempt 3: Terraform-style composite

Attempt 4: Listing grants (read-only)

Observations

Add your answer

Relevant content

Amazon DataZone: `AddPolicyGrant` / `ListPolicyGrants` rejects `ENVIRONMENT_BLUEPRINT_CONFIGURATION` identifier — what is the correct format?

Attempt 1: CloudFormation-style identifier (`domainId|blueprintId`)