DataZone: consuming data in associated account fails


Hi,

I am testing Amazon DataZone features and therefore set up a domain together with another associated account. I enabled the DataLake blueprint in both accounts. I have 2 projects (producer, consumer), each with an environment (one in the main account, one in the associated account). Then I created a crawler that populated the project 1 pub DB with a Glue table (named customers). So far, so good. I was also able to publish the table to the DataZone catalog and request access from the project 2 (in the associated account). Now comes the issue: when I grant access to the asset for project 2 it gets added to the environment in project 2. But that fails with the following error: Encountered Authorization Failure(s): Insufficient Glue permissions to access table customers. What permissions are necessary in addition to be able to add the asset to the environment in the associated account?

2 Answers
Accepted Answer

Since I am setting up my deployment with Terraform, I was able to tear it down and bring it back up again. On this second try the sharing between accounts worked immediately. The difference I can see compared to before is that there are AWS RAM resource shares that were not there before. I think these shares are what enable the consumer account to establish a connection to the producer Glue table. I am not quite sure why it didn't work in the beginning but at least it is solved for now! Thanks for your message!

answered 10 days ago

Hi Wolfman,

When managing AWS Glue and cross-account access, it's crucial to equip the consumer project's IAM role with the necessary permissions. At minimum, ensure your IAM role includes:

  • glue:GetTable
  • glue:GetDatabase

ℹ️ Additionally, consider attaching a resource-based policy directly to the Glue Database or the specific Glue Table to explicitly grant access to the other account. This step is key for facilitating smooth cross-account interactions.

💡 If you're unsure how to set up an IAM role for cross-account access, you can check out this brief tutorial: link to AWS IAM tutorial.

answered 11 days ago
  • Hi Osvaldo,

    I temporarily added the policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "glue:*",
                "Resource": "*"
            }
        ]
    }
    

    to the Consumer environment's IAM role. You mentioned the project's IAM role but I think there is no such role, only for an environment. Is that what you mean?

    I also granted SELECT/DESCRIBE permissions in Lake Formation for the Consumer account on the Producer account's Glue database (pub) and its tables.

    Still no success in adding (or removing) the asset. The Glue database in Lake Formation also shows FAILED twice in the "Cross-account access to all tables" section, even though granting the permissions reported "successful".

    I have also tried adding the following resource-based policy to Glue:

    {
      "Version" : "2012-10-17",
      "Statement" : [ {
        "Effect" : "Allow",
        "Principal" : {
          "AWS" : "arn:aws:iam::<consumer-account>:root"
        },
        "Action" : "glue:*",
        "Resource" : "arn:aws:glue:eu-central-1:<producer-account>:*"
      } ]
    }
    

    That doesn't help, either.

    Any idea what is still missing? I think a cross-account sharing scenario should really be included in the DataZone documentation.
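The two policies suggested in the answer above, in their least-privilege form, as an added example that is not code from the original thread. The account IDs, region, database name (pub) and table name (customers) are placeholders; the producer and consumer account numbers are assumptions. It also runs a small linter over the temporary `glue:*` / `*` policy from the comment, to make the point that the role already had every Glue action when the failure persisted, which is consistent with the accepted answer that the missing piece was the RAM resource share rather than an IAM action.

```python
"""Scoped Glue policies for a DataZone consumer environment reading one
producer-account table, plus a wildcard linter. Added example, not from
the original thread; account IDs, region, database and table are assumed."""
import json

# Assumed placeholder values (not from the thread).
PRODUCER_ACCOUNT = "111111111111"
CONSUMER_ACCOUNT = "222222222222"
REGION = "eu-central-1"
DATABASE = "pub"
TABLE = "customers"


def glue_table_arns(account, region, database, table):
    """Catalog, database and table ARNs for one Glue table. Table-level Glue
    actions are authorised against all three, so all three go in Resource."""
    base = f"arn:aws:glue:{region}:{account}"
    return [
        f"{base}:catalog",
        f"{base}:database/{database}",
        f"{base}:table/{database}/{table}",
    ]


def consumer_role_policy(producer_account, region, database, table):
    """Identity policy for the consumer environment's IAM role: only the two
    read actions the answer names, scoped to the one producer table."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadOneProducerTable",
            "Effect": "Allow",
            "Action": ["glue:GetDatabase", "glue:GetTable"],
            "Resource": glue_table_arns(producer_account, region, database, table),
        }],
    }


def producer_catalog_policy(producer_account, consumer_account, region, database, table):
    """Resource policy on the producer's Data Catalog granting the consumer
    account the same two actions on the same three ARNs, instead of
    'glue:*' on 'arn:aws:glue:<region>:<producer>:*' as tried in the thread."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowConsumerAccountRead",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{consumer_account}:root"},
            "Action": ["glue:GetDatabase", "glue:GetTable"],
            "Resource": glue_table_arns(producer_account, region, database, table),
        }],
    }


def lint_policy(policy):
    """Return one finding per wildcard action or resource in an Allow statement."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a!r}")
        for r in resources:
            if r == "*" or r.endswith(":*"):
                findings.append(f"statement {i}: wildcard resource {r!r}")
    return findings


# The temporary policy from the comment above, reproduced as the "before" input.
TEMP_POLICY_FROM_THREAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "glue:*", "Resource": "*"}],
}

if __name__ == "__main__":
    print("findings on temporary policy:", lint_policy(TEMP_POLICY_FROM_THREAD))
    scoped = consumer_role_policy(PRODUCER_ACCOUNT, REGION, DATABASE, TABLE)
    print("findings on scoped policy:", lint_policy(scoped))
    print(json.dumps(scoped, indent=2))
    print(json.dumps(producer_catalog_policy(
        PRODUCER_ACCOUNT, CONSUMER_ACCOUNT, REGION, DATABASE, TABLE), indent=2))
```

The scoped versions are what to leave in place once sharing works; the wildcard policy is useful only as a diagnostic, and the fact that it did not help is the signal that the blocker was not an IAM action on the consumer role. For a catalog managed by Lake Formation, the Lake Formation grant and the RAM resource share it creates carry the cross-account access, so the Glue-side policies above are a floor, not the whole fix.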
