In CDK, I am registering a datalake location with the following code:
from aws_cdk import Aws, aws_lakeformation as lakeformation

# Register the S3 prefix as a Lake Formation data lake location
lakeformation.CfnResource(scope, "S3BucketRegistrationResource",
    resource_arn="arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/",
    use_service_linked_role=True
)
And also, grant permissions to a principal on that location, via:
# The data location the grant applies to (same ARN as the registration above)
data_location = lakeformation.CfnPrincipalPermissions.DataLocationResourceProperty(
    catalog_id=Aws.ACCOUNT_ID,
    resource_arn="arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/"
)
cfn_principal_permissions = lakeformation.CfnPrincipalPermissions(scope, "DatalakePrincipalPermissions",
    permissions=["DATA_LOCATION_ACCESS"],
    permissions_with_grant_option=["DATA_LOCATION_ACCESS"],
    principal=lakeformation.CfnPrincipalPermissions.DataLakePrincipalProperty(
        data_lake_principal_identifier=f"arn:aws:iam::my_acct_id_here:user/my_user_here"
    ),
    resource=lakeformation.CfnPrincipalPermissions.ResourceProperty(
        data_location=data_location
    ),
    catalog=Aws.ACCOUNT_ID
)
When I try to deploy, the data-location registration part goes well (it creates the registration entry).
But the grant-permissions part yields this error:
CREATE_FAILED | AWS::LakeFormation::PrincipalPermissions | DatalakePrincipalPermissions
6:27:34 PM | CREATE_FAILED | AWS::LakeFormation::PrincipalPermissions | DatalakePrincipalPermissions
Resource handler returned message: "Resource does not exist or requester is not authorized to access requested permissions. (Service: LakeFormation, Status Code: 400, Request ID: b29f926b-5ab2-49ec-8bee-42bc8fbc12d8)" (RequestToken: 6cc21ec7-c67a-d4c1-c3f0-3af6b0a7451d, HandlerErrorCode: AccessDenied)
at FullCloudFormationDeployment.monitorDeployment (/usr/lib/node_modules/aws-cdk/lib/index.js:380:10236)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async deployStack2 (/usr/lib/node_modules/aws-cdk/lib/index.js:383:145775)
at async /usr/lib/node_modules/aws-cdk/lib/index.js:383:128776
at async run (/usr/lib/node_modules/aws-cdk/lib/index.js:383:126782)
When I do the same grant process manually, directly in the AWS console, I have no problems with permissions or the resource location (arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/).
When running it manually in the console UI, I am also using the same user that runs the CDK code on my laptop (arn:aws:iam::my_acct_id_here:user/my_user_here).
Why would the same user and location have problems only via CDK? What would be the best way to troubleshoot this?
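An added example (not code from the original post) that lints the template JSON `cdk synth` writes for the two constructs above: because the grant holds no reference to the registration, CloudFormation is free to create them in either order, and this check reports any DataLocation grant that lacks a DependsOn on the AWS::LakeFormation::Resource registering the same ARN. SAMPLE_TEMPLATE, its logical ids and the 123456789012 account id are constructed placeholders mirroring the question.

```python
# Constructed CloudFormation fragment modelled on the two constructs in the question
# (123456789012 is a placeholder account id); real input is a template from cdk.out/.
SAMPLE_TEMPLATE: dict = {
    "Resources": {
        "S3BucketRegistrationResource": {
            "Type": "AWS::LakeFormation::Resource",
            "Properties": {
                "ResourceArn": "arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/",
                "UseServiceLinkedRole": True,
            },
        },
        "DatalakePrincipalPermissions": {
            "Type": "AWS::LakeFormation::PrincipalPermissions",
            "Properties": {
                "Catalog": "123456789012",
                "Permissions": ["DATA_LOCATION_ACCESS"],
                "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:user/my_user_here"},
                "Resource": {"DataLocation": {
                    "CatalogId": "123456789012",
                    "ResourceArn": "arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/"}},
            },
        },
    }
}


def check_data_location_grants(template: dict) -> list:
    """One finding per DataLocation grant whose registration is absent from the
    template or not listed in the grant's DependsOn; an empty list means clean."""
    resources = template.get("Resources", {})
    # Map each registered S3 location ARN to the logical id that registers it.
    registered = {r["Properties"]["ResourceArn"]: lid for lid, r in resources.items()
                  if r.get("Type") == "AWS::LakeFormation::Resource"}
    findings = []
    for lid, res in resources.items():
        if res.get("Type") != "AWS::LakeFormation::PrincipalPermissions":
            continue
        loc = res.get("Properties", {}).get("Resource", {}).get("DataLocation")
        if not loc:
            continue  # database/table grants are out of scope for this check
        deps = res.get("DependsOn", [])
        deps = [deps] if isinstance(deps, str) else deps
        reg = registered.get(loc["ResourceArn"])
        if reg is None:
            findings.append(f"{lid}: grants on {loc['ResourceArn']} but nothing registers it")
        elif reg not in deps:
            # Without this edge CloudFormation may create the grant before the registration.
            findings.append(f"{lid}: add DependsOn {reg} so the grant waits for the registration")
    return findings


print(check_data_location_grants(SAMPLE_TEMPLATE))
```

Point it at the stack's template JSON in cdk.out/ to check a real deployment. Even with ordering fixed, keep in mind that CloudFormation issues the Lake Formation calls under the stack's execution role (the CDK bootstrap execution role when deploying with CDK), not under the laptop user's credentials, so that role's Lake Formation rights matter too.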