Error while granting permissions to datalake locations via CDK

0

In CDK, I am registering a datalake location with the following code:

    from aws_cdk import aws_lakeformation as lakeformation

    # Register the S3 prefix as a Lake Formation data location, using the
    # Lake Formation service-linked role for access to the bucket
    lakeformation.CfnResource(scope, "S3BucketRegistrationResource",
        resource_arn="arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/",
        use_service_linked_role=True
    )

And also, grant permissions to a principal on that location, via:

    from aws_cdk import Aws, aws_lakeformation as lakeformation

    # The registered location, addressed by the same ARN used at registration
    data_location = lakeformation.CfnPrincipalPermissions.DataLocationResourceProperty(
        catalog_id=Aws.ACCOUNT_ID,
        resource_arn="arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/"
    )
    # Grant DATA_LOCATION_ACCESS (with grant option) on that location to an IAM user
    cfn_principal_permissions = lakeformation.CfnPrincipalPermissions(scope, "DatalakePrincipalPermissions",
        permissions=["DATA_LOCATION_ACCESS"],
        permissions_with_grant_option=["DATA_LOCATION_ACCESS"],
        principal=lakeformation.CfnPrincipalPermissions.DataLakePrincipalProperty(
            data_lake_principal_identifier=f"arn:aws:iam::my_acct_id_here:user/my_user_here"
        ),
        resource=lakeformation.CfnPrincipalPermissions.ResourceProperty(
            data_location=data_location
        ),
        catalog=Aws.ACCOUNT_ID
    )

When I try to deploy, the data location registration part goes well (it creates the registration entry).

But the grant permissions part yields this error:

    CREATE_FAILED        | AWS::LakeFormation::PrincipalPermissions | DatalakePrincipalPermissions

    6:27:34 PM | CREATE_FAILED        | AWS::LakeFormation::PrincipalPermissions | DatalakePrincipalPermissions
    Resource handler returned message: "Resource does not exist or requester is not authorized to access requested permissions. (Service: LakeFormation, Status Code: 400, Request ID: b29f926b-5ab2-49ec-8bee-42bc8fbc12d8)" (RequestToken: 6cc21ec7-c67a-d4c1-c3f0-3af6b0a7451d, HandlerErrorCode: AccessDenied)

        at FullCloudFormationDeployment.monitorDeployment (/usr/lib/node_modules/aws-cdk/lib/index.js:380:10236)
        at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
        at async deployStack2 (/usr/lib/node_modules/aws-cdk/lib/index.js:383:145775)
        at async /usr/lib/node_modules/aws-cdk/lib/index.js:383:128776
        at async run (/usr/lib/node_modules/aws-cdk/lib/index.js:383:126782)

When I do the same grant process manually, directly in the AWS console, I have no problems with permissions or with the resource location (arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/).

When running it manually in the console, I am also using the same user that runs the CDK code on my laptop (arn:aws:iam::my_acct_id_here:user/my_user_here).

Why would the same user and location have problems only via CDK? What would be the best way to troubleshoot this?

1 answer

0

Accepted answer

According to this page, the problem is that the CDK execution role is independent of the AWS profile that runs it, and it needs to be made a data lake administrator itself:

https://github.com/aws-samples/aws-glue-streaming-etl-with-apache-iceberg/blob/main/cdk_stacks/lakeformation_permissions.py

I set it that way in my app, as follows:

    from aws_cdk import Fn, aws_lakeformation as lakeformation

    # Add the stack's CloudFormation execution role to the Lake Formation admins.
    # The synthesizer's role ARN still contains ${AWS::AccountId}/${AWS::Region}
    # pseudo-parameters, so it is passed through Fn.sub to resolve them at deploy time.
    cfn_data_lake_settings = lakeformation.CfnDataLakeSettings(scope, "DataLakeAccessSettings",
        admins=[lakeformation.CfnDataLakeSettings.DataLakePrincipalProperty(
            data_lake_principal_identifier=Fn.sub(scope.synthesizer.cloud_formation_execution_role_arn)
        )]
    )

That did post a data lake settings request to add the CDK role as an admin, but it produces a new error:

Resource of type 'AWS::LakeFormation::PrincipalPermissions' with identifier { ... } did not stabilize.

Does anybody know what could be the cause of this? or how to troubleshoot it?

ramiro
answered 1 year ago
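As an added troubleshooting check, and not code from the question, the answer or the linked repository: the script below does offline what you would otherwise eyeball in the output of `aws lakeformation get-data-lake-settings` and `aws lakeformation list-permissions --resource-type DATA_LOCATION`. It resolves the synthesizer's execution-role ARN the way `Fn.sub` does, then reports whether that role (rather than the laptop user) is in the data lake admin list and what has actually been granted on the registered location. Assumptions: the default CDK bootstrap role naming (`cdk-hnb659fds-cfn-exec-role-<account>-<region>`; use your own qualifier if you bootstrapped with `--qualifier`), a local choice to compare S3 location ARNs with the trailing slash stripped, and every JSON document here is a constructed sample rather than real CLI output.

```python
import json

# Assumption: default CDK bootstrap (qualifier "hnb659fds"). The DefaultStackSynthesizer
# exposes the execution role ARN with unresolved CloudFormation pseudo-parameters,
# which is why the answer wraps it in Fn.sub before passing it to CfnDataLakeSettings.
CFN_EXEC_ROLE_TEMPLATE = (
    "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/"
    "cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}"
)


def resolve_pseudo_params(template, account_id, region, partition="aws"):
    """Do locally what Fn::Sub does at deploy time for the three pseudo-parameters used here."""
    return (template.replace("${AWS::Partition}", partition)
                    .replace("${AWS::AccountId}", account_id)
                    .replace("${AWS::Region}", region))


def _norm_arn(arn):
    # Local normalisation choice: compare S3 location ARNs without the trailing slash
    # (the question registers the location with one). Not a statement about how
    # Lake Formation stores the ARN.
    return arn.rstrip("/")


def is_data_lake_admin(settings, principal_arn):
    """settings: parsed output of `aws lakeformation get-data-lake-settings`."""
    admins = settings.get("DataLakeSettings", {}).get("DataLakeAdmins", [])
    return any(a.get("DataLakePrincipalIdentifier") == principal_arn for a in admins)


def location_grants(permissions, resource_arn):
    """permissions: parsed output of `aws lakeformation list-permissions --resource-type DATA_LOCATION`.
    Returns the grants that apply to resource_arn, one dict per principal."""
    hits = []
    for entry in permissions.get("PrincipalResourcePermissions", []):
        loc = entry.get("Resource", {}).get("DataLocation", {})
        if _norm_arn(loc.get("ResourceArn", "")) != _norm_arn(resource_arn):
            continue
        hits.append({
            "principal": entry["Principal"]["DataLakePrincipalIdentifier"],
            "permissions": sorted(entry.get("Permissions", [])),
            "grant_option": sorted(entry.get("PermissionsWithGrantOption", [])),
        })
    return hits


def diagnose(settings, permissions, resource_arn, exec_role_arn, target_principal):
    """Return a list of findings. Empty means: the CFN execution role is a data lake admin,
    and target_principal already holds DATA_LOCATION_ACCESS on resource_arn (the grant the
    stack is trying to create)."""
    findings = []
    if not is_data_lake_admin(settings, exec_role_arn):
        findings.append(f"not a data lake admin: {exec_role_arn}")
    mine = [g for g in location_grants(permissions, resource_arn) if g["principal"] == target_principal]
    if not mine:
        findings.append(f"no grant on {resource_arn} for {target_principal}")
    elif "DATA_LOCATION_ACCESS" not in mine[0]["permissions"]:
        findings.append(f"grant on {resource_arn} for {target_principal} lacks DATA_LOCATION_ACCESS")
    return findings


def settings_with_exec_role_admin(settings, exec_role_arn):
    """The admin list the answer's CfnDataLakeSettings resource is meant to produce."""
    admins = list(settings["DataLakeSettings"]["DataLakeAdmins"])
    admins.append({"DataLakePrincipalIdentifier": exec_role_arn})
    return {"DataLakeSettings": {**settings["DataLakeSettings"], "DataLakeAdmins": admins}}


# Constructed sample state mirroring the question (not real CLI output): the laptop user
# is a data lake admin, the CDK execution role is not, and nothing is granted on the
# location yet. Account id and region are placeholders.
ACCOUNT, REGION = "111122223333", "us-east-1"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/my_user_here"
LOCATION = "arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/"
EXEC_ROLE_ARN = resolve_pseudo_params(CFN_EXEC_ROLE_TEMPLATE, ACCOUNT, REGION)

SETTINGS_BEFORE = json.loads(
    '{"DataLakeSettings": {"DataLakeAdmins": [{"DataLakePrincipalIdentifier": "%s"}]}}' % USER_ARN
)
PERMISSIONS_BEFORE = json.loads('{"PrincipalResourcePermissions": []}')

if __name__ == "__main__":
    for finding in diagnose(SETTINGS_BEFORE, PERMISSIONS_BEFORE, LOCATION, EXEC_ROLE_ARN, USER_ARN):
        print("finding:", finding)
```

To use it against a real account, run the two CLI commands with the same profile you deploy with, `json.load` their output, and pass it to `diagnose()` together with the execution-role ARN and the location ARN from the stack. The first finding is the one the answer is about: the grant in `AWS::LakeFormation::PrincipalPermissions` is attempted by the CloudFormation execution role, so that is the principal whose admin status matters, not the user running `cdk deploy`.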
