AWS Lake formation Granting Permission to Linked Resource


I am attempting to grant permission on a linked resource to a role within the same account as my Data Lake Admin role. But I'm not seeing any changes after I grant.

Here are details on the setup:

  • There's a producer account and consumer account. I am the consumer account
  • Producer has shared database with consumer account
  • In consumer account:
    • Add "admin-role" as Data Lake Administrator
    • In Lake Formation console: Databases > Create Database > select "Resource Link" > Resource link name: database_link > Shared Database: type in databasename from producer account (producer database did not populate in the list) > Shared database's owner ID: key in producer account id
    • Grant permission to another role in the same account as the consumer, but this role IS NOT a member of Data Lake Administrator. This role is a business user role, let's call it "business-role"
      • In Lake Formation Console: Data lake permissions > Grant > IAM users and roles > select the "business-role" > Named data catalog resources > Database: in drop down, select the resource link database > Tables: All tables > Table permissions: Select, Describe > Grant

At this point, when I search for the "business-role" in the Data lake permissions pane, I would expect a row that confirms access has been granted for that role to all tables, like the following: [screenshot of the Data lake permissions pane]

But I have tried over and over again, and for some reason the grant is not sticking, although I am seeing confirmation that the permission has been added.

I have also tried using the CLI command:

  • This is the command: `aws lakeformation grant-permissions --cli-input-json file://lf_permissions.json`
  • This is the content of the JSON:

```json
{
    "CatalogId": "consumer-account-id",
    "Principal": {
        "DataLakePrincipalIdentifier": "arn:aws:iam::consumer-account-id:role/business-role"
    },
    "Resource": {
        "Table": {
            "CatalogId": "consumer-account-id",
            "DatabaseName": "database_link",
            "TableWildcard": {}
        }
    },
    "Permissions": [
        "SELECT"
    ],
    "PermissionsWithGrantOption": []
}
```

This executed without any error. But still, when I run list-permissions or view in the console, I don't see anything.

I'm hoping someone has any other ideas I can try. Thank you!

1 answer
trimbljk On

I think I can help here. I may have missed it, but what are the privileges granted to the Admin user on the consumer account? For one thing, I have found there is an issue with the Lake Formation console: many times I am missing permissions and have to query each table separately to find the permissions I recently granted. You can query for them by using boto3 in Python or whatever coding language SDK you like. Something like this:

```python
import boto3

lf = boto3.client("lakeformation")

# Placeholders for the principal and the single table being checked
rolearn = "arn:aws:iam::<consumer-account-id>:role/business-role"
database = "database_link"
table = "<table-name>"

# Returns the permission entries the principal holds on exactly this table
resp = lf.list_permissions(
    Principal={
        'DataLakePrincipalIdentifier': rolearn
    },
    Resource={
        'Table': {
            'DatabaseName': database,
            'Name': table
        }
    }
)['PrincipalResourcePermissions']
```
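The per-table check above, generalized as an added example (not code from the question or the answer) that walks every table in a database with pagination and reports which required permissions the principal is missing; the catalog id and database are passed explicitly so the same audit can be run against the resource link and against the shared target database. The clients are injected so the functions can be exercised against fake clients offline; the role ARN, account id and database name are constructed placeholders.

```python
from typing import Dict, List, Sequence


def list_tables(glue, database: str) -> List[str]:
    """Return every table name in a Glue database, following NextToken pages."""
    names, kwargs = [], {"DatabaseName": database}
    while True:
        page = glue.get_tables(**kwargs)
        names.extend(t["Name"] for t in page.get("TableList", []))
        if "NextToken" not in page:
            return names
        kwargs["NextToken"] = page["NextToken"]


def table_permissions(lf, principal_arn: str, catalog_id: str,
                      database: str, table: str) -> List[str]:
    """Flattened, de-duplicated permissions the principal holds on one table."""
    perms: List[str] = []
    kwargs = {
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        "Resource": {"Table": {"CatalogId": catalog_id,
                               "DatabaseName": database, "Name": table}},
    }
    while True:
        page = lf.list_permissions(**kwargs)
        for entry in page.get("PrincipalResourcePermissions", []):
            perms.extend(entry.get("Permissions", []))
        if "NextToken" not in page:
            return sorted(set(perms))
        kwargs["NextToken"] = page["NextToken"]


def audit(lf, glue, principal_arn: str, catalog_id: str, database: str,
          required: Sequence[str] = ("SELECT",)) -> Dict[str, List[str]]:
    """Map each table to the required permissions the principal lacks ([] = ok)."""
    report: Dict[str, List[str]] = {}
    for table in list_tables(glue, database):
        held = table_permissions(lf, principal_arn, catalog_id, database, table)
        report[table] = sorted(set(required) - set(held))
    return report


if __name__ == "__main__":
    import boto3  # real clients only when run against an account

    lf, glue = boto3.client("lakeformation"), boto3.client("glue")
    # Constructed placeholder values; replace with the real principal and catalog
    role = "arn:aws:iam::111122223333:role/business-role"
    print(audit(lf, glue, role, "111122223333", "database_link"))
```

Run it once with the consumer catalog id and the link name, and once with the producer's catalog id and the target database name, to see where the grant actually landed.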