Reputation: 190
I am trying to use the glueContext.purge_table function in my AWS Glue job. Whenever the job is executed, it throws the following error:
An error occurred while calling o82.purgeTable.
: java.lang.RuntimeException: class com.amazonaws.services.gluejobexecutor.model.AccessDeniedException:User: arn:aws:sts::012345678:assumed-role/XYZ/GlueJobRunnerSession is not authorized to perform: lakeformation:GetDataAccess on resource: arn:aws:glue:us-east-1:MICHIGAN_DEFAULT_CATALOG_ID_RANDOMIZED:table/database/table (Service: AWSLakeFormation; Status Code: 400; Error Code: AccessDeniedException; Request ID: 25829fe6-2a10-430a-b050-023c13bcc8ce; Proxy: null) (Service: AWSGlueJobExecutor; Status Code: 400; Error Code: AccessDeniedException; Request ID: ed60ddfa-8263-486a-b9f6-1dd57cbfd9bd; Proxy: null)
The following policies have been attached to the role:
Any help would be highly appreciated.
Upvotes: 4
Views: 9830
Reputation: 37
Just to add some clarity on this, you need to add the AWSLakeFormationDataAdmin policy to the IAM role that you are using to run your Glue job.
Also, on the Lake Formation side, you need to make sure that the above principal (IAM role) has data lake permission to access the Glue metadata tables of the data catalog.
Upvotes: 2
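The two sides named in the answer above (an IAM permission on the job role and a Lake Formation grant to that role), worked through as an added example that is not part of the original thread: it parses the denial in the question's error and builds an IAM statement for only the denied action plus the arguments for a per-table grant. The function names are hypothetical, the sample string is constructed from the error text, and `SELECT` is a placeholder because the page does not say which Lake Formation permissions `purge_table` needs.

```python
import json
import re

# Denial clause that IAM embeds in the Glue job error message.
DENIED = re.compile(
    r"User: (?P<principal>arn:aws:sts::(?P<account>\d+):assumed-role/"
    r"(?P<role>[^/\s]+)/(?P<session>\S+)) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>\S+)"
)

def parse_denial(message):
    """Extract principal, role ARN, action and table from an AccessDenied message."""
    m = DENIED.search(message)
    if m is None:
        raise ValueError("no access-denied clause found")
    d = m.groupdict()
    # Assumption: the role has no IAM path (the session ARN never shows one).
    d["role_arn"] = f"arn:aws:iam::{d['account']}:role/{d['role']}"
    # Glue table ARNs end in table/<database>/<table>.
    t = re.search(r":table/([^/]+)/([^/\s]+)$", d["resource"])
    d["database"], d["table"] = t.groups() if t else (None, None)
    return d

def iam_statement(denial):
    """Identity-policy statement covering only the denied action."""
    # Lake Formation actions take no resource ARN in IAM, so Resource is "*";
    # per-table scoping happens in the Lake Formation grant instead.
    return {"Effect": "Allow", "Action": [denial["action"]], "Resource": "*"}

def lf_grant_request(denial, permissions):
    """Keyword arguments for boto3 lakeformation grant_permissions (not sent here)."""
    if not denial["database"]:
        raise ValueError("denied resource is not a Glue table")
    return {
        "Principal": {"DataLakePrincipalIdentifier": denial["role_arn"]},
        "Resource": {"Table": {"DatabaseName": denial["database"], "Name": denial["table"]}},
        "Permissions": list(permissions),
    }

# Constructed sample: the denial clause from the question's error text.
SAMPLE = ("AccessDeniedException:User: arn:aws:sts::012345678:assumed-role/XYZ/"
          "GlueJobRunnerSession is not authorized to perform: lakeformation:GetDataAccess "
          "on resource: arn:aws:glue:us-east-1:MICHIGAN_DEFAULT_CATALOG_ID_RANDOMIZED:"
          "table/database/table (Service: AWSLakeFormation; Status Code: 400)")

if __name__ == "__main__":
    denial = parse_denial(SAMPLE)
    print(json.dumps(iam_statement(denial), indent=2))
    print(json.dumps(lf_grant_request(denial, ["SELECT"]), indent=2))  # placeholder permission
```

The grant targets the IAM role ARN rather than the `assumed-role` session ARN shown in the error, since the session name changes per run.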
Reputation: 7028
You also need to provide full LakeFormation access to your job role, since it seems you have LakeFormation active.
Upvotes: 0