onsubject

Reputation: 41

Error while granting permissions to datalake locations via CDK

In CDK, I am registering a datalake location with the following code:

from aws_cdk import Aws, aws_lakeformation as lakeformation

# `scope` is the enclosing Stack/Construct in which these resources are defined.
# Registers the S3 path with Lake Formation, using the service-linked role for data access.
lakeformation.CfnResource(scope, "S3BucketRegistrationResource",
    resource_arn="arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/",
    use_service_linked_role=True
)

And also, grant permissions to a principal on that location, via:

# The data location must match a path that has been registered with Lake Formation.
data_location = lakeformation.CfnPrincipalPermissions.DataLocationResourceProperty(
    catalog_id=Aws.ACCOUNT_ID,
    resource_arn="arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/"
)
# Grants DATA_LOCATION_ACCESS (with grant option) on that location to an IAM user.
cfn_principal_permissions = lakeformation.CfnPrincipalPermissions(scope, "DatalakePrincipalPermissions",
    permissions=["DATA_LOCATION_ACCESS"],
    permissions_with_grant_option=["DATA_LOCATION_ACCESS"],
    principal=lakeformation.CfnPrincipalPermissions.DataLakePrincipalProperty(
        data_lake_principal_identifier="arn:aws:iam::my_acct_id_here:user/my_user_here"
    ),
    resource=lakeformation.CfnPrincipalPermissions.ResourceProperty(
        data_location=data_location
    ),
    catalog=Aws.ACCOUNT_ID
)

When I try to deploy, the registering data location part goes well (it creates the registration entry).

But the grant permissions part yields this error:

CREATE_FAILED | AWS::LakeFormation::PrincipalPermissions | DatalakePrincipalPermissions 6:27:34 PM | CREATE_FAILED | AWS::LakeFormation::PrincipalPermissions | DatalakePrincipalPermissions Resource handler returned message: "Resource does not exist or requester is not authorized to access requested permissions. (Service: LakeFormation, Status Code: 400, Request ID: b29f926b-5ab2-49ec-8bee-42bc8fbc12d8)" (RequestToken: 6cc21ec7-c67a-d4c1-c3f0-3af6b0a7451d, HandlerErrorCode: AccessDenied) at FullCloudFormationDeployment.monitorDeployment (/usr/lib/node_modules/aws-cdk/lib/index.js:380:10236) at process.processTicksAndRejections (node:internal/process/task_queues:95:5) at async deployStack2 (/usr/lib/node_modules/aws-cdk/lib/index.js:383:145775) at async /usr/lib/node_modules/aws-cdk/lib/index.js:383:128776 at async run (/usr/lib/node_modules/aws-cdk/lib/index.js:383:126782)

Why would I have permissions problems via CDK only? What would be the best way to troubleshoot this?

When I do the same grant process manually, directly in the AWS console, I have no problems with permissions or the resource location.

When run manually in their UI interface, I am also using the same user that is running the CDK code in my laptop.

Upvotes: 1

Views: 760

Answers (1)

Moody

Reputation: 39

This is an authorization issue. I think the role with which you are trying to run cdk is not a Lake Formation admin.

Upvotes: 0
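The question asks how to troubleshoot the `AccessDenied` on the grant, and the answer points at the deploying identity not being a Lake Formation admin. The two checks a practitioner would run come down to: which principal CloudFormation actually uses when it calls Lake Formation (with a standard CDK v2 bootstrap that is the stack's CloudFormation execution role, not the laptop user that ran `cdk deploy`), whether that principal is in `DataLakeAdmins` (or otherwise holds the permission with grant option), and whether a registered location covers the ARN being granted. The script below is an added example, not code from the question or the answer; it runs the triage offline over constructed copies of the `GetDataLakeSettings` and `ListResources` response shapes, with invented account id and role-qualifier placeholders. The prefix rule (a registered parent path covers sub-paths) is an assumption made for the example.

```python
from typing import Dict, List, Optional

# Constructed sample of a lakeformation:GetDataLakeSettings response (shape follows the API,
# values are invented). Only the console user is a data lake admin here.
SAMPLE_SETTINGS: Dict = {
    "DataLakeSettings": {
        "DataLakeAdmins": [
            {"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:user/console-admin"},
        ]
    }
}

# Constructed sample of a lakeformation:ListResources response: the one registered location.
SAMPLE_REGISTRATIONS: Dict = {
    "ResourceInfoList": [
        {"ResourceArn": "arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/"},
    ]
}

# Placeholder principals. With the default CDK bootstrap, CloudFormation runs resource handlers as the
# cfn-exec role (qualifier and region in the name are placeholders), not as the user who ran `cdk deploy`.
CONSOLE_USER_ARN = "arn:aws:iam::123456789012:user/console-admin"
CDK_EXEC_ROLE_ARN = "arn:aws:iam::123456789012:role/cdk-QUALIFIER-cfn-exec-role-123456789012-REGION"


def normalize_arn(arn: str) -> str:
    """Drop a trailing slash so 'bucket/folder' and 'bucket/folder/' compare equal."""
    return arn.rstrip("/")


def is_data_lake_admin(settings: Dict, principal_arn: str) -> bool:
    """True if principal_arn appears in DataLakeAdmins of a GetDataLakeSettings response."""
    admins = settings.get("DataLakeSettings", {}).get("DataLakeAdmins", [])
    return any(a.get("DataLakePrincipalIdentifier") == principal_arn for a in admins)


def covering_registration(registrations: Dict, location_arn: str) -> Optional[Dict]:
    """Return the registered location equal to, or the longest parent path of, location_arn.

    Assumption for this example: a registered parent path covers its sub-paths. Prefix matching is
    done on whole path components, so 'bucket/db' does not cover 'bucket/db_other'.
    """
    target = normalize_arn(location_arn)
    best: Optional[Dict] = None
    for info in registrations.get("ResourceInfoList", []):
        reg = normalize_arn(info["ResourceArn"])
        if target == reg or target.startswith(reg + "/"):
            if best is None or len(reg) > len(normalize_arn(best["ResourceArn"])):
                best = info
    return best


def triage(settings: Dict, registrations: Dict, caller_arn: str, location_arn: str) -> List[str]:
    """Return the reasons a DATA_LOCATION_ACCESS grant from caller_arn on location_arn would be refused.

    An empty list means neither check found a problem.
    """
    problems: List[str] = []
    if not is_data_lake_admin(settings, caller_arn):
        problems.append(
            f"{caller_arn} is not in DataLakeAdmins; a non-admin grantor needs the permission "
            "with grant option on the location, or must be added as an admin"
        )
    if covering_registration(registrations, location_arn) is None:
        problems.append(f"no registered data location covers {location_arn}")
    return problems


if __name__ == "__main__":
    location = "arn:aws:s3:::my-s3-bucket-here/my_db_folder_here/"
    # The console path succeeds: the user is an admin and the location is registered.
    print("console user:", triage(SAMPLE_SETTINGS, SAMPLE_REGISTRATIONS, CONSOLE_USER_ARN, location))
    # The CDK path fails: CloudFormation calls Lake Formation as the exec role, which is not an admin.
    print("cfn exec role:", triage(SAMPLE_SETTINGS, SAMPLE_REGISTRATIONS, CDK_EXEC_ROLE_ARN, location))
```

To run this against a real account, replace the two constructed dicts with the results of `boto3.client("lakeformation").get_data_lake_settings()` and `list_resources()`, and take the caller ARN from the stack's CloudFormation execution role rather than from `sts get-caller-identity` on the laptop, since that is the identity the `AWS::LakeFormation::PrincipalPermissions` handler acts as. On the CDK side, the corresponding fix is to declare that execution role as an admin (for example through `aws_lakeformation.CfnDataLakeSettings` with its `admins` property) and to add an explicit dependency from the `CfnPrincipalPermissions` resource on the `CfnResource` registration so the grant is never attempted before the location exists.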
