aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::LakeFormation::Permissions DataLocationResource::S3Resource #1302

Closed hrvining closed 1 year ago

hrvining commented 1 year ago

Name of the resource

AWS::LakeFormation::Permissions

Resource name

No response

Description

DataLocationResource::S3Resource is not supported in CloudFormation as per the docs (refer to the link below). May we add support for S3Resource for DataLocationResource? With our current LakeFormation Permission setup for the DataLocationAccess permission in TypeScript:

import * as lakeformation from "aws-cdk-lib/aws-lakeformation";

// Inside a Stack: grant DATA_LOCATION_ACCESS on an S3 location to a principal.
// Values in braces are placeholders for the real identifiers.
const permissionDataLocationAccess = new lakeformation.CfnPermissions(
    this,
    "{StackId}",
    {
        dataLakePrincipal: {
            dataLakePrincipalIdentifier: "{AWS Glue Arn}",
        },
        resource: {
            dataLocationResource: {
                s3Resource: "{S3 Resource Arn}",
            },
        },
        permissions: ["DATA_LOCATION_ACCESS"],
    },
);

we receive the following error:

Resource does not exist or requester is not authorized to access requested permissions. (Service: AWSLakeFormation; Status Code: 400; Error Code: AccessDeniedException; Request ID: {..RequestID..}; Proxy: null)

We're assuming this is related to S3Resource not being supported by CloudFormation.

Other Details

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lakeformation-permissions-datalocationresource.html

aws-gclend commented 1 year ago

Hello,

The docs referenced are a little out of date. There is a newer version of AWS::LakeFormation::Permissions named AWS::LakeFormation::PrincipalPermissions, which I'd encourage you to consider using instead, since it has some functionality improvements and the documentation is far more recent and thorough. I've included the link for that below.

However, for this particular issue, s3Resource should currently be supported by the AWS::LakeFormation::Permissions resource, and the error message you're seeing (Resource does not exist or requester is not authorized to access requested permissions) indicates that the CloudFormation resource is behaving correctly but the underlying GrantPermissions request is getting an AccessDeniedException from the LakeFormation service.

This likely means a setup step required in LakeFormation prior to granting these permissions is missing, such as registering the location, making the granting role a DataLakeAdmin, or providing it with grantable permissions for that location.

Additional Information

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lakeformation-principalpermissions.html
https://docs.aws.amazon.com/lake-formation/latest/dg/granting-location-permissions.html
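The setup steps named in the reply above (register the location, make the granting role a data lake admin, then grant) expressed as one CloudFormation template. This is an added example, not code from the issue or from the roadmap project, and it uses the newer AWS::LakeFormation::PrincipalPermissions resource the reply recommends. All ARNs are template parameters standing in for the real values; the parameter names, logical IDs and the choice of a service-linked role for registration are assumptions made for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not from the issue): register an S3 location with Lake Formation
  and make the deploying role a data lake admin before granting
  DATA_LOCATION_ACCESS on that location. All ARNs are parameters (placeholders).

Parameters:
  DataLocationArn:
    Type: String
    Description: "Placeholder: ARN of the S3 path to register, e.g. arn:aws:s3:::example-bucket/prefix/"
  GranteeRoleArn:
    Type: String
    Description: "Placeholder: ARN of the IAM role that receives DATA_LOCATION_ACCESS"
  GrantingRoleArn:
    Type: String
    Description: "Placeholder: ARN of the role CloudFormation deploys with (the caller of GrantPermissions)"

Resources:
  # Step 1: register the S3 location with Lake Formation.
  # Granting against a path that was never registered is one cause of the
  # AccessDeniedException quoted in the issue.
  DataLocationRegistration:
    Type: AWS::LakeFormation::Resource
    Properties:
      ResourceArn: !Ref DataLocationArn
      UseServiceLinkedRole: true

  # Step 2: the principal that calls GrantPermissions (here, the deploying role)
  # must be a data lake administrator or already hold grantable permissions on
  # the location. Caution: DataLakeSettings replaces the account's existing
  # admin list in this region, so list every admin you need to keep.
  DataLakeAdmins:
    Type: AWS::LakeFormation::DataLakeSettings
    Properties:
      Admins:
        - DataLakePrincipalIdentifier: !Ref GrantingRoleArn

  # Step 3: grant only after the registration and admin settings exist.
  # DependsOn enforces the ordering that the original stack lacked.
  DataLocationAccessGrant:
    Type: AWS::LakeFormation::PrincipalPermissions
    DependsOn:
      - DataLocationRegistration
      - DataLakeAdmins
    Properties:
      Principal:
        DataLakePrincipalIdentifier: !Ref GranteeRoleArn
      Resource:
        DataLocation:
          CatalogId: !Ref AWS::AccountId
          ResourceArn: !Ref DataLocationArn
      Permissions:
        - DATA_LOCATION_ACCESS
      # Empty on purpose: the grantee can use the location but cannot re-grant it,
      # which keeps the grant at least privilege.
      PermissionsWithGrantOption: []
```

Before deploying, `aws lakeformation list-resources` shows whether the location is already registered, which separates the "not registered" cause from the "granting role lacks rights" cause behind the same AccessDeniedException. If the deploying role must not be a data lake admin, drop the DataLakeAdmins resource and instead give that role DATA_LOCATION_ACCESS with grant option on the location out of band; the PrincipalPermissions grant then still needs DependsOn on the registration.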