aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::LakeFormation::PrincipalPermissions fails but permissions are granted #1323

Closed AKoetsier closed 1 year ago

AKoetsier commented 2 years ago

Name of the resource

Other

Resource Name

AWS::LakeFormation::PrincipalPermissions

Issue Description

CloudFormation returns an error when granting multiple permissions in LakeFormation to a principal. The message from the events is:

Resource handler returned message: "null" (RequestToken: xxxxxxx, HandlerErrorCode: InternalFailure)

After this error, CloudFormation assumes the permissions have not been granted and rolls back the rest of the stack. However, looking at CloudTrail, the GrantPermissions call was successful and the request indeed returned "null" (which is correct according to the docs).

The strange thing is that granting a single permission works correctly.

Expected Behavior

When GrantPermissions doesn't return an error, it should be considered successful in CloudFormation.

Observed Behavior

CloudFormation fails on creation and stops the deployment. However, the permissions are actually created and not revoked (since it was assumed creation failed in the first place).

Test Cases

This template triggers the issue:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  TestRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action:
              - 'sts:AssumeRole'

  TestTag:
    Type: AWS::LakeFormation::Tag
    Properties:
      CatalogId: !Ref AWS::AccountId
      TagKey: CfnTag
      TagValues:
        - CfnVal1
        - CfnVal2

  TestPermission:
    Type: AWS::LakeFormation::PrincipalPermissions
    Properties:
      Permissions:
        - ASSOCIATE
        - DESCRIBE
      PermissionsWithGrantOption:
        - ASSOCIATE
        - DESCRIBE
      Principal:
        DataLakePrincipalIdentifier: !GetAtt TestRole.Arn
      Resource:
        LFTag:
          CatalogId: !Ref AWS::AccountId
          TagKey: !Ref TestTag
          TagValues:
            - "*"

Other Details

No response

aws-gclend commented 2 years ago

Hello,

I have just made a commit to fix this particular issue and we're in the process of validating and expect to begin releasing the fix starting early next week.

There was an issue with the handling of the ListPermissions response when more than one permission was granted for this particular resource type because the ASSOCIATE and DESCRIBE permissions were split into two records that needed to be merged back together. In the meantime, just granting ASSOCIATE or DESCRIBE should be viable and I believe ASSOCIATE also gives the DESCRIBE permission implicitly as a workaround for the same effective permissions.
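The two points in this thread that matter operationally are the split ListPermissions records the maintainer describes and the grants that survive the rollback the reporter observed. The script below is an added example, not code from the roadmap repo or from the CloudFormation resource handler: it merges per-permission records back into one permission set per principal/resource (the merge the handler was missing) and compares that set with what the template declared, so that after a failed stack you can tell whether the grants exist outside CloudFormation's tracking. The account id, role ARN and sample records are constructed; the optional live fetch uses the boto3 `list_permissions` call with `ResourceType="LF_TAG"`, which is assumed to match the API and is not exercised offline.

```python
"""Merge split Lake Formation ListPermissions records and compare the result
with the permissions a template intended to grant.

Added example; constructed sample data, not output captured from AWS.
"""
import json
from typing import Dict, Iterable, List, Set, Tuple

PRINCIPAL = "arn:aws:iam::123456789012:role/TestRole"  # constructed sample ARN
RESOURCE = {  # constructed; mirrors the LFTag resource in the issue's template
    "LFTag": {"CatalogId": "123456789012", "TagKey": "CfnTag", "TagValues": ["*"]}
}

# Constructed sample response: ASSOCIATE and DESCRIBE come back as two records
# for the same principal/resource, which is the shape the maintainer describes
SAMPLE_RECORDS: List[Dict] = [
    {
        "Principal": {"DataLakePrincipalIdentifier": PRINCIPAL},
        "Resource": RESOURCE,
        "Permissions": ["ASSOCIATE"],
        "PermissionsWithGrantOption": ["ASSOCIATE"],
    },
    {
        "Principal": {"DataLakePrincipalIdentifier": PRINCIPAL},
        "Resource": RESOURCE,
        "Permissions": ["DESCRIBE"],
        "PermissionsWithGrantOption": ["DESCRIBE"],
    },
]

Key = Tuple[str, str]
PermSets = Tuple[Set[str], Set[str]]


def _key(principal: str, resource: Dict) -> Key:
    # Resource is a nested dict; a canonical JSON dump gives a stable, hashable key
    return principal, json.dumps(resource, sort_keys=True)


def merge_records(records: Iterable[Dict]) -> Dict[Key, PermSets]:
    """Union Permissions / PermissionsWithGrantOption across every record that
    belongs to the same (principal, resource) pair."""
    merged: Dict[Key, PermSets] = {}
    for rec in records:
        k = _key(rec["Principal"]["DataLakePrincipalIdentifier"], rec["Resource"])
        perms, grant = merged.setdefault(k, (set(), set()))
        perms.update(rec.get("Permissions", []))
        grant.update(rec.get("PermissionsWithGrantOption", []))
    return merged


def effective_permissions(records: Iterable[Dict], principal: str, resource: Dict) -> PermSets:
    """Merged (permissions, grant-option permissions) for one principal/resource."""
    return merge_records(records).get(_key(principal, resource), (set(), set()))


def grants_match_template(records: Iterable[Dict], principal: str, resource: Dict,
                          expected: Iterable[str], expected_grant: Iterable[str]) -> bool:
    """True when the live grants equal exactly what the template declared.
    After a rolled-back stack, True here means the grants exist but are no
    longer tracked by CloudFormation."""
    perms, grant = effective_permissions(records, principal, resource)
    return perms == set(expected) and grant == set(expected_grant)


def fetch_records(principal: str, resource: Dict, region: str = "us-east-1") -> List[Dict]:
    """Live variant (assumed API shape): page through ListPermissions with boto3.
    boto3 is imported here so the rest of the module works offline."""
    import boto3  # type: ignore

    client = boto3.client("lakeformation", region_name=region)
    records: List[Dict] = []
    kwargs: Dict = {
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "ResourceType": "LF_TAG",
        "Resource": resource,
    }
    while True:
        page = client.list_permissions(**kwargs)
        records.extend(page.get("PrincipalResourcePermissions", []))
        token = page.get("NextToken")
        if not token:
            return records
        kwargs["NextToken"] = token


if __name__ == "__main__":
    # Offline run over the constructed records
    print(effective_permissions(SAMPLE_RECORDS, PRINCIPAL, RESOURCE))
    print(grants_match_template(SAMPLE_RECORDS, PRINCIPAL, RESOURCE,
                                ["ASSOCIATE", "DESCRIBE"], ["ASSOCIATE", "DESCRIBE"]))
```

Run as-is, the script works over the constructed records; to audit a real account, replace `SAMPLE_RECORDS` with `fetch_records(PRINCIPAL, RESOURCE)` and the real principal/resource. A `True` from `grants_match_template` on a stack that rolled back is the drift case from this issue: the grant succeeded, CloudFormation never recorded the resource, and a later stack deletion will not revoke it.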

aws-kaushal-partani commented 1 year ago

This change should have been deployed out. Could you confirm if the behavior has been fixed?