aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::LakeFormation::Permissions TableResource support for TableWildcard #622

Closed BrianFanning closed 2 years ago

BrianFanning commented 3 years ago

TableWildcard is supported by SDK: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/lakeformation.html#LakeFormation.Client.grant_permissions

but is not available in CloudFormation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lakeformation-permissions-tableresource.html#cfn-lakeformation-permissions-tableresource-name

Currently we are using CF custom resources to support this which is not ideal

kherkeladze commented 3 years ago

It seems that the documentation is outdated, since I've added TableWildcard: {} in a CF template and it works

colonmelvin commented 3 years ago

I can confirm, I was also able to provision access to all tables. I've submitted a request to have the documentation updated, thanks @kherkeladze!

mt-rpranata commented 3 years ago

Hi @kherkeladze or @colonmelvin. When I have TableWildcard: {} in my CF, it does not work though. I have got this error:

Resource does not exist or requester is not authorized to access requested permissions. (Service: AWSLakeFormation; Status Code: 400; Error Code: AccessDeniedException

Do you mind posting an example of what was done?

colonmelvin commented 3 years ago

Hi @mt-rpranata, be sure you have grant permissions on the Glue database or Lake Formation administrator permissions. We used the following CFT as a Terraform resource:

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "databasepermissions": {
            "Type": "AWS::LakeFormation::Permissions",
            "Properties": {
                "DataLakePrincipal": {
                    "DataLakePrincipalIdentifier": "${aws_iam_role.service_role_glue.arn}"
                },
                "Permissions": [
                    "ALL"
                ],
                "PermissionsWithGrantOption": [
                    "ALL"
                ],
                "Resource": {
                    "DatabaseResource": {
                        "Name": "${element(split(":",aws_glue_catalog_database.glue_database.id),1)}"
                    }
                }
            },
            "Metadata": {
                "AWS::CloudFormation::Designer": {
                    "id": "a23487d6-a0f3-4787-94b1-6ce2cee3dd46"
                }
            }
        },
        "tablepermissions": {
            "Type": "AWS::LakeFormation::Permissions",
            "Properties": {
                "DataLakePrincipal": {
                    "DataLakePrincipalIdentifier": "${aws_iam_role.service_role_glue.arn}"
                },
                "Permissions": [
                    "ALL"
                ],
                "PermissionsWithGrantOption": [
                    "ALL"
                ],
                "Resource": {
                    "TableResource": {
                        "DatabaseName": "${element(split(":",aws_glue_catalog_database.glue_database.id),1)}",
                        "TableWildcard": {}
                    }
                }
            }
        }
    }
}

mt-rpranata commented 3 years ago

Thank you @colonmelvin! I almost dug my way down the rabbit hole of custom resources and did it through a manual API call 🤕

Even when I temporarily tested with relaxed glue:* and lakeformation:* permissions on my role for all resources, I did not have the grantable Lake Formation permission on the CF Execute Role. After reading your comment to make sure I had all the permissions, just to be safe, I added Grantable: Super on the CF Execute Role so it can grant permissions to other users, and then everything was hunky-dory.

One thing I'm still wrapping my head around is that even when I have

I still need the Super grantable permission on ALL tables for it to work. I don't need this if I specify a table name, by the way 🤔

Anyway, I appreciate your help! 🙏
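The template above grants ALL, with the grant option, on every table in the database via TableWildcard, and the follow-up comment notes that the CloudFormation execution role itself needs grantable permissions for such a wildcard grant to succeed. The following script is an added example, not code from this thread or from AWS: it audits a CloudFormation template offline and flags AWS::LakeFormation::Permissions resources that combine TableWildcard with ALL permissions or with PermissionsWithGrantOption, so broad grants can be reviewed before deployment. The embedded template, role ARN and database name are constructed for the example (plain strings, no Terraform interpolation).

```python
import json

# Constructed sample template for the example (not the thread's own template).
# "tablepermissions" mirrors the pattern discussed above: ALL + grant option on a
# table wildcard. "narrowtablepermissions" and "readonlywildcard" are tighter grants.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "databasepermissions": {
            "Type": "AWS::LakeFormation::Permissions",
            "Properties": {
                "DataLakePrincipal": {
                    "DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/ExampleGlueRole"
                },
                "Permissions": ["ALL"],
                "PermissionsWithGrantOption": ["ALL"],
                "Resource": {"DatabaseResource": {"Name": "sales"}},
            },
        },
        "tablepermissions": {
            "Type": "AWS::LakeFormation::Permissions",
            "Properties": {
                "DataLakePrincipal": {
                    "DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/ExampleGlueRole"
                },
                "Permissions": ["ALL"],
                "PermissionsWithGrantOption": ["ALL"],
                "Resource": {"TableResource": {"DatabaseName": "sales", "TableWildcard": {}}},
            },
        },
        "narrowtablepermissions": {
            "Type": "AWS::LakeFormation::Permissions",
            "Properties": {
                "DataLakePrincipal": {
                    "DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/ExampleAnalystRole"
                },
                "Permissions": ["SELECT"],
                "Resource": {"TableResource": {"DatabaseName": "sales", "Name": "orders"}},
            },
        },
        "readonlywildcard": {
            "Type": "AWS::LakeFormation::Permissions",
            "Properties": {
                "DataLakePrincipal": {
                    "DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/ExampleAnalystRole"
                },
                "Permissions": ["SELECT"],
                "Resource": {"TableResource": {"DatabaseName": "sales", "TableWildcard": {}}},
            },
        },
    },
})


def iter_lf_permissions(template):
    """Yield (logical_id, properties) for every AWS::LakeFormation::Permissions resource."""
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::LakeFormation::Permissions":
            yield logical_id, res.get("Properties", {})


def describe_scope(resource):
    """Return a short human-readable description of what a Permissions 'Resource' targets."""
    table = resource.get("TableResource")
    if table is not None:
        if "TableWildcard" in table:
            return f"all tables in database {table.get('DatabaseName')}"
        return f"table {table.get('DatabaseName')}.{table.get('Name')}"
    db = resource.get("DatabaseResource")
    if db is not None:
        return f"database {db.get('Name')}"
    return "other resource"


def audit_template(template_text):
    """Return (logical_id, finding, scope) tuples for broad table-wildcard grants.

    Two checks: ALL on a table wildcard, and any grant option on a table wildcard
    (the grant option lets the principal re-grant to others, as the thread notes).
    """
    template = json.loads(template_text)
    findings = []
    for logical_id, props in iter_lf_permissions(template):
        perms = set(props.get("Permissions", []))
        grantable = set(props.get("PermissionsWithGrantOption", []))
        resource = props.get("Resource", {})
        wildcard = "TableWildcard" in resource.get("TableResource", {})
        if not wildcard:
            continue
        scope = describe_scope(resource)
        if "ALL" in perms:
            findings.append((logical_id, "ALL permission on a table wildcard", scope))
        if grantable:
            findings.append((logical_id, "grant option on a table wildcard", scope))
    return findings


if __name__ == "__main__":
    for logical_id, finding, scope in audit_template(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {finding} ({scope})")
```

Only the `tablepermissions` resource is reported; the database-level grant is outside the wildcard checks, and the two read-only grants pass. The checks are deliberately narrow so the script can run in a pre-deployment pipeline as a review aid, not as a substitute for Lake Formation's own authorization, which (as the thread shows) still requires the deploying role to hold the grantable permission for a wildcard grant.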

ramirek commented 3 years ago

I have just tested it. The feature is available. On the other hand, the CloudFormation documentation is not up to date. To avoid this confusion, can you please update the documentation here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-lakeformation-permissions-tablewildcard.html?

[Screenshot attached: Screen Shot 2021-05-24 at 11 49 18 AM]

Thank you

aws-austin-lee commented 2 years ago

Thanks for bringing this to our attention and we apologize for the confusion. We have updated the docs.