aws-samples / aws-data-mesh-utils

Apache License 2.0

Recurring error for Consumer Account (lakeformation:GetDataLakeSettings) #22

Open TomEijk opened 1 year ago

TomEijk commented 1 year ago

Hi all!

For the consumer account, I don't know which policies should be applied for Lakeformation. This error pops up when I apply too many policies on this account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lakeformation:GetDataLakeSettings"
      ],
      "Resource": "*"
    }
  ]
}
```

```
File "C:\Users\Anaconda3\lib\site-packages\data_mesh_util\DataMeshAdmin.py", line 381, in _initialize_account_as
    self._automator.assert_is_data_lake_admin(
File "C:\Users\64324\Anaconda3\lib\site-packages\data_mesh_util\lib\ApiAutomator.py", line 668, in assert_is_data_lake_admin
    raise Exception(f"Principal {principal} is not Data Lake Admin")
Exception: Principal arn:aws:iam::[ACCOUNT_ID]:user/Consumer is not Data Lake Admin
```

However, when I apply too few policies (removing the above policy), another error pops up:

```
botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the GetDataLakeSettings operation: User: arn:aws:iam::[ACCOUNT_ID]:user/AwsDataMesh/DataMeshProducer is not authorized to perform: lakeformation:GetDataLakeSettings on resource: arn:aws:lakeformation:us-east-1:[ACCOUNT_ID]:catalog:[ACCOUNT_ID] because no identity-based policy allows the lakeformation:GetDataLakeSettings action
```

Even when I use the DataMeshProducer user generated by the DataMeshManager, I get this (second) error. And when I manually add lakeformation:GetDataLakeSettings to the permissions of my user, the first error returns.

Could you help me get the right policy structure for the consumer account in this repo?

Kind regards,

Tom

IanMeyers commented 1 year ago

Can you please advise on what operation you are trying to perform relative to this issue? Strictly speaking, only the DataMeshManagerRole needs to be DataLakeAdmin, and then producer and consumer roles assume this role to perform the required tasks needed.
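The two errors in the thread come from two different checks: the AccessDeniedException is IAM refusing the `lakeformation:GetDataLakeSettings` call itself, while the "is not Data Lake Admin" exception is the library reading the `DataLakeAdmins` list returned by that call and not finding the caller in it. The following is an added example, not code from aws-data-mesh-utils, showing that second check as a stand-alone function and why it matters that the calling principal is the Data Lake Admin role rather than the user who assumed it: the `DataLakeAdmins` list holds IAM user/role ARNs, whereas a caller that has assumed a role is identified by an `arn:aws:sts::...:assumed-role/...` ARN, so the check has to normalise the caller ARN first. The account ID, the `DataMeshManagerRole` and `Consumer` principal names, the `get_data_lake_settings` callable and the sample response are all constructed for this example; in a real run the callable would be `boto3.client("lakeformation").get_data_lake_settings`.

```python
"""Added example (not part of aws-data-mesh-utils): the Data Lake Admin
check behind the "Principal ... is not Data Lake Admin" exception.

Everything below runs offline against a constructed GetDataLakeSettings
response; the account ID and principal names are placeholders.
"""
import re
from typing import Any, Callable, Dict, List

# An STS caller that has assumed a role looks like
#   arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
# while Lake Formation lists admins by IAM identity
#   arn:aws:iam::<account>:role/<RoleName>
ASSUMED_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/[^/]+$"
)


def normalize_principal(arn: str) -> str:
    """Map an STS assumed-role ARN to the IAM role ARN; pass others through."""
    m = ASSUMED_ROLE_RE.match(arn)
    if m:
        return f"arn:aws:iam::{m['account']}:role/{m['role']}"
    return arn


def data_lake_admins(settings_response: Dict[str, Any]) -> List[str]:
    """Extract the admin principal ARNs from a GetDataLakeSettings response."""
    settings = settings_response.get("DataLakeSettings", {})
    return [
        p["DataLakePrincipalIdentifier"]
        for p in settings.get("DataLakeAdmins", [])
        if "DataLakePrincipalIdentifier" in p
    ]


def is_data_lake_admin(
    principal_arn: str,
    get_data_lake_settings: Callable[..., Dict[str, Any]],
    catalog_id: str,
) -> bool:
    """True if the (normalised) principal is listed as a Data Lake Admin.

    `get_data_lake_settings` is injected so the example runs offline; the
    real call is boto3.client("lakeformation").get_data_lake_settings and
    needs lakeformation:GetDataLakeSettings in the caller's identity policy,
    otherwise it fails with AccessDeniedException before this check runs.
    """
    response = get_data_lake_settings(CatalogId=catalog_id)
    return normalize_principal(principal_arn) in set(data_lake_admins(response))


def assert_is_data_lake_admin(
    principal_arn: str,
    get_data_lake_settings: Callable[..., Dict[str, Any]],
    catalog_id: str,
) -> None:
    """Raise, as the library does, when the principal is not an admin."""
    if not is_data_lake_admin(principal_arn, get_data_lake_settings, catalog_id):
        raise PermissionError(f"Principal {principal_arn} is not Data Lake Admin")


# Constructed sample: only the manager role is a Data Lake Admin, which is
# the layout described in the thread (producer/consumer assume that role).
ACCOUNT = "111122223333"  # placeholder account ID
MANAGER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/DataMeshManagerRole"
CONSUMER_USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/Consumer"
SAMPLE_SETTINGS: Dict[str, Any] = {
    "DataLakeSettings": {
        "DataLakeAdmins": [{"DataLakePrincipalIdentifier": MANAGER_ROLE_ARN}],
        "CreateDatabaseDefaultPermissions": [],
        "CreateTableDefaultPermissions": [],
    }
}


def fake_get_data_lake_settings(CatalogId: str) -> Dict[str, Any]:
    """Stand-in for lakeformation.get_data_lake_settings (constructed)."""
    if CatalogId != ACCOUNT:
        raise ValueError(f"unexpected CatalogId {CatalogId}")
    return SAMPLE_SETTINGS


if __name__ == "__main__":
    # Calling as the plain Consumer user reproduces the first error in the thread.
    try:
        assert_is_data_lake_admin(CONSUMER_USER_ARN, fake_get_data_lake_settings, ACCOUNT)
    except PermissionError as e:
        print(e)
    # Calling after assuming the manager role passes, because the STS
    # assumed-role ARN normalises to the role ARN in DataLakeAdmins.
    session_arn = f"arn:aws:sts::{ACCOUNT}:assumed-role/DataMeshManagerRole/mesh-session"
    print("assumed manager role is admin:",
          is_data_lake_admin(session_arn, fake_get_data_lake_settings, ACCOUNT))
```

Against real AWS, the caller ARN comes from `boto3.client("sts").get_caller_identity()["Arn"]` and the settings call from a Lake Formation client created from the assumed-role session; the identity policy on whichever principal makes the call still needs `lakeformation:GetDataLakeSettings` (the policy posted in the thread), and the principal must additionally appear in `DataLakeAdmins` for the check to pass, which is why granting the permission alone moves the failure from the first error to the second.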

TomEijk commented 1 year ago

Hi IanMeyers,

Yes I was trying to run Step 1.2: Enable an AWS Account as a Consumer. That script returned these errors.

IanMeyers commented 1 year ago

OK - cool. Can you please paste the command that you are running and the output trace here so I can see the full set?