aws-samples / bedrock-claude-chat

AWS-native chatbot using Bedrock + Claude (+Mistral)
MIT No Attribution
797 stars 293 forks

[BUG] Not able to cdk deploy . Error Insufficient Lake Formation permission(s): Required Create Database on Catalog (Service: AWSGlue; Status Code: 400 #475

Closed vishallakhotia closed 1 week ago

vishallakhotia commented 1 month ago

Describe the bug

I created an Amazon Linux 2023 instance and installed docker, npm, cdk etc. I am trying to do a cdk deploy with the latest code. The "cdk bootstrap aws:///us-east-1" (with the right 12-digit value of the ACCOUNT_ID substituted) runs fine. However "cdk deploy --require-approval never --all" errors out:

7:29:24 PM | CREATE_FAILED | AWS::Glue::Database | UsageAnalysisDatabase203EEF4F Insufficient Lake Formation permission(s): Required Create Database on Catalog (Service: AWSGlue; Status Code: 400; Error Code: AccessDeniedException; Request ID: 1ddc191c-b7c8-4f5b-a035-7da398c28263; Proxy: null)

To Reproduce

Steps to reproduce the behavior:

  1. Check out the latest code.
  2. Run the commands as listed in the "Deploy with CDK" section.
  3. There is no mention anywhere in the notes that Lake Formation should be activated.
  4. In my account Lake Formation is already activated in us-east-1.
  5. I added the role used by the EC2 instance as a Lake Formation administrator with permission to create databases, as well as a data lake administrator.
  6. I got the error:
    7:29:24 PM | CREATE_FAILED | AWS::Glue::Database | UsageAnalysisDatabase203EEF4F Insufficient Lake Formation permission(s): Required Create Database on Catalog (Service: AWSGlue; Status Code: 400; Error Code: AccessDeniedException; Request ID: 1ddc191c-b7c8-4f5b-a035-7da398c28263; Proxy: null)


vishallakhotia commented 1 month ago

To overcome this error, in CloudTrail I found the eventname="createdatabase" event and found the userName = cdk-hnb659fds-cfn-exec-role-ACCOUNT_ID-us-east-1. Then I added that role to the Lake Formation permissions as a database creator, and it allowed the deployment to continue.

statefb commented 1 month ago

In my account LakeFormation is already activated in us-east-1.

As you mentioned, this looks like the root cause. Doc says:

The user/role must be a data lake administrator.

cdk-hnb659fds-cfn-exec-role-ACCOUNT_ID-us-east-1

This role is used to provision resources on your account, so your workaround looks reasonable.
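A check-then-grant helper for the workaround discussed in this thread, added here as an example; it is not part of the repository or either commenter's code. It inspects a Lake Formation ListPermissions result for the CDK execution role and, if needed, builds the narrowest grant (CREATE_DATABASE on the catalog) rather than making the deploy role a full data lake administrator. The account id is a constructed placeholder; the live path assumes a boto3 `lakeformation` client.

```python
from typing import Any, Optional

# Role name quoted in the issue; the 12-digit account id is a constructed placeholder.
CDK_EXEC_ROLE_ARN = ("arn:aws:iam::123456789012:role/"
                     "cdk-hnb659fds-cfn-exec-role-123456789012-us-east-1")


def has_catalog_create_database(permissions: list[dict[str, Any]], role_arn: str) -> bool:
    """True if an entry grants CREATE_DATABASE on the Data Catalog to role_arn.
    `permissions` is the PrincipalResourcePermissions list returned by ListPermissions."""
    for entry in permissions:
        principal = entry.get("Principal", {}).get("DataLakePrincipalIdentifier")
        if principal != role_arn or "Catalog" not in entry.get("Resource", {}):
            continue
        if "CREATE_DATABASE" in entry.get("Permissions", []):
            return True
    return False


def build_grant_request(role_arn: str) -> dict[str, Any]:
    """Least-privilege grant that satisfies Glue CreateDatabase under Lake Formation."""
    return {"Principal": {"DataLakePrincipalIdentifier": role_arn},
            "Resource": {"Catalog": {}},
            "Permissions": ["CREATE_DATABASE"]}


def ensure_create_database(role_arn: str, permissions: Optional[list] = None,
                           client: Any = None) -> Optional[dict[str, Any]]:
    """Return the grant request that was (or would be) applied, or None if the role
    already holds the permission. With client=None nothing is called against AWS."""
    if permissions is None:
        if client is None:
            raise ValueError("pass either a permissions list or a boto3 lakeformation client")
        permissions, kwargs = [], {"Principal": {"DataLakePrincipalIdentifier": role_arn}}
        while True:  # ListPermissions is paginated via NextToken
            page = client.list_permissions(**kwargs)
            permissions.extend(page.get("PrincipalResourcePermissions", []))
            if not page.get("NextToken"):
                break
            kwargs["NextToken"] = page["NextToken"]
    if has_catalog_create_database(permissions, role_arn):
        return None
    request = build_grant_request(role_arn)
    if client is not None:
        client.grant_permissions(**request)
    return request


# Constructed sample page: the deploy role only has DESCRIBE on one table.
SAMPLE_PERMISSIONS = [
    {"Principal": {"DataLakePrincipalIdentifier": CDK_EXEC_ROLE_ARN},
     "Resource": {"Table": {"DatabaseName": "usage", "Name": "events"}},
     "Permissions": ["DESCRIBE"]},
    {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/Admin"},
     "Resource": {"Catalog": {}}, "Permissions": ["CREATE_DATABASE"]},
]
```

Run with `ensure_create_database(CDK_EXEC_ROLE_ARN, client=boto3.client("lakeformation"))` to apply the grant against a real account.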

vishallakhotia commented 1 month ago

There are 2 options:

1. Update the instructions to just add this user as a data lake administrator and retry.

2. Split the cdk deploy into 2 segments, where the user "cdk-hnb659fds-cfn-exec-role-ACCOUNT_ID-us-east-1" is created in the 1st segment, add a step in between where the user has to add it manually, and then run the 2nd part of the cdk deployment.

github-actions[bot] commented 1 week ago

This issue has been labeled as "stale" due to no response by the reporter within 1 month (and 14 days after the last comment by someone). It will be closed automatically 14 days later if there is no response.

statefb commented 1 week ago

@vishallakhotia Thank you for the detailed workaround. Let us close this issue and open another issue (#503) to describe the procedure you mentioned.