aws-solutions-library-samples / guidance-for-data-management-core-on-aws

The Data Fabric sample code focuses on the core data fabric implementation on AWS, providing a complete guide for deploying and using the data fabric capabilities.
https://aws.amazon.com/solutions/guidance/building-a-sustainability-data-fabric-on-aws/
MIT No Attribution

AccessDeniedException during asset creation after deployment #7

Closed sathish0804 closed 2 months ago

sathish0804 commented 2 months ago

@johnrotach After deploying the repository and attempting to create an asset, I encountered an AccessDeniedException error while trying to perform the operation StartDataSourceRun. The error message indicates that the user is not permitted to perform this operation.

{
  "errorType": "AccessDeniedException",
  "errorMessage": "User is not permitted to perform operation: StartDataSourceRun",
  "trace": [
    "AccessDeniedException: User is not permitted to perform operation: StartDataSourceRun",
    "    at de_AccessDeniedExceptionRes (file:///var/task/index.mjs:390:167855)",
    "    at de_CommandError (file:///var/task/index.mjs:390:166898)",
    "    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)",
    "    at async file:///var/task/index.mjs:357:313373",
    "    at async file:///var/task/index.mjs:366:1240",
    "    at async file:///var/task/index.mjs:365:15893",
    "    at async file:///var/task/index.mjs:327:73196",
    "    at async file:///var/task/index.mjs:357:277658",
    "    at async Mie.process (file:///var/task/index.mjs:424:14379)",
    "    at async Runtime.l8i [as handler] (file:///var/task/index.mjs:440:7950)"
  ]
}

Steps to Reproduce:
1. Deployed the repository following the provided guidelines.
2. Tried creating an asset.
3. Encountered the error mentioned above.

Expected Behavior: Asset creation should proceed without AccessDeniedException issues.

User Permissions

I added these policies to the role.

In your Spoke account create an IAM role to be used when creating assets in DF. You will pass the role’s Amazon Resource Name (ARN) to DF when you create assets. DF will pass this role to Glue and Glue DataBrew as needed. The role name must be prefixed with df-. This enables the role to be passed by DF. The trust policy is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "dataBrew",
      "Effect": "Allow",
      "Principal": {
        "Service": "databrew.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "glue",
      "Effect": "Allow",
      "Principal": {
        "Service": "glue.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Add the following policies to the role:
- AWSGlueServiceRole
- AWSGlueDataBrewServiceRole
- AmazonS3FullAccess

johnrotach commented 2 months ago

I think I may see the issue. It may be that the user you are using to make calls to the guidance is not a member of the project in DataZone. Can you confirm the members of the project you are using in DataZone? If you select the project and then click on the members tab, confirm the user you are using to make the register asset call is a member of the project you included in the request. If they are not, add them with the Add Members button.

Let us know if this isn't the case and we can dig deeper.

[Screenshot attached: 2024-09-30 08:43:15]
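The membership check described in the reply above can also be done programmatically, which is useful when the caller is a Lambda function rather than a console user. The following is an added example, not code from the guidance repository or from either participant: it pages through the DataZone ListProjectMemberships API, refuses to call StartDataSourceRun unless the calling user is a direct project member, and reports any group memberships that would need to be resolved separately. It assumes the boto3 DataZone client method names list_project_memberships and start_data_source_run, and every identifier in SAMPLE_PAGES is constructed; FakeDataZoneClient stands in for the real client so the check runs offline.

```python
"""Pre-flight check before StartDataSourceRun: confirm the calling user is a
member of the DataZone project.  Added example, not code from the guidance
repository; it assumes the boto3 DataZone API names list_project_memberships
and start_data_source_run, and all identifiers in SAMPLE_PAGES are constructed."""

from dataclasses import dataclass, field


@dataclass
class ProjectMembers:
    project_id: str
    user_ids: set = field(default_factory=set)
    group_ids: set = field(default_factory=set)

    def has_user(self, user_id: str) -> bool:
        return user_id in self.user_ids


def list_project_members(client, domain_id: str, project_id: str) -> ProjectMembers:
    """Page through ListProjectMemberships and collect direct user and group
    members.  Each memberDetails entry is either {"user": {"userId": ...}}
    or {"group": {"groupId": ...}}."""
    members = ProjectMembers(project_id=project_id)
    kwargs = {"domainIdentifier": domain_id, "projectIdentifier": project_id}
    while True:
        page = client.list_project_memberships(**kwargs)
        for entry in page.get("members", []):
            details = entry.get("memberDetails", {})
            if "user" in details:
                members.user_ids.add(details["user"]["userId"])
            elif "group" in details:
                members.group_ids.add(details["group"]["groupId"])
        token = page.get("nextToken")
        if not token:
            return members
        kwargs["nextToken"] = token


def preflight_start_data_source_run(client, domain_id, project_id,
                                    data_source_id, caller_user_id):
    """Only call StartDataSourceRun when caller_user_id is a direct project
    member.  A user who is a member only through a group cannot be resolved
    from this API alone, so the denial lists the groups to check."""
    members = list_project_members(client, domain_id, project_id)
    if not members.has_user(caller_user_id):
        return {"ok": False,
                "reason": f"{caller_user_id} is not a direct member of {project_id}",
                "groups_to_check": sorted(members.group_ids)}
    run = client.start_data_source_run(domainIdentifier=domain_id,
                                       dataSourceIdentifier=data_source_id)
    return {"ok": True, "runId": run["id"]}


# Constructed sample responses (not real DataZone ids); two pages so the
# paging loop is exercised.
SAMPLE_PAGES = [
    {"members": [{"memberDetails": {"user": {"userId": "user-constructed-1"}},
                  "designation": "PROJECT_OWNER"}],
     "nextToken": "t1"},
    {"members": [{"memberDetails": {"group": {"groupId": "group-constructed-1"}},
                  "designation": "PROJECT_CONTRIBUTOR"}]},
]


class FakeDataZoneClient:
    """Stand-in for boto3.client("datazone") so the check runs offline.
    Records every call so a caller can see that no run was started on denial."""

    def __init__(self, pages):
        self.pages = pages
        self.calls = []

    def list_project_memberships(self, **kwargs):
        self.calls.append(("list_project_memberships", kwargs))
        token = kwargs.get("nextToken")
        index = int(token[1:]) if token else 0   # tokens are "t<page index>"
        return self.pages[index]

    def start_data_source_run(self, **kwargs):
        self.calls.append(("start_data_source_run", kwargs))
        return {"id": "run-constructed-1", "status": "REQUESTED"}


def real_client(region_name: str):
    """Build the real client; boto3 is imported lazily so the module loads
    without it installed."""
    import boto3
    return boto3.client("datazone", region_name=region_name)


if __name__ == "__main__":
    fake = FakeDataZoneClient(SAMPLE_PAGES)
    print(preflight_start_data_source_run(fake, "dzd_constructed", "prj_constructed",
                                          "ds_constructed", "user-constructed-1"))
    print(preflight_start_data_source_run(fake, "dzd_constructed", "prj_constructed",
                                          "ds_constructed", "user-constructed-2"))
```

Running the check before the service call turns the opaque "User is not permitted to perform operation" response into a message naming the missing membership, and the recorded calls on the fake client show that a denied caller never reaches StartDataSourceRun. The userId compared here is the DataZone user profile id, not the IAM principal, which is why adding IAM policies to the role did not change the outcome in this issue.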

sathish0804 commented 2 months ago

Thank you for your help John! After reviewing the project members in DataZone, I found that the user making the register asset call was not a member of the project. Once I added them, the issue was resolved. I appreciate your guidance, and everything is now working as expected.