aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(aws-lakeformation): Intermittent issues with RAM resource share request with Lake Formation CDK #16085

Closed akshayrane closed 2 years ago

akshayrane commented 3 years ago

Reproduction Steps

Using the following snippet in a CDK application intermittently creates issues with the RAM resource share that's created internally.

// Grant SELECT/DESCRIBE (with grant option) on a Glue table to another account's root principal.
new lakeFormation.CfnPermissions(scope, id, {
    dataLakePrincipal: {
        dataLakePrincipalIdentifier: `arn:aws:iam::111111111111:root`
    },
    resource: {
        tableResource: {
            databaseName: 'foo_db',
            name: 'bar_table'
        }
    },
    permissions: ['SELECT', 'DESCRIBE'],
    permissionsWithGrantOption: ['SELECT', 'DESCRIBE']
});

What did you expect to happen?

  1. [Producer end] In RAM console, the cross account resource share should get created with 'Associating' status
  2. [Customer end] Once accepted by the customer, the resources shared section in RAM should show the tables that are shared as part of LF grant
  3. [Producer end] In RAM console, the request should now show status 'Associated' with Principals containing customer AWS account ID and Resources shared section containing the glue tables for which access was granted.

What actually happened?

  1. [Producer end] In RAM console, the cross account resource share should get created with 'Associating' status
  2. [Customer end] Once accepted by the customer, the resources shared section in RAM shows zero tables
  3. [Producer end] In RAM console, the request shows zero Principals and zero resources shared.

This issue happens intermittently with CDK, and not when the grant is done via the LF Console.

Environment

Other

The issue was faced intermittently. Some of the resource shares went through, and for some we faced the principals and resources disappearing issue.


This is :bug: Bug Report

BenChaimberg commented 3 years ago

A more complete reproducible example will help us debug this issue. Notably, if you could provide how you are defining your database and/or table.

You should also use the LakeFormation API (probably easiest through the AWS CLI) to call ListPermissions on a table that you create through the console and one that you create via CDK. If the responses are the same, then this is just a transient issue. If they are different, it may point you to what you need to change.

In any case, this is most likely not a CDK issue and more likely a CloudFormation or LakeFormation issue.
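
The ListPermissions comparison suggested in the comment above, as an added example that is not part of the original thread or the CDK project's code. Field names follow the Lake Formation ListPermissions response shape; the helper names `grantKey` and `diffPermissions` and both sample responses are constructed here for illustration.

```typescript
// Added example: diff two Lake Formation ListPermissions responses (sample data is constructed).
type Grant = {
  Principal?: { DataLakePrincipalIdentifier?: string };
  Resource?: { [kind: string]: unknown };
  Permissions?: string[];
  PermissionsWithGrantOption?: string[];
  AdditionalDetails?: { ResourceShare?: string[] };
};
type ListPermissionsResponse = { PrincipalResourcePermissions?: Grant[] };

// Reduce a grant to a comparable key. Table names are left out on purpose,
// because the console-made and CDK-made tables differ in name.
function grantKey(g: Grant): string {
  const principal = g.Principal?.DataLakePrincipalIdentifier ?? "?";
  const kind = Object.keys(g.Resource ?? {}).sort().join("+") || "none";
  const perms = (g.Permissions ?? []).slice().sort().join(",");
  const grantable = (g.PermissionsWithGrantOption ?? []).slice().sort().join(",");
  const share = (g.AdditionalDetails?.ResourceShare ?? []).length > 0 ? "yes" : "no";
  return `${principal} | ${kind} | perms=${perms} | grantable=${grantable} | share=${share}`;
}

// Return the grant keys present on one side only; two empty lists mean the grants match.
function diffPermissions(consoleResp: ListPermissionsResponse, cdkResp: ListPermissionsResponse) {
  const a = (consoleResp.PrincipalResourcePermissions ?? []).map(grantKey);
  const b = (cdkResp.PrincipalResourcePermissions ?? []).map(grantKey);
  return {
    onlyConsole: a.filter((k) => b.indexOf(k) === -1).sort(),
    onlyCdk: b.filter((k) => a.indexOf(k) === -1).sort(),
  };
}

// Constructed samples: same grant, but the CDK-side entry carries no RAM share ARN.
const CONSOLE_SAMPLE: ListPermissionsResponse = { PrincipalResourcePermissions: [{
  Principal: { DataLakePrincipalIdentifier: "111111111111" },
  Resource: { Table: { DatabaseName: "foo_db", Name: "console_table" } },
  Permissions: ["SELECT", "DESCRIBE"],
  PermissionsWithGrantOption: ["DESCRIBE", "SELECT"],
  AdditionalDetails: { ResourceShare: ["arn:aws:ram:REGION:ACCOUNT:resource-share/PLACEHOLDER"] },
}] };
const CDK_SAMPLE: ListPermissionsResponse = { PrincipalResourcePermissions: [{
  Principal: { DataLakePrincipalIdentifier: "111111111111" },
  Resource: { Table: { DatabaseName: "foo_db", Name: "bar_table" } },
  Permissions: ["SELECT", "DESCRIBE"],
  PermissionsWithGrantOption: ["SELECT", "DESCRIBE"],
}] };

console.log(JSON.stringify(diffPermissions(CONSOLE_SAMPLE, CDK_SAMPLE), null, 2));
```

The two inputs would come from saving the JSON output of `aws lakeformation list-permissions` for each table and loading the files in place of the constructed samples.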