Closed BradBender closed 2 years ago
Hi @BradBender,
Thanks for raising this! This is a duplicate of https://github.com/boto/botocore/issues/2406. I haven't heard back from the Lakeformation team yet, so I'll make sure to escalate this.
Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
Confirm by changing [ ] to [x] below to ensure that it's a bug:
Describe the bug
CLI docs incorrectly describe JSON syntax for LF-Tag permissions. As seen here: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lakeformation/batch-grant-permissions.html
We are trying to grant a Role permissions to DESCRIBE and ASSOCIATE an LF-Tag in LakeFormation.
Based on the official docs, one would expect the following JSON to work:
BROKEN.JSON:
{
  "Entries": [
    {
      "Id": "DoesntWork",
      "Principal": {
        "DataLakePrincipalIdentifier": ""
      },
      "Resource": {
        "LFTag": {
          "TagKey": "ExampleTBAC",
          "TagValues": ["ExampleValue1","ExampleValue2"]
        }
      },
      "Permissions": ["DESCRIBE_TAG","ASSOCIATE_TAG"]
    }
  ]
}
In practice, the syntax is actually:
WORKING.JSON:
{
  "Entries": [
    {
      "Id": "DoesntWork",
      "Principal": {
        "DataLakePrincipalIdentifier": ""
      },
      "Resource": {
        "LFTag": {
          "TagKey": "ExampleTBAC",
          "TagValues": ["ExampleValue1","ExampleValue2"]
        }
      },
      "Permissions": ["DESCRIBE","ASSOCIATE"] <==== NOTE the missing "_TAG"
    }
  ]
}
SDK version number
2.2.39

Platform/OS/Hardware/Device
What are you running the cli on? Windows 10

To Reproduce (observed behavior)
Run the following command:
aws lakeformation batch-grant-permissions --cli-input-json file://broken.json
Run the following command:
aws lakeformation batch-grant-permissions --cli-input-json file://working.json

Expected behavior
CLI documentation should describe correct values for the JSON inputs:
I.e. "Permissions": ["ALL"|"SELECT"|"ALTER"|"DROP"|"DELETE"|"INSERT"|"DESCRIBE"|"CREATE_DATABASE"|"CREATE_TABLE"|"DATA_LOCATION_ACCESS"|"CREATE_TAG"|"ALTER_TAG"|"DELETE_TAG"|"DESCRIBE"|"ASSOCIATE", ...], "PermissionsWithGrantOption": ["ALL"|"SELECT"|"ALTER"|"DROP"|"DELETE"|"INSERT"|"DESCRIBE"|"CREATE_DATABASE"|"CREATE_TABLE"|"DATA_LOCATION_ACCESS"|"CREATE_TAG"|"ALTER_TAG"|"DELETE_TAG"|"DESCRIBE"|"ASSOCIATE", ...] }
Logs/output
N/A.

Additional context
This is purely a documentation bug.
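Added example (not part of the original issue or of the AWS CLI): a pre-flight check for a `--cli-input-json` grant file that flags permission values outside the list given under "Expected behavior" above and, where the value without its `_TAG` suffix is on that list, suggests it. The value set is copied from this report, not from the service model; `lint_grant_input` and the sample principal are hypothetical.

```python
import json

# Permission values as listed under "Expected behavior" in this issue
# (assumption: copied from the report, not from the service model).
REPORTED_VALUES = {
    "ALL", "SELECT", "ALTER", "DROP", "DELETE", "INSERT", "DESCRIBE",
    "CREATE_DATABASE", "CREATE_TABLE", "DATA_LOCATION_ACCESS",
    "CREATE_TAG", "ALTER_TAG", "DELETE_TAG", "ASSOCIATE",
}
PERMISSION_KEYS = ("Permissions", "PermissionsWithGrantOption")
SUFFIX = "_TAG"


def lint_grant_input(doc):
    """Return (entry_id, key, value, suggestion) for each unlisted value."""
    findings = []
    for entry in doc.get("Entries", []):
        for key in PERMISSION_KEYS:
            for value in entry.get(key, []):
                if value in REPORTED_VALUES:
                    continue
                # DESCRIBE_TAG / ASSOCIATE_TAG differ from the reported
                # working values only by the "_TAG" suffix.
                stem = value[:-len(SUFFIX)] if value.endswith(SUFFIX) else None
                suggestion = stem if stem in REPORTED_VALUES else None
                findings.append((entry.get("Id"), key, value, suggestion))
    return findings


# Constructed sample modelled on broken.json; the principal is a placeholder.
SAMPLE = json.loads("""
{"Entries": [{
  "Id": "DoesntWork",
  "Principal": {"DataLakePrincipalIdentifier": "PLACEHOLDER_PRINCIPAL_ARN"},
  "Resource": {"LFTag": {"TagKey": "ExampleTBAC",
                         "TagValues": ["ExampleValue1", "ExampleValue2"]}},
  "Permissions": ["DESCRIBE_TAG", "ASSOCIATE_TAG"]
}]}
""")

if __name__ == "__main__":
    for entry_id, key, value, suggestion in lint_grant_input(SAMPLE):
        hint = f" (did you mean {suggestion!r}?)" if suggestion else ""
        print(f"{entry_id}: {key} contains {value!r}{hint}")
```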