aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/

Unable to grant permissions to database using Lake formation Java API #427

Closed arun1ram closed 1 year ago

arun1ram commented 1 year ago

I am trying to use the Lake formation Java API to grant permissions to an IAM user. I am able to use the AWS console to do the same (see screenshot for what I am trying to do). However, when I use the following Java code, I do not get any error response, but the permissions are actually not granted.

        GrantPermissionsRequest grantPermRequest = new GrantPermissionsRequest()
                .withResource(new Resource()
                        .withTable(new TableResource()
                                .withDatabaseName("some valid db name")
                                .withTableWildcard(new TableWildcard())
                        ))
                .withPermissions(Permission.SELECT)
                .withPrincipal(new DataLakePrincipal()
                        .withDataLakePrincipalIdentifier("some valid arn"));
        final GrantPermissionsResult grantPermissionsResult = awsLakeFormationClient.grantPermissions(grantPermRequest);
        System.out.println("status code:" + grantPermissionsResult.getSdkHttpMetadata().getHttpStatusCode());
        DatabaseResource databaseResource = new DatabaseResource().withName(databaseName);
        final ListPermissionsResult listPermissionsResult = awsLakeFormationClient.listPermissions(new ListPermissionsRequest()
                .withResource(new Resource().withDatabase(databaseResource))
                .withPrincipal(new DataLakePrincipal()
                        .withDataLakePrincipalIdentifier("some valid arn"))
        );
        System.out.println("permissions:" + listPermissionsResult);

The above request returns a 200 response and prints an empty permissions result, as below:

status code:200
permissions:{PrincipalResourcePermissions: [],}

arun1ram commented 1 year ago

[Screenshot: Screen Shot 2022-11-28 at 5 05 32 PM]

debora-ito commented 1 year ago

Hi @arun1ram, apologies for the delayed response.

I cannot reproduce the issue. Calling grantPermissions returns status code 200 and listPermissions returns:

permissions:{PrincipalResourcePermissions: [{Principal: {DataLakePrincipalIdentifier: arn:aws:iam::xxx:user/User},Resource: {Database: {CatalogId: xxx,Name: mydatabase},},Permissions: [ALL],PermissionsWithGrantOption: [],}],}

My guess is that in your example you are granting permission to one database but listing permissions of a different database:

        GrantPermissionsRequest grantPermRequest = new GrantPermissionsRequest()
                .withResource(new Resource().withTable(new TableResource()
                        .withDatabaseName("some valid db name") //<--- database is "some valid db name"
                        .withTableWildcard(new TableWildcard())))
                .withPermissions(Permission.SELECT)
                .withPrincipal(new DataLakePrincipal().withDataLakePrincipalIdentifier("some valid arn"));

        final GrantPermissionsResult grantPermissionsResult = awsLakeFormationClient.grantPermissions(grantPermRequest);
        System.out.println("status code:" + grantPermissionsResult.getSdkHttpMetadata().getHttpStatusCode());

        DatabaseResource databaseResource = new DatabaseResource()
                .withName(databaseName); //<--- database is probably not "some valid db name"

        final ListPermissionsResult listPermissionsResult = awsLakeFormationClient.listPermissions(new ListPermissionsRequest()
                .withResource(new Resource().withDatabase(databaseResource))
                .withPrincipal(new DataLakePrincipal()
                        .withDataLakePrincipalIdentifier("some valid arn"))
        );
        System.out.println("permissions:" + listPermissionsResult);
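
Added example, not part of the original thread or the SDK's own code: a grant followed by a verification that reuses one `Resource` object and one principal for both calls, so the grant and the lookup cannot target different resources, and that fails loudly instead of trusting the HTTP 200. It uses the same AWS SDK for Java v1 classes as the snippets above; the class name `GrantAndVerify`, the helper `grantAndList` and the command-line arguments are assumptions made for illustration, as is the expectation that the listing accepts the same table-wildcard resource shape used for the grant.

```java
import com.amazonaws.services.lakeformation.AWSLakeFormation;
import com.amazonaws.services.lakeformation.AWSLakeFormationClientBuilder;
import com.amazonaws.services.lakeformation.model.*;

import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class GrantAndVerify {

    /** Grants the permission, then lists permissions for the SAME resource and principal. */
    static Set<String> grantAndList(AWSLakeFormation client, Resource resource,
                                    DataLakePrincipal principal, Permission permission) {
        client.grantPermissions(new GrantPermissionsRequest()
                .withResource(resource)
                .withPrincipal(principal)
                .withPermissions(permission));

        Set<String> effective = new HashSet<>();
        String nextToken = null;
        do { // listPermissions is paginated: follow NextToken until it is null
            ListPermissionsResult page = client.listPermissions(new ListPermissionsRequest()
                    .withResource(resource)      // same object that was granted on
                    .withPrincipal(principal)
                    .withNextToken(nextToken));
            for (PrincipalResourcePermissions entry : page.getPrincipalResourcePermissions()) {
                List<String> perms = entry.getPermissions();
                if (perms != null) effective.addAll(perms);
            }
            nextToken = page.getNextToken();
        } while (nextToken != null);
        return effective;
    }

    public static void main(String[] args) {
        // Assumed inputs: args[0] = database name, args[1] = IAM principal ARN.
        Resource allTables = new Resource().withTable(new TableResource()
                .withDatabaseName(args[0])
                .withTableWildcard(new TableWildcard()));
        DataLakePrincipal principal = new DataLakePrincipal()
                .withDataLakePrincipalIdentifier(args[1]);

        AWSLakeFormation client = AWSLakeFormationClientBuilder.defaultClient();
        Set<String> effective = grantAndList(client, allTables, principal, Permission.SELECT);
        if (!effective.contains(Permission.SELECT.toString())) {
            throw new IllegalStateException("SELECT not visible on " + allTables + ": " + effective);
        }
        System.out.println("verified permissions: " + effective);
    }
}
```
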

github-actions[bot] commented 1 year ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.