boto / botocore

The low-level, core functionality of boto3 and the AWS CLI.
Apache License 2.0

Boto3/botocore lakeformation grant_permissions attribute valid value documentation error. #2406

Closed stthoom closed 2 years ago

stthoom commented 3 years ago

Describe the bug

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/lakeformation.html#LakeFormation.Client.grant_permissions

Issue with Boto3 Lakeformation documentation. grant_permissions "Permissions" parameter valid values are DESCRIBE and ASSOCIATE, which are documented as "DESCRIBE_TAG" and "ASSOCIATE_TAG", causing the error below upon usage.

Steps to reproduce

    import boto3

    lfc = boto3.client("lakeformation")
    response = lfc.grant_permissions(
        CatalogId='**',
        Principal={
            'DataLakePrincipalIdentifier': 'arn:aws:iam::***:role/lake-creator-role'
        },
        Resource={
            'LFTag': {
                'CatalogId': '**********',
                'TagKey': 'security-level',
                'TagValues': [
                    'sec-1',
                    'sec-2',
                    'sec-3'
                ]
            }
        },
        # Value as documented; the service rejects it with the error below
        Permissions=[
            'ASSOCIATE_TAG',
        ]
    )

InvalidInputException: An error occurred (InvalidInputException) when calling the GrantPermissions operation: Please grant only valid Lake Formation permissions. [ASSOCIATE_TAG] are not all valid Lake Formation permissions.

Expected behavior

Documentation needs a fix. /botocore/botocore/data/lakeformation/2017-03-31/service-2.json

stobrien89 commented 3 years ago

Hi @stthoom,

Thanks for reaching out! I looked at the lakeformation model and it appears ASSOCIATE_TAG, along with a few other options, were added on 5/7/2021. I would make sure your boto3 version is 1.17.69 or higher and that your botocore version is at 1.20.69 or higher. Hope this helps!

stthoom commented 3 years ago

If we use Permissions=['ASSOCIATE_TAG'], the grant_permissions fails as above. Able to execute the grant_permissions with Permissions=['ASSOCIATE'].

We have been using the below: boto3 1.17.89, botocore 1.20.89.

stobrien89 commented 3 years ago

Hi @stthoom,

Thanks for clarifying. And thanks for pointing this out. This is definitely strange behavior, as the permission list contains ASSOCIATE_TAG and not ASSOCIATE as a value. Would you be able to send debug logs? If so, just add boto3.set_stream_logger('') to your code and please obscure any sensitive information. Thanks!
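Obscuring sensitive values in SDK debug logs can be done at logging time rather than by hand-editing the file afterwards. The following is an added example, not code from this thread or from boto3/botocore: a `logging` filter that redacts account IDs, SigV4 credentials and session tokens. The regex patterns, placeholder names, logger name and sample records are constructed assumptions about what such output contains.

```python
import io
import logging
import re

# (pattern, replacement) pairs for values that show up in SDK debug output.
REDACTIONS = [
    # 12-digit account ID inside an ARN, e.g. arn:aws:iam::<id>:role/name
    (re.compile(r"(arn:aws[\w-]*:[\w-]*:[\w-]*:)\d{12}(?=:)"), r"\1<ACCOUNT_ID>"),
    # account ID sent as a quoted CatalogId value
    (re.compile(r"""(CatalogId["']\s*:\s*["'])\d{12}"""), r"\1<ACCOUNT_ID>"),
    # SigV4 Authorization header: access key ID and request signature
    (re.compile(r"(Credential=)[A-Z0-9]{16,}"), r"\1<ACCESS_KEY_ID>"),
    (re.compile(r"(Signature=)[0-9a-f]{64}"), r"\1<SIGNATURE>"),
    # session token header sent with temporary credentials
    (re.compile(r"""(X-Amz-Security-Token["']?\s*[:=]\s*b?["']?)[\w+/=]{16,}""", re.I),
     r"\1<SESSION_TOKEN>"),
]

def redact(text: str) -> str:
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text

class RedactFilter(logging.Filter):
    """Redact after %-formatting, so values passed as log arguments are covered too."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact(record.getMessage()), None
        return True

def demo() -> str:
    """Send constructed sample records through the filter; return the written text."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    # Filter on the handler: a logger-level filter is skipped for child-logger records.
    handler.addFilter(RedactFilter())
    log = logging.getLogger("redact_demo.endpoint")  # hypothetical logger name
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    log.propagate = False
    arn = "arn:aws:iam::111122223333:role/lake-creator-role"  # constructed account ID
    auth = "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLEEXAMPLE00/20210607/us-east-1/" \
           "lakeformation/aws4_request, Signature=" + "ab12" * 16  # constructed
    log.debug("params: %s", {"CatalogId": "111122223333", "Principal": arn})
    log.debug("headers: %s", {"Authorization": auth,
                              "X-Amz-Security-Token": b"EXAMPLETOKEN" * 3})
    return buf.getvalue()

if __name__ == "__main__":
    print(demo())
```

With boto3, call `boto3.set_stream_logger('')` first and then add `RedactFilter()` to each handler in `logging.getLogger('').handlers`. Review the output before attaching it, since the patterns only cover the value shapes listed.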

stthoom commented 3 years ago

LF_BOTOCORE_ERROR_LOG.txt

stobrien89 commented 2 years ago

P49159160

stobrien89 commented 2 years ago

Hi @stthoom,

Just wanted to give you a heads-up that it appears the Lakeformation team is still working on this and that I'll be moving this to our shared SDKs repository for tracking since this issue is not specific to botocore. Please let me know if you have any questions!
