data-dot-all / dataall

A modern data marketplace that makes collaboration among diverse users (like business, analysts and engineers) easier, increasing efficiency and agility in data projects on AWS.
https://data-dot-all.github.io/dataall/
Apache License 2.0
236 stars 82 forks

Insufficient Glue permissions to access table #526

Closed anilprobable closed 1 year ago

anilprobable commented 1 year ago

Hi, I am facing an issue while sharing tables in the Prod env. In the Dev and QA envs, sharing Glue catalog tables works fine.

Here is the scenario -

  1. Account 2602XXXX9338 A - Dataset created
  2. Account 8282XXXX3582 B - Dataset Share request and submit
  3. Account 2602XXXX9338 A - Database table access approved, but share failed with following error for tables-

Please suggest whether I need to grant the permission in Lake Formation. I can't even see the tables in AWS Resource Access Manager.

Error log -

timestamp message
1.68718E+12 '"-- Using schema: prd --"
1.68718E+12 Starting processing task for share : r2oxlche...
1.68718E+12 Updating share object r2oxlche in DB from Approved to state Share_In_Progress
1.68718E+12 Granting permissions to folders: []
1.68718E+12 ##### Starting Sharing folders #######
1.68718E+12 sharing folders succeeded = True
1.68718E+12 Granting permissions to tables: [<dataall.db.models.DatasetTable.DatasetTable object at 0x7f7a8442cb80>, <dataall.db.models.DatasetTable.DatasetTable object at 0x7f7a8442cf40>, <dataall.db.models.DatasetTable.DatasetTable object at 0x7f7a8442cf70>, <dataall.db.models.DatasetTable.DatasetTable object at 0x7f7a84434160>]
1.68718E+12 ##### Starting Sharing tables cross account #######
1.68718E+12 Granting database permissions ['ALL'] to arn:aws:iam::260XXXXX9338:role/dataallPivotRole on database iff_ot_curr_data
1.68718E+12 Successfully granted principal arn:aws:iam::260XXXXX9338:role/dataallPivotRole permissions ['ALL'] to iff_ot_curr_data
1.68718E+12 Creating shared db ...8282XXXX3582://iff_ot_curr_data_shared_r2oxlche
1.68718E+12 Database iff_ot_curr_data_shared_r2oxlche does not exist on account 8282XXXX3582...
1.68718E+12 Creating Glue database with input: {'Name': 'iff_ot_curr_data_shared_r2oxlche', 'Description': 'dataall database iff_ot_curr_data_shared_r2oxlche ', 'CreateTableDefaultPermissions': [], 'LocationUri': 's3://iffdataprd-nsva-curated-use1'}
1.68718E+12 response Create Database: {'ResponseMetadata': {'RequestId': '3ec95794-5aae-4f31-9bb4-cd9adcff4eac', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Mon, 19 Jun 2023 14:25:31 GMT', 'content-type': 'application/x-amz-json-1.1', 'content-length': '2', 'connection': 'keep-alive', 'x-amzn-requestid': '3ec95794-5aae-4f31-9bb4-cd9adcff4eac'}, 'RetryAttempts': 0}}
1.68718E+12 Granting database permissions ['ALL'] to arn:aws:iam::8282XXXX3582:role/dataallPivotRole on database iff_ot_curr_data_shared_r2oxlche
1.68718E+12 Successfully granted principal arn:aws:iam::8282XXXX3582:role/dataallPivotRole permissions ['ALL'] to iff_ot_curr_data_shared_r2oxlche
1.68718E+12 Granting database permissions ['DESCRIBE'] to arn:aws:iam::8282XXXX3582:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_iff_aws_mfg_mlops_datascientist_77738cf190679517 on database iff_ot_curr_data_shared_r2oxlche
1.68718E+12 Successfully granted principal arn:aws:iam::8282XXXX3582:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_iff_aws_mfg_mlops_datascientist_77738cf190679517 permissions ['DESCRIBE'] to iff_ot_curr_data_shared_r2oxlche
1.68718E+12 Sharing table asset_hierarchy_metadata...
1.68718E+12 Updating share item in DB ofir7eqs status to Share_In_Progress
1.68718E+12 Glue table found: {'accountid': '260XXXXX9338', 'region': 'us-east-1', 'database': 'iff_ot_curr_data', 'tablename': 'asset_hierarchy_metadata'}
1.68718E+12 Revoking IAMAllowedGroups Super permission for table iff_ot_curr_data|asset_hierarchy_metadata
1.68718E+12 Batch Revoking [{'Id': '657fba54-e91b-4b14-81c2-12eef26a7c3d', 'Principal': {'DataLakePrincipalIdentifier': 'EVERYONE'}, 'Resource': {'Table': {'DatabaseName': 'iff_ot_curr_data', 'Name': 'asset_hierarchy_metadata', 'CatalogId': '260XXXXX9338'}}, 'Permissions': ['ALL'], 'PermissionsWithGrantOption': []}]
1.68718E+12 Batch Revoke response: {'ResponseMetadata': {'RequestId': '1c9ed3b5-1dbf-4000-9c5e-8f41af582065', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Mon, 19 Jun 2023 14:25:34 GMT', 'content-type': 'application/json', 'content-length': '597', 'connection': 'keep-alive', 'x-amzn-requestid': '1c9ed3b5-1dbf-4000-9c5e-8f41af582065', 'cache-control': 'no-cache'}, 'RetryAttempts': 0}, 'Failures': [{'RequestEntry': {'Id': '657fba54-e91b-4b14-81c2-12eef26a7c3d', 'Principal': {'DataLakePrincipalIdentifier': 'EVERYONE'}, 'Resource': {'Table': {'CatalogId': '260XXXXX9338', 'DatabaseName': 'iff_ot_curr_data', 'Name': 'asset_hierarchy_metadata'}}, 'Permissions': ['ALL'], 'PermissionsWithGrantOption': []}, 'Error': {'ErrorCode': 'InvalidInputException', 'ErrorMessage': 'No permissions revoked. Grantee does not does not have:[ALL]'}}]}
1.68718E+12 Could not grant principal 8282XXXX3582 permissions ['DESCRIBE', 'SELECT'] to table iff_ot_curr_data.asset_hierarchy_metadata due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: User: arn:aws:sts::260XXXXX9338:assumed-role/dataallPivotRole/dataallPivotRole is not authorized to perform: ram:CreateResourceShare on resource: arn:aws:ram:us-east-1:260XXXXX9338:resource-share/ with an explicit deny (Service: AWSRAM; Status Code: 403; Error Code: AccessDeniedException; Request ID: d7972317-bc7e-462f-bd99-a971fd36e8be; Proxy: null)
1.68718E+12 Granted access to table asset_hierarchy_metadata to external account 8282XXXX3582
1.68718E+12 Found resource_share_associations : []
1.68718E+12 Listing invitations for resourceShareArns: []
1.68718E+12 Found 0 RAM invitations for resourceShareArn: []
1.68718E+12 Creating ResourceLink asset_hierarchy_metadata in database 8282XXXX3582://iff_ot_curr_data_shared_r2oxlche
1.68718E+12 Glue table not found: {'accountid': '8282XXXX3582', 'region': 'us-east-1', 'database': 'iff_ot_curr_data_shared_r2oxlche', 'tablename': 'asset_hierarchy_metadata'}
1.68718E+12 Successfully created ResourceLink asset_hierarchy_metadata in database 8282XXXX3582://iff_ot_curr_data_shared_r2oxlche
1.68718E+12 Granted resource link DESCRIBE access to principal arn:aws:iam::8282XXXX3582:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_iff_aws_mfg_mlops_datascientist_77738cf190679517 on 8282XXXX3582://iff_ot_curr_data_shared_r2oxlche/asset_hierarchy_metadata
1.68718E+12 Failed granting principal arn:aws:iam::8282XXXX3582:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_iff_aws_mfg_mlops_datascientist_77738cf190679517 read access to resource link on target 260XXXXX9338://iff_ot_curr_data/asset_hierarchy_metadata due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: Insufficient Glue permissions to access table asset_hierarchy_metadata
1.68718E+12 Resource Link {'Name': 'asset_hierarchy_metadata', 'TargetTable': {'CatalogId': '260XXXXX9338', 'DatabaseName': 'iff_ot_curr_data', 'Name': 'asset_hierarchy_metadata'}} was not created due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: Insufficient Glue permissions to access table asset_hierarchy_metadata
1.68718E+12 Failed to share table asset_hierarchy_metadata from source account 260XXXXX9338//us-east-1 with target account 8282XXXX3582/us-east-1due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: Insufficient Glue permissions to access table asset_hierarchy_metadata
1.68718E+12 Triggering share failure alarm...
1.68718E+12 Sending deployment failure notification
1.68718E+12 Updating share item in DB ofir7eqs status to Share_Failed
1.68718E+12 Sharing table asset_metadata...
1.68718E+12 Updating share item in DB j378hk9m status to Share_In_Progress
1.68718E+12 Glue table found: {'accountid': '260XXXXX9338', 'region': 'us-east-1', 'database': 'iff_ot_curr_data', 'tablename': 'asset_metadata'}
1.68718E+12 Revoking IAMAllowedGroups Super permission for table iff_ot_curr_data|asset_metadata
1.68718E+12 Batch Revoking [{'Id': 'cb95f3c7-e91f-46f4-935e-2221b48383b0', 'Principal': {'DataLakePrincipalIdentifier': 'EVERYONE'}, 'Resource': {'Table': {'DatabaseName': 'iff_ot_curr_data', 'Name': 'asset_metadata', 'CatalogId': '260XXXXX9338'}}, 'Permissions': ['ALL'], 'PermissionsWithGrantOption': []}]
1.68718E+12 Batch Revoke response: {'ResponseMetadata': {'RequestId': '8a790792-0e3c-474f-a679-65a18e66cefb', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Mon, 19 Jun 2023 14:25:43 GMT', 'content-type': 'application/json', 'content-length': '587', 'connection': 'keep-alive', 'x-amzn-requestid': '8a790792-0e3c-474f-a679-65a18e66cefb', 'cache-control': 'no-cache'}, 'RetryAttempts': 0}, 'Failures': [{'RequestEntry': {'Id': 'cb95f3c7-e91f-46f4-935e-2221b48383b0', 'Principal': {'DataLakePrincipalIdentifier': 'EVERYONE'}, 'Resource': {'Table': {'CatalogId': '260XXXXX9338', 'DatabaseName': 'iff_ot_curr_data', 'Name': 'asset_metadata'}}, 'Permissions': ['ALL'], 'PermissionsWithGrantOption': []}, 'Error': {'ErrorCode': 'InvalidInputException', 'ErrorMessage': 'No permissions revoked. Grantee does not does not have:[ALL]'}}]}
1.68718E+12 Could not grant principal 8282XXXX3582 permissions ['DESCRIBE', 'SELECT'] to table iff_ot_curr_data.asset_metadata due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: User: arn:aws:sts::260XXXXX9338:assumed-role/dataallPivotRole/dataallPivotRole is not authorized to perform: ram:CreateResourceShare on resource: arn:aws:ram:us-east-1:260XXXXX9338:resource-share/ with an explicit deny (Service: AWSRAM; Status Code: 403; Error Code: AccessDeniedException; Request ID: 2d824c3b-2e2b-4fcf-9f4d-e6aba13159d2; Proxy: null)
1.68718E+12 Granted access to table asset_metadata to external account 8282XXXX3582
1.68718E+12 Found resource_share_associations : []
1.68718E+12 Listing invitations for resourceShareArns: []
1.68718E+12 Found 0 RAM invitations for resourceShareArn: []
1.68718E+12 Creating ResourceLink asset_metadata in database 8282XXXX3582://iff_ot_curr_data_shared_r2oxlche
1.68718E+12 Glue table not found: {'accountid': '8282XXXX3582', 'region': 'us-east-1', 'database': 'iff_ot_curr_data_shared_r2oxlche', 'tablename': 'asset_metadata'}
1.68718E+12 Successfully created ResourceLink asset_metadata in database 8282XXXX3582://iff_ot_curr_data_shared_r2oxlche
1.68718E+12 Granted resource link DESCRIBE access to principal arn:aws:iam::8282XXXX3582:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_iff_aws_mfg_mlops_datascientist_77738cf190679517 on 8282XXXX3582://iff_ot_curr_data_shared_r2oxlche/asset_metadata
1.68718E+12 Failed granting principal arn:aws:iam::8282XXXX3582:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_iff_aws_mfg_mlops_datascientist_77738cf190679517 read access to resource link on target 260XXXXX9338://iff_ot_curr_data/asset_metadata due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: Insufficient Glue permissions to access table asset_metadata
1.68718E+12 Resource Link {'Name': 'asset_metadata', 'TargetTable': {'CatalogId': '260XXXXX9338', 'DatabaseName': 'iff_ot_curr_data', 'Name': 'asset_metadata'}} was not created due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: Insufficient Glue permissions to access table asset_metadata
1.68718E+12 Failed to share table asset_metadata from source account 260XXXXX9338//us-east-1 with target account 8282XXXX3582/us-east-1due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: Insufficient Glue permissions to access table asset_metadata
1.68718E+12 Triggering share failure alarm...
1.68718E+12 Sending deployment failure notification
1.68718E+12 Updating share item in DB j378hk9m status to Share_Failed
1.68718E+12 Sharing table agg...
1.68718E+12 Updating share item in DB lbg8scx8 status to Share_In_Progress
1.68718E+12 Glue table found: {'accountid': '260XXXXX9338', 'region': 'us-east-1', 'database': 'iff_ot_curr_data', 'tablename': 'agg'}
1.68718E+12 Revoking IAMAllowedGroups Super permission for table iff_ot_curr_data|agg
1.68718E+12 Batch Revoking [{'Id': 'd17eabc8-183f-43a2-b389-e76d5cdcefbf', 'Principal': {'DataLakePrincipalIdentifier': 'EVERYONE'}, 'Resource': {'Table': {'DatabaseName': 'iff_ot_curr_data', 'Name': 'agg', 'CatalogId': '260XXXXX9338'}}, 'Permissions': ['ALL'], 'PermissionsWithGrantOption': []}]
1.68718E+12 Batch Revoke response: {'ResponseMetadata': {'RequestId': '30318d5a-04b5-40b7-b3a0-9cedf37310a4', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Mon, 19 Jun 2023 14:25:51 GMT', 'content-type': 'application/json', 'content-length': '576', 'connection': 'keep-alive', 'x-amzn-requestid': '30318d5a-04b5-40b7-b3a0-9cedf37310a4', 'cache-control': 'no-cache'}, 'RetryAttempts': 0}, 'Failures': [{'RequestEntry': {'Id': 'd17eabc8-183f-43a2-b389-e76d5cdcefbf', 'Principal': {'DataLakePrincipalIdentifier': 'EVERYONE'}, 'Resource': {'Table': {'CatalogId': '260XXXXX9338', 'DatabaseName': 'iff_ot_curr_data', 'Name': 'agg'}}, 'Permissions': ['ALL'], 'PermissionsWithGrantOption': []}, 'Error': {'ErrorCode': 'InvalidInputException', 'ErrorMessage': 'No permissions revoked. Grantee does not does not have:[ALL]'}}]}
1.68718E+12 Could not grant principal 8282XXXX3582 permissions ['DESCRIBE', 'SELECT'] to table iff_ot_curr_data.agg due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: User: arn:aws:sts::260XXXXX9338:assumed-role/dataallPivotRole/dataallPivotRole is not authorized to perform: ram:CreateResourceShare on resource: arn:aws:ram:us-east-1:260XXXXX9338:resource-share/ with an explicit deny (Service: AWSRAM; Status Code: 403; Error Code: AccessDeniedException; Request ID: 66b33d5a-123d-46fa-90f4-6e05d5a298d4; Proxy: null)
1.68718E+12 Granted access to table agg to external account 8282XXXX3582
1.68718E+12 Found resource_share_associations : []
1.68718E+12 Listing invitations for resourceShareArns: []
1.68718E+12 Found 0 RAM invitations for resourceShareArn: []
1.68718E+12 Creating ResourceLink agg in database 8282XXXX3582://iff_ot_curr_data_shared_r2oxlche
1.68718E+12 Glue table not found: {'accountid': '8282XXXX3582', 'region': 'us-east-1', 'database': 'iff_ot_curr_data_shared_r2oxlche', 'tablename': 'agg'}
1.68718E+12 Successfully created ResourceLink agg in database 8282XXXX3582://iff_ot_curr_data_shared_r2oxlche
1.68718E+12 Granted resource link DESCRIBE access to principal arn:aws:iam::8282XXXX3582:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_iff_aws_mfg_mlops_datascientist_77738cf190679517 on 8282XXXX3582://iff_ot_curr_data_shared_r2oxlche/agg
1.68718E+12 Failed granting principal arn:aws:iam::8282XXXX3582:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_iff_aws_mfg_mlops_datascientist_77738cf190679517 read access to resource link on target 260XXXXX9338://iff_ot_curr_data/agg due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: Insufficient Glue permissions to access table agg
1.68718E+12 Resource Link {'Name': 'agg', 'TargetTable': {'CatalogId': '260XXXXX9338', 'DatabaseName': 'iff_ot_curr_data', 'Name': 'agg'}} was not created due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: Insufficient Glue permissions to access table agg
1.68718E+12 Failed to share table agg from source account 260XXXXX9338//us-east-1 with target account 8282XXXX3582/us-east-1due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: Insufficient Glue permissions to access table agg
1.68718E+12 Triggering share failure alarm...
1.68718E+12 Sending deployment failure notification
1.68718E+12 Updating share item in DB lbg8scx8 status to Share_Failed
1.68718E+12 Sharing table raw...
1.68718E+12 Updating share item in DB 85p21sxr status to Share_In_Progress
1.68718E+12 Glue table found: {'accountid': '260XXXXX9338', 'region': 'us-east-1', 'database': 'iff_ot_curr_data', 'tablename': 'raw'}
1.68718E+12 Revoking IAMAllowedGroups Super permission for table iff_ot_curr_data|raw
1.68718E+12 Batch Revoking [{'Id': '4e4e0d95-c80c-49ba-8f5a-dcfd2b835211', 'Principal': {'DataLakePrincipalIdentifier': 'EVERYONE'}, 'Resource': {'Table': {'DatabaseName': 'iff_ot_curr_data', 'Name': 'raw', 'CatalogId': '260XXXXX9338'}}, 'Permissions': ['ALL'], 'PermissionsWithGrantOption': []}]
1.68718E+12 Batch Revoke response: {'ResponseMetadata': {'RequestId': 'b48bed27-ba4c-45ce-9416-d50e4cb91c28', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Mon, 19 Jun 2023 14:25:59 GMT', 'content-type': 'application/json', 'content-length': '576', 'connection': 'keep-alive', 'x-amzn-requestid': 'b48bed27-ba4c-45ce-9416-d50e4cb91c28', 'cache-control': 'no-cache'}, 'RetryAttempts': 0}, 'Failures': [{'RequestEntry': {'Id': '4e4e0d95-c80c-49ba-8f5a-dcfd2b835211', 'Principal': {'DataLakePrincipalIdentifier': 'EVERYONE'}, 'Resource': {'Table': {'CatalogId': '260XXXXX9338', 'DatabaseName': 'iff_ot_curr_data', 'Name': 'raw'}}, 'Permissions': ['ALL'], 'PermissionsWithGrantOption': []}, 'Error': {'ErrorCode': 'InvalidInputException', 'ErrorMessage': 'No permissions revoked. Grantee does not does not have:[ALL]'}}]}
1.68718E+12 Could not grant principal 8282XXXX3582 permissions ['DESCRIBE', 'SELECT'] to table iff_ot_curr_data.raw due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: User: arn:aws:sts::260XXXXX9338:assumed-role/dataallPivotRole/dataallPivotRole is not authorized to perform: ram:CreateResourceShare on resource: arn:aws:ram:us-east-1:260XXXXX9338:resource-share/ with an explicit deny (Service: AWSRAM; Status Code: 403; Error Code: AccessDeniedException; Request ID: d0757438-d6ac-46ff-b3cd-e3a48738a8fa; Proxy: null)
1.68718E+12 Granted access to table raw to external account 8282XXXX3582
1.68718E+12 Found resource_share_associations : []
1.68718E+12 Listing invitations for resourceShareArns: []
1.68718E+12 Found 0 RAM invitations for resourceShareArn: []
1.68718E+12 Creating ResourceLink raw in database 8282XXXX3582://iff_ot_curr_data_shared_r2oxlche
1.68718E+12 Glue table not found: {'accountid': '8282XXXX3582', 'region': 'us-east-1', 'database': 'iff_ot_curr_data_shared_r2oxlche', 'tablename': 'raw'}
1.68718E+12 Successfully created ResourceLink raw in database 8282XXXX3582://iff_ot_curr_data_shared_r2oxlche
1.68718E+12 Granted resource link DESCRIBE access to principal arn:aws:iam::8282XXXX3582:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_iff_aws_mfg_mlops_datascientist_77738cf190679517 on 8282XXXX3582://iff_ot_curr_data_shared_r2oxlche/raw
1.68718E+12 Failed granting principal arn:aws:iam::8282XXXX3582:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_iff_aws_mfg_mlops_datascientist_77738cf190679517 read access to resource link on target 260XXXXX9338://iff_ot_curr_data/raw due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: Insufficient Glue permissions to access table raw
1.68718E+12 Resource Link {'Name': 'raw', 'TargetTable': {'CatalogId': '260XXXXX9338', 'DatabaseName': 'iff_ot_curr_data', 'Name': 'raw'}} was not created due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: Insufficient Glue permissions to access table raw
1.68718E+12 Failed to share table raw from source account 260XXXXX9338//us-east-1 with target account 8282XXXX3582/us-east-1due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: Insufficient Glue permissions to access table raw
1.68718E+12 Triggering share failure alarm...
1.68718E+12 Sending deployment failure notification
1.68718E+12 Updating share item in DB 85p21sxr status to Share_Failed
1.68718E+12 sharing tables succeeded = False
1.68718E+12 Updating share object r2oxlche in DB from Share_In_Progress to state Processed
1.68718E+12 Sharing task finished successfully
1.68718E+12 /usr/local/lib/python3.8/site-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.16) or chardet (5.1.0)/charset_normalizer (2.0.12) doesn't match a supported version!
1.68718E+12 warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "

dlpzx commented 1 year ago

Hi @anilprobable sorry for the late response! It looks like your issue is on the permissions of the pivotRole:

dataallPivotRole is not authorized to perform: ram:CreateResourceShare on resource: arn:aws:ram:us-east-1:260XXXXX9338:resource-share/* with an explicit deny (Service: AWSRAM; Status Code: 403; Error Code: AccessDeniedException; Request ID: d7972317-bc7e-462f-bd99-a971fd36e8be; Proxy: null)

We can check a couple of things

  1. Do you have any SCPs in that PROD account that deny the action ram:CreateResourceShare?
  2. Can you verify the permissions of the pivotRole in that account and make sure that it has the ram:CreateResourceShare permission?

Let's see if we find a solution to your issue :)
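The two checks suggested in the comment above, worked offline as an added example (not part of the thread and not data.all code): it parses the AccessDenied text from the log, then evaluates the action against an SCP layer and an identity-policy layer to tell an explicit deny from a missing allow. Both policy documents and all function names are constructed for illustration; `Condition` and `NotResource` are not evaluated.

```python
import re

# Constructed sample: the AccessDenied text quoted in the thread.
LOG_LINE = ("User: arn:aws:sts::260XXXXX9338:assumed-role/dataallPivotRole/dataallPivotRole "
            "is not authorized to perform: ram:CreateResourceShare on resource: "
            "arn:aws:ram:us-east-1:260XXXXX9338:resource-share/* with an explicit deny")

# Constructed policies (hypothetical, not data.all's or the reporter's).
GUARDRAIL_SCP = {"Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyRamSharing", "Effect": "Deny", "Action": "ram:Create*", "Resource": "*"}]}
PIVOT_ROLE_POLICY = {"Statement": [
    {"Sid": "RamShare", "Effect": "Allow", "Action": ["ram:CreateResourceShare"], "Resource": "*"}]}

DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>[\w-]+:\w+)"
    r"(?: on resource: (?P<resource>\S+))?(?P<explicit> with an explicit deny)?")

def parse_access_denied(message):
    """Pull principal, action, resource and the explicit-deny marker out of the error."""
    m = DENIED_RE.search(message)
    if m is None:
        return None
    return {"principal": m["principal"], "action": m["action"],
            "resource": m["resource"] or "*", "explicit_deny": m["explicit"] is not None}

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: * is any run of characters, ? is exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.S | (re.I if ignore_case else 0)) is not None

def statement_applies(stmt, action, resource):
    if "NotAction" in stmt:  # guardrails often deny everything except a list
        hit = not any(_glob(p, action, True) for p in _as_list(stmt["NotAction"]))
    else:
        hit = any(_glob(p, action, True) for p in _as_list(stmt.get("Action")))
    return hit and any(_glob(p, resource) for p in _as_list(stmt.get("Resource", "*")))

def explain(action, resource, policies):
    """policies: list of (layer, name, document), layer being 'scp' or 'identity'.
    Returns (verdict, detail): the denying statements, or the layers with no Allow."""
    denies, allowed_in = [], {layer: False for layer, _, _ in policies}
    for layer, name, doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                note = " (conditional)" if "Condition" in stmt else ""
                denies.append(f"{name}/{stmt.get('Sid', '<no Sid>')}{note}")
            else:
                allowed_in[layer] = True
    if denies:
        return "explicit deny", denies
    missing = [layer for layer, ok in allowed_in.items() if not ok]
    return ("implicit deny", missing) if missing else ("allowed", [])

if __name__ == "__main__":
    err = parse_access_denied(LOG_LINE)
    layers = [("scp", "guardrail", GUARDRAIL_SCP), ("identity", "pivotRole", PIVOT_ROLE_POLICY)]
    print(err, explain(err["action"], err["resource"], layers))
```

An "explicit deny" verdict points at a guardrail or SCP statement (check 1); an "implicit deny" on the identity layer points at a missing allow on the pivot role (check 2).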

anilprobable commented 1 year ago

Thanks for looking into it.

The issue has been resolved. There was an explicit deny configured from a Guardrail, which is now fixed.

mvidhu commented 1 year ago

Hi @dlpzx, we are also getting a similar issue. The pivot role contains the ram:CreateResourceShare permission, and we do not have any guardrail rules or SCPs configured. Is there any other possibility? Scenario: We have imported an S3 bucket and an existing database and tables to data.all. User A initiated a share request for the dataset, added all the tables to the request and submitted the request. The error in the logs is the same as in the mentioned issue.