hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_lakeformation_permissions does not support IAMPrincipals #29767

Open be-rock opened 1 year ago

be-rock commented 1 year ago

Terraform Core Version

1.1.8

AWS Provider Version

4.56.0

Affected Resource(s)

aws_lakeformation_permissions

Expected Behavior

DESCRIBE permissions granted to all Principals in the account via: principal = "123456789012:IAMPrincipals"

Actual Behavior

A Terraform error is thrown

Relevant Error/Panic Output Snippet

Error: "principal" doesn't look like AWS Account ID (exactly 12 digits): "123456789012:IAMPrincipals"

Terraform Configuration Files

none to add

Steps to Reproduce

data "aws_caller_identity" "current" {}

resource "aws_glue_catalog_database" "database" {
  name  = "my_test_db"
}

resource "aws_lakeformation_permissions" "local_account_describe" {
  depends_on = [
    aws_glue_catalog_database.database
  ]
  principal   = "${data.aws_caller_identity.current.id}:IAMPrincipals" # <-- this
  permissions = ["DESCRIBE"]
  database {
    name       = aws_glue_catalog_database.database.name
    catalog_id = data.aws_caller_identity.current.id
  }
}

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

Each of the 3 official documentation pages describes an account-level grant that's possible through 123456789012:IAMPrincipals, but using this approach fails in Terraform with the error message above.

A sample aws CLI command that works as expected:

aws lakeformation grant-permissions \
    --principal DataLakePrincipalIdentifier='111122223333:IAMPrincipals' \
    --permissions DESCRIBE \
    --resource '{"Database": {"Name": "my_test_db"} }'

Would you like to implement a fix?

No

dacreify commented 1 year ago

~For principal use IAM_ALLOWED_PRINCIPALS and you should be good.~

See below

maiconbaum commented 7 months ago

IAM_ALLOWED_PRINCIPALS != ALLIAMPrincipals ($ACCOUNT_ID:IAMPrincipals)

Principal is an IAM group - IAMAllowedPrincipals

Lake Formation sets Super permission on all databases and tables in the Data Catalog to a group called IAMAllowedPrincipals by default. If this group permission exists on a database or a table, all principals in your account will have access to the resource through the IAM principal policies for AWS Glue. It provides backward compatibility when you start using Lake Formation permissions to secure the Data Catalog resources that were earlier protected by IAM policies for AWS Glue.

When you use Lake Formation to manage permissions for your Data Catalog resources, you need to first revoke the IAMAllowedPrincipals permission on the resources, or opt in the principals and the resources to hybrid access mode for Lake Formation permissions to work.

Principal is an IAM group - ALLIAMPrincipals

When you grant permissions to ALLIAMPrincipals group on a Data Catalog resource, every principal in the account gets access to the Data Catalog resource using Lake Formation permissions and IAM permissions.

Reference.

This is still a bug.
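As an added example (not code from this issue, the AWS docs, or the provider itself), the following Python classifies the principal identifier forms named in this thread and then audits a constructed ListPermissions-style listing, flagging the two group principals that reach every IAM principal in the account: IAM_ALLOWED_PRINCIPALS (the backward-compatibility grant the quoted docs say to revoke) and ACCOUNT_ID:IAMPrincipals (the form the provider rejected). The regular expressions, the `covers_all_iam_principals` flag, `find_broad_grants`, `resource_name` and `SAMPLE_PERMISSIONS` are my own approximations and constructed data, not the provider's validator or real account output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Principal identifier forms named in this thread and in the Lake Formation docs.
# These patterns are my own approximation, not the provider's validation logic.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ALL_IAM_PRINCIPALS_RE = re.compile(r"^(\d{12}):IAMPrincipals$")
IAM_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):(user|role|group)/.+$")
IAM_ALLOWED_PRINCIPALS = "IAM_ALLOWED_PRINCIPALS"


@dataclass(frozen=True)
class PrincipalInfo:
    kind: str                        # account | all_iam_principals | iam_allowed_principals | iam_arn
    account_id: Optional[str]
    covers_all_iam_principals: bool  # True for the two group principals reaching every IAM principal


def classify_principal(identifier: str) -> PrincipalInfo:
    """Classify a DataLakePrincipalIdentifier string.

    The provider error quoted in the issue accepted only the bare 12-digit
    account form; this also accepts ACCOUNT_ID:IAMPrincipals and IAM ARNs.
    """
    if identifier == IAM_ALLOWED_PRINCIPALS:
        return PrincipalInfo("iam_allowed_principals", None, True)
    m = ALL_IAM_PRINCIPALS_RE.match(identifier)
    if m:
        return PrincipalInfo("all_iam_principals", m.group(1), True)
    if ACCOUNT_ID_RE.match(identifier):
        # A bare account ID is a cross-account share, not a grant to individual principals.
        return PrincipalInfo("account", identifier, False)
    m = IAM_ARN_RE.match(identifier)
    if m:
        return PrincipalInfo("iam_arn", m.group(1), False)
    raise ValueError(f"unrecognised principal identifier: {identifier!r}")


def resource_name(resource: dict) -> str:
    """Short label for the Database/Table resource shapes used in this thread (assumed helper)."""
    if "Database" in resource:
        return "database:" + resource["Database"]["Name"]
    if "Table" in resource:
        t = resource["Table"]
        return "table:" + t["DatabaseName"] + "." + t.get("Name", "*")
    return "other:" + ",".join(sorted(resource))


def find_broad_grants(permissions: List[dict]) -> List[Tuple[str, Tuple[str, ...], str]]:
    """Return (principal, permissions, resource) for each grant that reaches all IAM
    principals in the account. Identifiers the classifier does not recognise are
    reported with an UNRECOGNISED: prefix rather than silently skipped."""
    findings = []
    for entry in permissions:
        ident = entry["Principal"]["DataLakePrincipalIdentifier"]
        perms = tuple(entry["Permissions"])
        try:
            info = classify_principal(ident)
        except ValueError:
            findings.append((ident, perms, "UNRECOGNISED:" + resource_name(entry["Resource"])))
            continue
        if info.covers_all_iam_principals:
            findings.append((ident, perms, resource_name(entry["Resource"])))
    return findings


# Constructed sample shaped like ListPermissions' PrincipalResourcePermissions entries
# (the console's "Super" permission is spelled ALL in the API).
SAMPLE_PERMISSIONS = [
    {"Principal": {"DataLakePrincipalIdentifier": "IAM_ALLOWED_PRINCIPALS"},
     "Resource": {"Database": {"Name": "my_test_db"}},
     "Permissions": ["ALL"]},
    {"Principal": {"DataLakePrincipalIdentifier": "123456789012:IAMPrincipals"},
     "Resource": {"Database": {"Name": "my_test_db"}},
     "Permissions": ["DESCRIBE"]},
    {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/analyst"},
     "Resource": {"Table": {"DatabaseName": "my_test_db", "Name": "events"}},
     "Permissions": ["SELECT"]},
]

if __name__ == "__main__":
    for principal, perms, res in find_broad_grants(SAMPLE_PERMISSIONS):
        print(f"{principal:40} {','.join(perms):10} {res}")
```

Run against real output, the listing would come from `aws lakeformation list-permissions`; the point of the audit is that a DESCRIBE grant to ACCOUNT_ID:IAMPrincipals is an intentional account-wide grant, while a lingering ALL grant to IAM_ALLOWED_PRINCIPALS means the resource is still governed by IAM Glue policies rather than Lake Formation, exactly the distinction the quoted documentation draws.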

maiconbaum commented 4 months ago

Any news? 😕

nickdelnano commented 2 months ago

@maiconbaum @dpandolfo @mebuffet @dacreify there is a fix here, please add your 👍 to it 😄 https://github.com/hashicorp/terraform-provider-aws/pull/38600