Open be-rock opened 1 year ago
~For principal use IAM_ALLOWED_PRINCIPALS and you should be good.~
See below:
IAM_ALLOWED_PRINCIPALS != ALLIAMPrincipals ($ACCOUNT_ID:IAMPrincipals)
Principal is an IAM group - IAMAllowedPrincipals
Lake Formation sets Super permission on all databases and tables in the Data Catalog to a group called IAMAllowedPrincipals by default. If this group permission exists on a database or a table, all principals in your account will have access to the resource through the IAM principal policies for AWS Glue. It provides backward compatibility when you start using Lake Formation permissions to secure the Data Catalog resources that were earlier protected by IAM policies for AWS Glue. When you use Lake Formation to manage permissions for your Data Catalog resources, you need to first revoke the IAMAllowedPrincipals permission on the resources, or opt in the principals and the resources to hybrid access mode for Lake Formation permissions to work.
Principal is an IAM group - ALLIAMPrincipals
When you grant permissions to ALLIAMPrincipals group on a Data Catalog resource, every principal in the account gets access to the Data Catalog resource using Lake Formation permissions and IAM permissions.
This is still a bug.
Any news? 😕
@maiconbaum @dpandolfo @mebuffet @dacreify there is a fix here, please add your 👍 to it 😄 https://github.com/hashicorp/terraform-provider-aws/pull/38600
Terraform Core Version
1.1.8
AWS Provider Version
4.56.0
Affected Resource(s)
aws_lakeformation_permissions
Expected Behavior
DESCRIBE permissions granted to all Principals in the account via: principal = "123456789012:IAMPrincipals"
Actual Behavior
A Terraform error is thrown
Relevant Error/Panic Output Snippet
Error: "principal" doesn't look like AWS Account ID (exactly 12 digits): "123456789012:IAMPrincipals"
Terraform Configuration Files
none to add
Steps to Reproduce
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
Each of the 3 official documentation pages describes an account-level grant that's possible through 123456789012:IAMPrincipals, but using this approach fails with Terraform with the provided error message.
A sample aws CLI command that works as expected:
Would you like to implement a fix?
No
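The two account-wide grants that the quoted Lake Formation docs distinguish, written with the affected resource. This is an added illustration, not configuration from the issue or the provider's docs; the database name and the account ID 123456789012 are placeholders.

```hcl
# Added example (not from the issue): the two account-wide principals the
# quoted Lake Formation docs distinguish, expressed with
# aws_lakeformation_permissions. "example_db" and 123456789012 are placeholders.

# IAMAllowedPrincipals: the backward-compatibility group. While this grant
# exists on a database, every IAM principal in the account reaches it through
# IAM/Glue policies and Lake Formation permissions are not enforced. Declaring
# it explicitly keeps the (normally implicit) Super grant visible in state so
# it can be reviewed and removed once Lake Formation permissions take over.
resource "aws_lakeformation_permissions" "iam_allowed" {
  principal   = "IAM_ALLOWED_PRINCIPALS"
  permissions = ["ALL"]

  database {
    name = "example_db"
  }
}

# ALLIAMPrincipals: the account-level grant the AWS docs give as
# "<account-id>:IAMPrincipals". Every principal in the account gets exactly
# the listed permission (here DESCRIBE only) under Lake Formation enforcement.
# In AWS provider 4.56.0 this value is rejected by the resource's principal
# validation with the error quoted in the report; the CLI accepts it.
resource "aws_lakeformation_permissions" "all_iam_principals_describe" {
  principal   = "123456789012:IAMPrincipals"
  permissions = ["DESCRIBE"]

  database {
    name = "example_db"
  }
}
```

The second resource is the one this issue is about; with the provider version reported above, plan fails at validation before any API call is made.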