
I am trying to create a Glue database and grant permissions on it in Lake Formation. I tried several approaches and several IAM roles and policies based on the documentation, but every time I get "Insufficient Lake Formation permission(s): Required Create Database on Catalog". The code is pretty much straightforward, and when I define permissions in Lake Formation I specify the ALL value. When I do this from the console it works. I am basically replicating the same thing in code, but for some reason it does not work. Does anyone have an idea what is missing in the code? Thank you!

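class ExampleStack(Stack):
    """Glue catalog database backed by an S3 bucket, wired into Lake Formation.

    The stack creates: an IAM role assumable by Glue, a Glue database whose
    location is the bucket, a Lake Formation data-location registration for
    that bucket, and two Lake Formation grants to the Glue role
    (DATA_LOCATION_ACCESS on the location, ALL on the database).
    """

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        # Single source of truth for the bucket and database names; the ARN and
        # S3 URI are derived from the bucket name so they cannot drift apart.
        bucket_name = "transformed-v5"
        custom_data_bucket_arn = "arn:aws:s3:::" + bucket_name
        s3_location = "s3://" + bucket_name
        database_name = "datalake-v5"

        glue_role = cdk.aws_iam.Role(
            self,
            "glue_role",
            assumed_by=cdk.aws_iam.ServicePrincipal("glue.amazonaws.com"),
            managed_policies=[
                cdk.aws_iam.ManagedPolicy.from_managed_policy_arn(
                    self,
                    "ManagedGlueRole",
                    managed_policy_arn="arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole",
                )
            ],
        )

        # Object-level actions only apply to object ARNs, so grant exactly the
        # objects in this bucket. The earlier pattern "arn:aws:s3:::transformed-v5*"
        # also matched any other bucket whose name merely starts with that
        # prefix, which is wider than this role needs.
        glue_role.add_to_policy(
            cdk.aws_iam.PolicyStatement(
                actions=["s3:GetObject", "s3:PutObject"],
                effect=cdk.aws_iam.Effect.ALLOW,
                resources=[custom_data_bucket_arn + "/*"],
            )
        )

        glue_db = cdk.aws_glue.CfnDatabase(
            self,
            "Database",
            catalog_id=cdk.Aws.ACCOUNT_ID,
            database_input=cdk.aws_glue.CfnDatabase.DatabaseInputProperty(
                name=database_name,
                location_uri=s3_location,
            ),
        )
        # NOTE(review): this resource is created by the principal that deploys
        # the stack (the CloudFormation execution role), not by glue_role, so
        # Lake Formation's check for "Create Database on Catalog" is evaluated
        # against that deploying principal. None of the grants below touch that
        # principal; if deployment fails here with that message, the deploying
        # role presumably needs the catalog-level permission (or data lake
        # administrator status) granted separately — confirm against the
        # account's Lake Formation settings.

        location_resource = cdk.aws_lakeformation.CfnResource(
            self,
            "DatalakeLocationResource",
            resource_arn=custom_data_bucket_arn,
            use_service_linked_role=True,
        )

        # Both grants target the same principal; build the property once.
        glue_principal = cdk.aws_lakeformation.CfnPermissions.DataLakePrincipalProperty(
            data_lake_principal_identifier=glue_role.role_arn
        )

        location_permission = cdk.aws_lakeformation.CfnPermissions(
            self,
            "DatalakeLocationPermission",
            data_lake_principal=glue_principal,
            resource=cdk.aws_lakeformation.CfnPermissions.ResourceProperty(
                data_location_resource=cdk.aws_lakeformation.CfnPermissions.DataLocationResourceProperty(
                    s3_resource=custom_data_bucket_arn
                )
            ),
            permissions=["DATA_LOCATION_ACCESS"],
        )
        # The location must be registered before access to it can be granted.
        location_permission.add_dependency(location_resource)

        database_permission = cdk.aws_lakeformation.CfnPermissions(
            self,
            "DatabasePermission",
            data_lake_principal=glue_principal,
            resource=cdk.aws_lakeformation.CfnPermissions.ResourceProperty(
                database_resource=cdk.aws_lakeformation.CfnPermissions.DatabaseResourceProperty(
                    name=database_name
                )
            ),
            permissions=["ALL"],
            # Grant option lets glue_role re-grant ALL to other principals;
            # keep only if that delegation is intended.
            permissions_with_grant_option=["ALL"],
        )
        # The database is referenced by name only, so CloudFormation sees no
        # link to glue_db and may try this grant before the database exists.
        # Make the ordering explicit.
        database_permission.add_dependency(glue_db)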