Recurring error for Consumer Account (lakeformation:GetDataLakeSettings) #22

Open
@TomEijk

Hi all!

For the consumer account, I don't know which policies should be applied for Lake Formation.
This error pops up when I apply too many policies on this account:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "lakeformation:GetDataLakeSettings"
          ],
          "Resource": "*"
        }
      ]
    }

      File "C:\Users\Anaconda3\lib\site-packages\data_mesh_util\DataMeshAdmin.py", line 381, in _initialize_account_as
        self._automator.assert_is_data_lake_admin(
      File "C:\Users\64324\Anaconda3\lib\site-packages\data_mesh_util\lib\ApiAutomator.py", line 668, in assert_is_data_lake_admin
        raise Exception(f"Principal {principal} is not Data Lake Admin")
    Exception: Principal arn:aws:iam::[ACCOUNT_ID]:user/Consumer is not Data Lake Admin

However, when I apply too few policies (removing the above policy), another error pops up:

botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the GetDataLakeSettings operation: User: arn:aws:iam::[ACCOUNT_ID]:user/AwsDataMesh/DataMeshProducer is not authorized to perform: lakeformation:GetDataLakeSettings on resource: arn:aws:lakeformation:us-east-1:[ACCOUNT_ID]:catalog:[ACCOUNT_ID] because no identity-based policy allows the lakeformation:GetDataLakeSettings action

Even when I use the DataMeshProducer user generated by the DataMeshManager I get this (second) error. And when I manually add lakeformation:GetDataLakeSettings to the permissions of my user, the first error returns.

Could you help me get the right policy structure for the consumer account in this repo?

Kind regards,

Tom
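
The two errors quoted in this issue come from different layers: the `AccessDeniedException` is an IAM identity-policy denial, while "is not Data Lake Admin" is raised by `assert_is_data_lake_admin` in data_mesh_util. The following is an added example, not part of the issue or of the project's code; it assumes the admin check compares the caller against `DataLakeAdmins` in the `GetDataLakeSettings` response, and the settings sample and its account id are constructed.

```python
import re

# Constructed sample shaped like the response of
# boto3.client("lakeformation").get_data_lake_settings(); account id is a placeholder.
SAMPLE_SETTINGS = {
    "DataLakeSettings": {
        "DataLakeAdmins": [
            {"DataLakePrincipalIdentifier": "arn:aws:iam::111111111111:user/Admin"}
        ]
    }
}

# Error text copied from the issue (second message shortened after the action name).
ISSUE_ERRORS = [
    "Exception: Principal arn:aws:iam::[ACCOUNT_ID]:user/Consumer is not Data Lake Admin",
    "User: arn:aws:iam::[ACCOUNT_ID]:user/AwsDataMesh/DataMeshProducer is not "
    "authorized to perform: lakeformation:GetDataLakeSettings on resource: ...",
]

IAM_DENY = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>[\w-]+:\w+)"
)
LF_ADMIN = re.compile(r"Principal (?P<principal>\S+) is not Data Lake Admin")


def classify_error(message):
    """Return (layer, principal, action) for the two error shapes in the issue."""
    m = IAM_DENY.search(message)
    if m:
        # The API call itself was refused: no identity policy allows the action.
        return ("iam-identity-policy", m["principal"], m["action"])
    m = LF_ADMIN.search(message)
    if m:
        # The API call succeeded; the principal is missing from the admin list.
        return ("lakeformation-admin-list", m["principal"], None)
    return ("unknown", None, None)


def is_data_lake_admin(settings_response, principal_arn):
    """True if principal_arn is listed in DataLakeSettings.DataLakeAdmins."""
    admins = settings_response.get("DataLakeSettings", {}).get("DataLakeAdmins", [])
    return any(a.get("DataLakePrincipalIdentifier") == principal_arn for a in admins)


if __name__ == "__main__":
    for err in ISSUE_ERRORS:
        print(classify_error(err))
    print(is_data_lake_admin(SAMPLE_SETTINGS, "arn:aws:iam::111111111111:user/Consumer"))
```

Run against the issue's messages, the classifier also shows that the two errors name different principals (`user/Consumer` and `user/AwsDataMesh/DataMeshProducer`).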
