Description
Hi all!
For the consumer account, I don't know which policies should be applied for Lakeformation.
This error pops up when I apply too many policies on this account:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lakeformation:GetDataLakeSettings"
      ],
      "Resource": "*"
    }
  ]
}
```

```
  File "C:\Users\Anaconda3\lib\site-packages\data_mesh_util\DataMeshAdmin.py", line 381, in _initialize_account_as
    self._automator.assert_is_data_lake_admin(
  File "C:\Users\64324\Anaconda3\lib\site-packages\data_mesh_util\lib\ApiAutomator.py", line 668, in assert_is_data_lake_admin
    raise Exception(f"Principal {principal} is not Data Lake Admin")
Exception: Principal arn:aws:iam::[ACCOUNT_ID]:user/Consumer is not Data Lake Admin
```
However, when I apply too few policies (removing the above policy), another error pops up:

```
botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the GetDataLakeSettings operation: User: arn:aws:iam::[ACCOUNT_ID]:user/AwsDataMesh/DataMeshProducer is not authorized to perform: lakeformation:GetDataLakeSettings on resource: arn:aws:lakeformation:us-east-1:[ACCOUNT_ID]:catalog:[ACCOUNT_ID] because no identity-based policy allows the lakeformation:GetDataLakeSettings action
```
Even when I use the DataMeshProducer user generated by the DataMeshManager I get this (second) error. And when I manually add lakeformation:GetDataLakeSettings to the permissions of my user, the first error returns.
Could you help me get the right policy structure for the consumer account in this repo?
Kind regards,
Tom
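The two errors in the issue come from different layers: the first is the IAM identity-based policy denying `lakeformation:GetDataLakeSettings`, the second is the call succeeding but the principal not appearing in the Lake Formation data lake admin list. The diagnostic below is added here and is not part of data_mesh_util; it assumes boto3's `get_data_lake_settings` response shape (`DataLakeSettings.DataLakeAdmins[].DataLakePrincipalIdentifier`), and the stub client, account ID and ARNs are constructed.

```python
from typing import Any


def data_lake_admins(settings_response: dict) -> list[str]:
    """Return the principal ARNs listed as Lake Formation data lake admins."""
    admins = settings_response.get("DataLakeSettings", {}).get("DataLakeAdmins", [])
    return [a["DataLakePrincipalIdentifier"] for a in admins]


def diagnose_admin_check(client: Any, principal_arn: str, catalog_id: str) -> str:
    """Classify why assert_is_data_lake_admin() would fail for principal_arn.

    'missing-iam-permission': identity-based policy lacks GetDataLakeSettings.
    'not-data-lake-admin':    call allowed, but principal is not a data lake admin
                              (add it via PutDataLakeSettings or the console).
    'ok':                     principal is a data lake admin.
    """
    try:
        resp = client.get_data_lake_settings(CatalogId=catalog_id)
    except Exception as exc:  # botocore ClientError exposes .response["Error"]["Code"]
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "AccessDeniedException":
            return "missing-iam-permission"
        raise
    return "ok" if principal_arn in data_lake_admins(resp) else "not-data-lake-admin"


# --- constructed stub standing in for a boto3 lakeformation client (offline) ---
class _StubAccessDenied(Exception):
    def __init__(self) -> None:
        super().__init__("AccessDeniedException")
        self.response = {"Error": {"Code": "AccessDeniedException"}}


class StubLakeFormation:
    def __init__(self, admins: list[str], deny: bool = False) -> None:
        self._admins, self._deny = admins, deny

    def get_data_lake_settings(self, CatalogId: str) -> dict:
        if self._deny:
            raise _StubAccessDenied()
        return {"DataLakeSettings": {"DataLakeAdmins": [
            {"DataLakePrincipalIdentifier": a} for a in self._admins]}}


CONSUMER = "arn:aws:iam::111122223333:user/Consumer"  # constructed account ID

if __name__ == "__main__":
    print(diagnose_admin_check(StubLakeFormation([], deny=True), CONSUMER, "111122223333"))
    print(diagnose_admin_check(StubLakeFormation([]), CONSUMER, "111122223333"))
    print(diagnose_admin_check(StubLakeFormation([CONSUMER]), CONSUMER, "111122223333"))
```

Against a real account, pass `boto3.client("lakeformation")` as `client`; the IAM policy quoted above is the minimum that moves the result from the first state to the second.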