Recurring error for Consumer Account (lakeformation:GetDataLakeSettings) #22

Open
TomEijk opened this issue Mar 9, 2023 · 3 comments
TomEijk commented Mar 9, 2023

Hi all!

For the consumer account, I don't know which policies should be applied for Lakeformation.
This error pops up when I apply too many policies on this account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lakeformation:GetDataLakeSettings"
      ],
      "Resource": "*"
    }
  ]
}
```

```
  File "C:\Users\Anaconda3\lib\site-packages\data_mesh_util\DataMeshAdmin.py", line 381, in _initialize_account_as
    self._automator.assert_is_data_lake_admin(
  File "C:\Users\64324\Anaconda3\lib\site-packages\data_mesh_util\lib\ApiAutomator.py", line 668, in assert_is_data_lake_admin
    raise Exception(f"Principal {principal} is not Data Lake Admin")
Exception: Principal arn:aws:iam::[ACCOUNT_ID]:user/Consumer is not Data Lake Admin
```

However, when I apply too few policies (removing the above policy), another error pops up:

```
botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the GetDataLakeSettings operation: User: arn:aws:iam::[ACCOUNT_ID]:user/AwsDataMesh/DataMeshProducer is not authorized to perform: lakeformation:GetDataLakeSettings on resource: arn:aws:lakeformation:us-east-1:[ACCOUNT_ID]:catalog:[ACCOUNT_ID] because no identity-based policy allows the lakeformation:GetDataLakeSettings action
```

Even when I use the DataMeshProducer user generated by the DataMeshManager I get this (second) error. And when I manually add lakeformation:GetDataLakeSettings to the permissions of my user, the first error returns.

Could you help me get the right policy structure for the consumer account in this repo?

Kind regards,

Tom

@IanMeyers IanMeyers self-assigned this Mar 30, 2023
@IanMeyers
Contributor

Can you please advise on what operation you are trying to perform relative to this issue? Strictly speaking, only the DataMeshManagerRole needs to be DataLakeAdmin, and then producer and consumer roles assume this role to perform the required tasks needed.
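
The two errors reported in this issue come from different layers: the IAM identity policy decides whether `GetDataLakeSettings` can be called at all, while the Lake Formation `DataLakeAdmins` list decides whether the caller passes the admin check. The sketch below is an added example, not part of the thread or of `data_mesh_util`, and tells the two cases apart offline. The account ID, ARNs and settings response are constructed, and it assumes the admin check compares the calling principal against `DataLakeAdmins`.

```python
from fnmatch import fnmatchcase

ACTION = "lakeformation:GetDataLakeSettings"
ACCOUNT = "111122223333"  # constructed placeholder account ID
CONSUMER = f"arn:aws:iam::{ACCOUNT}:user/Consumer"
MANAGER = f"arn:aws:iam::{ACCOUNT}:role/DataMeshManagerRole"  # constructed ARN

# Identity policy quoted in the issue.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": [ACTION], "Resource": "*"}]}

# Constructed GetDataLakeSettings response: only the manager role is an admin.
SETTINGS = {"DataLakeSettings": {"DataLakeAdmins": [
    {"DataLakePrincipalIdentifier": MANAGER}]}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_allows(policy, action=ACTION):
    """Simplified identity-policy check (ignores Resource and Condition):
    an explicit Deny wins, otherwise any matching Allow grants the call."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = _as_list(stmt.get("Action", []))
        # IAM action names are case-insensitive and may contain wildcards.
        hit = any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
        if hit and stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or (hit and stmt.get("Effect") == "Allow")
    return allowed


def is_data_lake_admin(settings, principal_arn):
    """Membership test against the Lake Formation DataLakeAdmins list."""
    admins = settings["DataLakeSettings"].get("DataLakeAdmins", [])
    return any(a["DataLakePrincipalIdentifier"] == principal_arn for a in admins)


def diagnose(policy, settings, principal_arn):
    """Name the layer that rejects the principal, or 'ok' if both pass."""
    if not iam_allows(policy):
        return "AccessDeniedException"  # IAM blocks the API call itself
    if not is_data_lake_admin(settings, principal_arn):
        return "not Data Lake Admin"  # call succeeds, admin check fails
    return "ok"


if __name__ == "__main__":
    print(diagnose(POLICY, SETTINGS, CONSUMER))
```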

@TomEijk
Author

TomEijk commented Mar 30, 2023

Hi IanMeyers,

Yes, I was trying to run Step 1.2: Enable an AWS Account as a Consumer. That script returned these errors.

@IanMeyers
Contributor

OK - cool. Can you please paste the command that you are running and the output trace here so I can see the full set?
