Why do I get "not authorized to perform s3:DeleteObject" errors when running TRUNCATE commands in AWS Glue with Lake Formation hybrid access mode?
I'm running TRUNCATE commands in my AWS Glue jobs on Iceberg tables managed by AWS Lake Formation with hybrid access mode enabled, but I receive "not authorized to perform: s3:DeleteObject" errors. I have granted Lake Formation DELETE permissions and my Glue execution role has IAM s3:DeleteObject permissions, but the TRUNCATE operations still fail.
Short description
In Lake Formation hybrid access mode, credential vending only occurs when principals are explicitly opted-in. Without opt-in, Lake Formation intercepts S3 requests but doesn't provide temporary credentials, causing authorization failures even when IAM permissions are correctly configured. This article explains how to opt-in principals to enable credential vending and resolve TRUNCATE authorization errors.
Resolution
Understanding the root cause
When an S3 location is registered with Lake Formation in hybrid access mode, principals must be opted-in to use individual Lake Formation permissions and credential vending. However, the ALL permission has special bypass behavior that allows it to work without opt-in.
Lake Formation hybrid access mode supports two authorization paths:
- IAM path (for non-opted-in principals): Uses IAM permissions only, but Lake Formation still intercepts S3 requests without providing credentials
- Lake Formation path (for opted-in principals): Uses Lake Formation permissions with credential vending
When your Glue role is not opted-in, Lake Formation blocks S3 operations because the location is registered, but it doesn't provide the temporary credentials needed to access the data.
Authorization flow diagram:
Glue job executes TRUNCATE
  |
  v
Is the S3 location registered with Lake Formation?  -> YES (hybrid)
  |
  v
Does the table have IAMAllowedPrincipals group permissions?
  |
  +-- NO
  |     |
  |     Is the principal opted-in?
  |       |
  |       +-- NO:  Has ALL/Super LF permission?
  |       |          NO  -> ❌ FAILS
  |       |          YES -> ✅ SUCCESS (ALL bypass)
  |       |
  |       +-- YES: Has required LF permissions?
  |                  NO  -> ❌ FAILS
  |                  YES -> ✅ SUCCESS (LF path)
  |
  +-- YES
        |
        Is the principal opted-in?
          |
          +-- NO:  IAM path (IsRegistered=False), has required IAM permissions?
          |          NO  -> ❌ FAILS
          |          YES -> ✅ SUCCESS (IAM)
          |
          +-- YES: Has required LF permissions?
                     NO  -> ❌ FAILS
                     YES -> ✅ SUCCESS (LF path)
Why TRUNCATE fails without opt-in:
- Principal is not opted-in
- Lake Formation directs to IAM path
- Glue requests temporary S3 credentials from Lake Formation
- Lake Formation checks: Is principal opted-in? Answer: NO
- Lake Formation does not provide credentials
- Glue attempts to use role's IAM S3 permissions
- Lake Formation intercepts the S3 request (location is registered)
- Access denied - Lake Formation expects its own credentials
Why TRUNCATE works with opt-in:
- Principal is opted-in
- Lake Formation enforces Lake Formation permissions
- Lake Formation verifies DELETE permission is granted
- Glue requests temporary S3 credentials from Lake Formation
- Lake Formation checks: Principal opted-in? Location registered? Has DELETE permission?
- All conditions met - credential vending occurs
- Lake Formation generates temporary credentials with s3:DeleteObject
- Glue uses temporary credentials to delete S3 objects
- TRUNCATE succeeds
Prerequisites
Before proceeding, verify your configuration:
- Confirm your S3 location is registered with Lake Formation in hybrid access mode
- Verify your Glue execution role has Lake Formation DELETE permission on the table
- Verify your Glue execution role has IAM s3:DeleteObject permission in its IAM policy
Solution: Opt-in your Glue execution role
Choose one of the following methods to opt-in your Glue execution role for hybrid access mode.
Method 1: Using the console checkbox (recommended)
- Open the Lake Formation console
- In the navigation pane, choose Tables
- Select your table
- Choose Grant
- For IAM users and roles, select your Glue execution role
- For Table permissions, select the permissions the job needs, such as DELETE, INSERT, and SELECT
- Select the checkbox Make Lake Formation permissions effective immediately
  Note: This checkbox opts-in the principal for hybrid access mode
- Choose Grant
Method 2: Using the Hybrid access mode menu
- Open the Lake Formation console
- In the navigation pane, choose Hybrid access mode
- Choose Opt-in principals
- Choose Opt in principals
- For IAM users and roles, select your Glue execution role
- For Resources, select your database and tables
- Choose Opt in
Method 3: Using the AWS CLI
Run the following command to opt-in your Glue execution role:
aws lakeformation create-lake-formation-opt-in \
  --principal DataLakePrincipalIdentifier=arn:aws:iam::ACCOUNT_ID:role/GLUE_ROLE_NAME \
  --resource '{"Table": {"CatalogId": "ACCOUNT_ID", "DatabaseName": "DATABASE_NAME", "Name": "TABLE_NAME"}}' \
  --region REGION
Note: Replace ACCOUNT_ID, GLUE_ROLE_NAME, DATABASE_NAME, TABLE_NAME, and REGION with your actual values.
Verify the opt-in status
To confirm your Glue role is opted-in, run:
aws lakeformation list-lake-formation-opt-ins \
  --principal DataLakePrincipalIdentifier=arn:aws:iam::ACCOUNT_ID:role/GLUE_ROLE_NAME \
  --region REGION
The output displays all resources for which the principal is opted-in.
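The opt-in check above and the authorization flow diagram earlier in this article can be exercised offline with the following Python script. It is an added example, not code from AWS or from this article: the response field names (LakeFormationOptInsInfoList, Principal, Resource, Table, TableWildcard) follow the public ListLakeFormationOptIns API, and the account ID, role ARN, database and table names are constructed placeholders. The flow model assumes the S3 location is registered in hybrid access mode, as the diagram does.

```python
"""Checker for Lake Formation hybrid access mode opt-ins plus a model of the
TRUNCATE authorization flow. Added example, not AWS code. Response shape
follows the ListLakeFormationOptIns API; every value below is constructed."""
import json
from dataclasses import dataclass

# Constructed sample of `aws lakeformation list-lake-formation-opt-ins` output:
# the role is opted-in for sales.orders and for every table in `staging`
# (TableWildcard). Account ID, role and names are placeholders.
GLUE_ROLE = "arn:aws:iam::111122223333:role/GlueJobRole"
SAMPLE_OPT_INS = json.dumps({
    "LakeFormationOptInsInfoList": [
        {"Principal": {"DataLakePrincipalIdentifier": GLUE_ROLE},
         "Resource": {"Table": {"CatalogId": "111122223333",
                                "DatabaseName": "sales", "Name": "orders"}}},
        {"Principal": {"DataLakePrincipalIdentifier": GLUE_ROLE},
         "Resource": {"Table": {"CatalogId": "111122223333",
                                "DatabaseName": "staging", "TableWildcard": {}}}},
    ]
})


def is_opted_in(opt_ins_json, principal_arn, database, table):
    """Return True if principal_arn has an opt-in covering database.table,
    either an explicit Table opt-in or a TableWildcard opt-in on the database."""
    for entry in json.loads(opt_ins_json).get("LakeFormationOptInsInfoList", []):
        if entry.get("Principal", {}).get("DataLakePrincipalIdentifier") != principal_arn:
            continue
        tbl = entry.get("Resource", {}).get("Table", {})
        if tbl.get("DatabaseName") != database:
            continue
        if tbl.get("Name") == table or "TableWildcard" in tbl:
            return True
    return False


@dataclass
class Config:
    """State of one principal/table pair. The S3 location is assumed to be
    registered in hybrid access mode, as in the flow diagram."""
    opted_in: bool
    iam_allowed_principals: bool   # table still carries IAMAllowedPrincipals grants
    has_lf_all: bool               # ALL / Super Lake Formation permission
    has_lf_delete: bool            # Lake Formation DELETE, required for TRUNCATE
    has_iam_s3_delete: bool        # s3:DeleteObject in the role's own IAM policy


def truncate_outcome(cfg):
    """Walk the flow diagram and return (succeeds, path taken)."""
    if cfg.opted_in:
        # Opted-in principals take the LF path: credentials are vended only
        # when the Lake Formation permission has been granted.
        return cfg.has_lf_delete, "LF path (credential vending)"
    if cfg.iam_allowed_principals:
        # IAMAllowedPrincipals present: Lake Formation steps aside (IsRegistered=False)
        # and the role's IAM permissions decide.
        return cfg.has_iam_s3_delete, "IAM path"
    if cfg.has_lf_all:
        return True, "ALL bypass"
    # Not opted-in and no bypass: the S3 request is intercepted but no credentials
    # are vended, so the role's own s3:DeleteObject never helps.
    return False, "IAM path, no credential vending"


FIX_FOR_PATH = {
    "LF path (credential vending)": "grant Lake Formation DELETE on the table",
    "IAM path": "add s3:DeleteObject to the IAM policy, or better, opt-in the principal",
    "IAM path, no credential vending": "opt-in the principal (create-lake-formation-opt-in)",
}


def diagnose(opt_ins_json, principal_arn, database, table, **perms):
    """Combine the opt-in check with the flow model for one table.
    Returns (succeeds, path, advice)."""
    cfg = Config(opted_in=is_opted_in(opt_ins_json, principal_arn, database, table), **perms)
    ok, path = truncate_outcome(cfg)
    if ok:
        return ok, path, f"TRUNCATE succeeds via {path}"
    return ok, path, f"TRUNCATE fails on {path}; fix: {FIX_FOR_PATH[path]}"


if __name__ == "__main__":
    # The situation from the question: LF DELETE granted, IAM s3:DeleteObject
    # present, but the role is not opted-in for sales.customers.
    perms = dict(iam_allowed_principals=False, has_lf_all=False,
                 has_lf_delete=True, has_iam_s3_delete=True)
    print(diagnose(SAMPLE_OPT_INS, GLUE_ROLE, "sales", "customers", **perms))
    print(diagnose(SAMPLE_OPT_INS, GLUE_ROLE, "sales", "orders", **perms))
```

Feed the real output of `aws lakeformation list-lake-formation-opt-ins --principal ...` to is_opted_in with your job's database and table; a False result for a table whose location is registered in hybrid access mode is exactly the root cause this article describes, and the IAM s3:DeleteObject permission on the role does not change that outcome.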
Test the TRUNCATE command
Run your Glue job with the TRUNCATE command:
spark.sql("TRUNCATE TABLE database_name.table_name")
The command now succeeds because Lake Formation provides credential vending for opted-in principals.
Understanding credential vending
Credential vending in Lake Formation requires both conditions to be true:
- S3 location is registered with Lake Formation
- Principal is opted-in for hybrid access mode
When both conditions are met, Lake Formation generates temporary S3 credentials with the necessary permissions (s3:GetObject, s3:PutObject, s3:DeleteObject, s3:ListBucket) based on the Lake Formation permissions granted to the principal.
Why IAMAllowedPrincipals works (not recommended)
If you previously granted ALL permissions to the IAMAllowedPrincipals group and TRUNCATE worked, this is because IAMAllowedPrincipals completely bypasses Lake Formation authorization. However, this approach:
- Bypasses Lake Formation governance
- Removes centralized access control
- Eliminates audit trails in Lake Formation
- Defeats the purpose of using Lake Formation
For proper governance, use the opt-in approach instead of IAMAllowedPrincipals.
Additional considerations
For cross-account scenarios: When opting-in all tables in a database for cross-account grants, you must also opt-in the database itself for the permissions to work correctly.
For DATA_LOCATION permission: Principals require DATA_LOCATION permission on the S3 location to create tables or databases pointing to that location, regardless of opt-in status.
For cleaning up IAM policies: After opting-in principals, you can optionally remove S3 permissions from their IAM policies since Lake Formation provides credentials through credential vending.