Hi, I am trying to create a Glue database and grant permissions on it in Lake Formation. I have tried several approaches and several IAM roles and policies based on the documentation, but every time I get Insufficient Lake Formation permission(s): Required Create Database on Catalog
. The code is fairly straightforward, and when I define the permissions in Lake Formation I specify the ALL
value. Does anyone have an idea what is missing in the code?
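class ExampleStack(Stack):
    """Glue database and crawler over one S3 bucket, registered with Lake Formation.

    NOTE(review): the ``AWS::Glue::Database`` below is created by the
    CloudFormation execution role that deploys this stack, not by
    ``glue_role``. When Lake Formation is enforcing permissions, that
    deploying principal presumably needs ``CREATE_DATABASE`` on the catalog
    (or data-lake administrator status); nothing in this stack grants it,
    which is consistent with an "Insufficient Lake Formation permission(s):
    Required Create Database on Catalog" error at deploy time — confirm
    against the role CloudFormation actually uses.
    """

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        # Single source of truth for the bucket and database names; the
        # literals were previously repeated in several places.
        bucket_name = "transformed-v5"
        custom_data_bucket_arn = f"arn:aws:s3:::{bucket_name}"
        s3_location = f"s3://{bucket_name}"
        database_name = "datalake-v5"

        # Service role the crawler runs as.
        glue_role = cdk.aws_iam.Role(
            self,
            "glue_role",
            assumed_by=cdk.aws_iam.ServicePrincipal("glue.amazonaws.com"),
            managed_policies=[
                cdk.aws_iam.ManagedPolicy.from_managed_policy_arn(
                    self,
                    "MyCrawlerGlueRole",
                    managed_policy_arn="arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole",
                )
            ],
        )
        # S3 access is scoped to the one bucket this stack crawls rather than
        # "s3:*" on every bucket in the account (least privilege). The bucket
        # ARN covers bucket-level calls (ListBucket); "/*" covers objects.
        glue_role.add_to_policy(
            cdk.aws_iam.PolicyStatement(
                actions=["s3:*"],
                effect=cdk.aws_iam.Effect.ALLOW,
                resources=[custom_data_bucket_arn, f"{custom_data_bucket_arn}/*"],
            )
        )
        # Lake Formation API actions are not resource-scoped, so "*" stays.
        # NOTE(review): lakeformation:GrantPermissions lets this role hand out
        # Lake Formation permissions to other principals; a crawler typically
        # only needs GetDataAccess — confirm GrantPermissions is really needed.
        glue_role.add_to_policy(
            cdk.aws_iam.PolicyStatement(
                actions=["lakeformation:GetDataAccess", "lakeformation:GrantPermissions"],
                effect=cdk.aws_iam.Effect.ALLOW,
                resources=["*"],
            )
        )
        # Reference the role's own ARN instead of hand-typing the account id
        # into a string (the original carried a placeholder account id).
        glue_role.add_to_policy(
            cdk.aws_iam.PolicyStatement(
                actions=["iam:PassRole"],
                effect=cdk.aws_iam.Effect.ALLOW,
                resources=[glue_role.role_arn],
            )
        )

        glue_db = cdk.aws_glue.CfnDatabase(
            self,
            "MyDatabase",
            catalog_id=cdk.Aws.ACCOUNT_ID,
            database_input=cdk.aws_glue.CfnDatabase.DatabaseInputProperty(
                name=database_name,
                location_uri=s3_location,
            ),
        )

        # A crawler S3 target path is an s3:// URI; the bare bucket name used
        # before is not one.
        crawler = cdk.aws_glue.CfnCrawler(
            self,
            "datalake-crawler",
            database_name=database_name,
            role=glue_role.role_arn,
            schedule={"scheduleExpression": "cron(0/15 * * * ? *)"},
            targets={"s3Targets": [{"path": s3_location}]},
        )
        # database_name is a plain string, so CloudFormation cannot infer the
        # create order; make the dependency explicit.
        crawler.add_dependency(glue_db)

        # Register the bucket with Lake Formation.
        location_resource = cdk.aws_lakeformation.CfnResource(
            self,
            "MyDatalakeLocationResource",
            resource_arn=custom_data_bucket_arn,
            use_service_linked_role=True,
        )

        crawler_principal = cdk.aws_lakeformation.CfnPermissions.DataLakePrincipalProperty(
            data_lake_principal_identifier=glue_role.role_arn
        )
        db_permission = cdk.aws_lakeformation.CfnPermissions(
            self,
            "MyDatalakeDatabasePermission",
            data_lake_principal=crawler_principal,
            resource=cdk.aws_lakeformation.CfnPermissions.ResourceProperty(
                database_resource=cdk.aws_lakeformation.CfnPermissions.DatabaseResourceProperty(
                    name=database_name
                )
            ),
            permissions=["ALL"],
            # NOTE(review): the grant option lets the crawler role re-grant ALL
            # on this database to other principals; drop it unless intended.
            permissions_with_grant_option=["ALL"],
        )
        # The grant names the database by string and fails if the database
        # does not exist yet.
        db_permission.add_dependency(glue_db)

        location_permission = cdk.aws_lakeformation.CfnPermissions(
            self,
            "MyDatalakeLocationPermission",
            data_lake_principal=crawler_principal,
            resource=cdk.aws_lakeformation.CfnPermissions.ResourceProperty(
                data_location_resource=cdk.aws_lakeformation.CfnPermissions.DataLocationResourceProperty(
                    s3_resource=custom_data_bucket_arn
                )
            ),
            permissions=["DATA_LOCATION_ACCESS"],
        )
        location_permission.add_dependency(location_resource)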
Thank you!