Lake Formation (AWS CloudTrail) blueprint can't reach the IAM role used in data lake locations and data locations


An IAM role was created to provide access to S3 and Lake Formation as per "Requirements for roles used to register locations"; the trust relationship was also verified, and CloudTrail, S3, and Lake Formation are all in the same region. Actually, not even the service-linked role for Lake Formation appears in the drop-down list for choosing the IAM role.

The data lake locations and data locations were properly configured using the IAM role mentioned above. However, when trying to set up a Lake Formation (AWS CloudTrail) blueprint, the IAM role cannot be selected from the drop-down list; only a limited list of IAM roles from other services appears.

No specific policies or configurations were found that would enable the IAM role to appear in the list of allowed IAM roles.

2 Answers

When dealing with AWS Lake Formation blueprints, especially those related to AWS CloudTrail, it's important to ensure that the IAM role you are trying to use is correctly configured and meets the requirements.

Verify IAM Role Trust Relationship

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lakeformation.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Verify the IAM Role policies

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudtrail:PutObject",
                "cloudtrail:CreateTrail",
                "cloudtrail:StartLogging"
            ],
            "Resource": "*"
        }
    ]
}

Make sure AWS CloudTrail is configured properly and is logging events to an S3 bucket. The IAM role used by Lake Formation should have the necessary permissions to interact with CloudTrail events.

Ensure that AWS CloudTrail, S3, and Lake Formation are all in the same AWS region.

Sometimes the AWS Management Console might not reflect the latest changes immediately. Try refreshing your browser or logging out and back into the AWS Management Console to ensure that you are working with the latest information.

If the issue persists after going through the above steps, consider reaching out to AWS Support for more detailed assistance. They can help investigate the issue specific to your AWS account and region.

Hope this clarifies things, and if it does I would appreciate the answer being accepted so that the community can benefit, thanks ;)

EXPERT
answered 3 months ago
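Added example, not code from the original post or from AWS: a small Python checker that reads an IAM role's trust policy and attached permissions policies and reports whether the role could serve as a Lake Formation blueprint role. Blueprints run as AWS Glue workflows, so the documented requirement for a Lake Formation workflow role is a trust policy that lets `glue.amazonaws.com` assume it; the trust fragment in the answer above names only `lakeformation.amazonaws.com`, which is the principal used by a role that registers data lake locations, so a role built to that recipe can look correct while still being one the Glue service cannot assume. The required-action list (`glue:GetTable`, `lakeformation:GetDataAccess`, `s3:GetObject`, `s3:ListBucket`), the two sample policy documents and the function and constant names are constructed for illustration.

```python
"""Check whether an IAM role's trust and permissions policies fit a Lake Formation
blueprint (Glue workflow) role.  Added example, not from the original post."""
import fnmatch
import json


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(doc):
    return _as_list(doc.get("Statement"))


def assumable_service_principals(trust_doc):
    """Return the set of AWS service principals that may call sts:AssumeRole.

    Handles Principal.Service given as a string or a list, Action given as a
    string or a list (wildcards honoured, case-insensitive as in IAM), and
    explicit Deny statements, which remove a principal an Allow granted.
    """
    allowed, denied = set(), set()
    for stmt in _statements(trust_doc):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.update(services)
    return allowed - denied


def missing_actions(permission_docs, required):
    """Return the required actions that no Allow statement in any policy grants.

    Wildcards in granted actions ("glue:*", "s3:Get*") are honoured and matching
    is case-insensitive.  NotAction, Resource and Condition are ignored, so a
    clean result is necessary but not sufficient.
    """
    granted = []
    for doc in permission_docs:
        for stmt in _statements(doc):
            if stmt.get("Effect") != "Allow":
                continue
            granted.extend(a.lower() for a in _as_list(stmt.get("Action")))
    return sorted(
        action for action in required
        if not any(fnmatch.fnmatchcase(action.lower(), pattern) for pattern in granted)
    )


# Assumed requirement for a blueprint (Glue workflow) role: trusted by
# glue.amazonaws.com and allowed at least the actions below (the AWSGlueServiceRole
# managed policy covers glue:* plus the S3 reads; the list is illustrative).
WORKFLOW_TRUSTED_SERVICE = "glue.amazonaws.com"
WORKFLOW_REQUIRED_ACTIONS = (
    "glue:GetTable",
    "lakeformation:GetDataAccess",
    "s3:GetObject",
    "s3:ListBucket",
)


def check_workflow_role(trust_doc, permission_docs):
    """Return a list of human-readable problems; an empty list means the role fits."""
    problems = []
    trusted = assumable_service_principals(trust_doc)
    if WORKFLOW_TRUSTED_SERVICE not in trusted:
        problems.append(
            f"trust policy lets {sorted(trusted) or 'no service'} assume the role, "
            f"but a blueprint workflow role must trust {WORKFLOW_TRUSTED_SERVICE}"
        )
    for action in missing_actions(permission_docs, WORKFLOW_REQUIRED_ACTIONS):
        problems.append(f"no Allow statement grants {action}")
    return problems


# Constructed sample: a role built for registering data lake locations (trusts
# lakeformation.amazonaws.com), like the one described in the question.
LOCATION_ROLE_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": "lakeformation.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]
}""")
LOCATION_ROLE_PERMS = [json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
                 "Resource": ["arn:aws:s3:::example-datalake",
                              "arn:aws:s3:::example-datalake/*"]},
                {"Effect": "Allow",
                 "Action": "lakeformation:GetDataAccess",
                 "Resource": "*"}]
}""")]

# Constructed sample: a workflow role that trusts both services and carries glue:*.
WORKFLOW_ROLE_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": ["glue.amazonaws.com",
                                           "lakeformation.amazonaws.com"]},
                 "Action": ["sts:AssumeRole"]}]
}""")
WORKFLOW_ROLE_PERMS = LOCATION_ROLE_PERMS + [json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "glue:*", "Resource": "*"}]
}""")]

if __name__ == "__main__":
    for name, trust, perms in (("location-role", LOCATION_ROLE_TRUST, LOCATION_ROLE_PERMS),
                               ("workflow-role", WORKFLOW_ROLE_TRUST, WORKFLOW_ROLE_PERMS)):
        for problem in check_workflow_role(trust, perms) or ["ok"]:
            print(f"{name}: {problem}")
```

To run it against a real role, feed it the JSON returned by `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument` as the trust document and the documents from `aws iam get-role-policy` and `aws iam get-policy-version` as the permissions list. The location-role sample fails on both counts (wrong trusted service, no `glue:*`), which is the shape of the mismatch between a registration role and a workflow role; the workflow-role sample passes.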

Thank you Debolek, I did a thorough review of every action you mentioned above and unfortunately it didn't work. I'll be in contact with the AWS support team. Cheers

answered 3 months ago
