Impossible to revoke permissions from multiple tables with LakeFormation CLI

0

I noticed the first problem: the LakeFormation permission console is not displaying any permission of a table when I filtered by its database. However, when I followed the database section and then "view tables" I could see that all the tables had the column "Lake Formation permissions enforced for" set to "Others", that is, LakeFormation was not being enforced and IAMAllowedPrincipals were still active for these tables. To verify this I checked a single table then -> "Actions" -> "Permissions: View", and surprisingly the "IAMAllowedPrincipals" and other ones were shown in the permission list! However they do not display when filtering by its database. Since the database has multiple tables it is impossible to remove them one by one, so I tried the CLI of lakeformation to remove first all "IAMAllowedPrincipals" permissions from all tables. However, when I try to use the command "revoke-permissions" from the CLI:

aws lakeformation revoke-permissions --principal "{\"DataLakePrincipalIdentifier\": \"IAM_ALLOWED_PRINCIPALS\"}" --resource "{\"Table\": {\"DatabaseName\": \"sharepoint-bronze\", \"TableWildcard\": {}}}" --permissions "[\"ALL\"]" --region sa-east-1

I get the response:

An error occurred (InvalidInputException) when calling the RevokePermissions operation: Grant on table wildcard is not allowed

The documentation is also very confusing or not complete for the wildcard section:

TableWildcard -> (structure)

A wildcard object representing every table under a database.

At least one of TableResource$Name or TableResource$TableWildcard is required.

So I'm stuck with two bugs now.

Lucas
asked 4 months ago, 248 views
1 Answer
0

If there are too many permissions, client-side filtering might not have loaded all permissions. If you see an option to navigate to the next pages on the top right, try navigating to see if it loads any permissions.

Regarding revoking permissions to 'IAM_ALLOWED_PRINCIPALS' on all tables in the database, you will have to run a BatchRevokePermissions[1] API. RevokePermissions[2] can only revoke one permission grant.

TableWildcard refers to a construct called 'ALL_TABLES'. Grant on 'ALL_TABLES' is one grant permission that helps apply the same permissions to all tables in a database. This helps avoid making GrantPermissions calls for each table if you are looking to share all tables in a database.

Suppose you have permissions granted to an IAM principal on each table separately, then you will have to make RevokePermissions API call for each of those grants. Here we cannot use TableWildcard.

From what I understand here, each table has a permission granted to 'IAM_ALLOWED_PRINCIPALS', therefore you will have to call RevokePermissions on each and every table. You can also consider using BatchRevokePermissions.

If there are too many permissions to be revoked, I would recommend doing it programmatically - first using ListPermissions[3] or GetTables[4] (if you know all tables have this permission and need to be revoked) to list resources, then use RevokePermissions[5] or BatchRevokePermissions[6].

[1] https://docs.aws.amazon.com/cli/latest/reference/lakeformation/batch-revoke-permissions.html
[2] https://docs.aws.amazon.com/cli/latest/reference/lakeformation/revoke-permissions.html
[3] https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/lakeformation/client/list_permissions.html
[4] https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/glue/client/get_table.html
[5] https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/lakeformation/client/revoke_permissions.html
[6] https://boto3.amazonaws.com/v1/documentation/api/1.28.1/reference/services/lakeformation/client/batch_revoke_permissions.html

AWS
answered 4 months ago
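The programmatic route the answer describes, as an added example in Python with boto3 (not code from the original post or from AWS): enumerate the database's tables with GetTables, build one per-table revoke entry for IAM_ALLOWED_PRINCIPALS (no TableWildcard, because each table carries its own grant), and send them through BatchRevokePermissions in chunks of 20 entries, the per-call maximum. The database name "sharepoint-bronze" and region "sa-east-1" come from the question; the helper names are my own.

```python
"""Revoke IAM_ALLOWED_PRINCIPALS from every table in a Lake Formation database.

Added example, not from the original post. Requires boto3 and AWS credentials
with lakeformation:BatchRevokePermissions and glue:GetTables only when run
as a script; the pure helpers need no AWS access.
"""
from typing import Any, Dict, Iterable, List

IAM_ALLOWED = {"DataLakePrincipalIdentifier": "IAM_ALLOWED_PRINCIPALS"}
BATCH_SIZE = 20  # BatchRevokePermissions accepts at most 20 entries per call


def build_revoke_entries(database: str, table_names: Iterable[str],
                         permissions: Iterable[str] = ("ALL",)) -> List[Dict[str, Any]]:
    """One BatchPermissionsRequestEntry per table; Ids must be unique per request."""
    return [
        {
            "Id": f"revoke-{i}",
            "Principal": IAM_ALLOWED,
            # Named table, not TableWildcard: the grant exists on each table separately.
            "Resource": {"Table": {"DatabaseName": database, "Name": name}},
            "Permissions": list(permissions),
        }
        for i, name in enumerate(table_names)
    ]


def chunks(items: List[Any], size: int) -> Iterable[List[Any]]:
    """Split a list into consecutive slices of at most `size` elements."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def list_table_names(glue_client, database: str) -> List[str]:
    """Page through Glue GetTables and collect every table name in the database."""
    names: List[str] = []
    for page in glue_client.get_paginator("get_tables").paginate(DatabaseName=database):
        names.extend(table["Name"] for table in page["TableList"])
    return names


def revoke_iam_allowed_on_all_tables(lf_client, glue_client, database: str) -> List[Dict]:
    """Revoke in batches; return the Failures the service reports so none go unnoticed."""
    entries = build_revoke_entries(database, list_table_names(glue_client, database))
    failures: List[Dict] = []
    for batch in chunks(entries, BATCH_SIZE):
        failures.extend(lf_client.batch_revoke_permissions(Entries=batch).get("Failures", []))
    return failures


if __name__ == "__main__":
    import boto3
    lf = boto3.client("lakeformation", region_name="sa-east-1")
    glue = boto3.client("glue", region_name="sa-east-1")
    for failure in revoke_iam_allowed_on_all_tables(lf, glue, "sharepoint-bronze"):
        print("failed:", failure["RequestEntry"]["Id"], failure["Error"]["ErrorMessage"])
```

After the run, re-check a table's "Permissions: View" in the console (or ListPermissions) to confirm IAMAllowedPrincipals no longer appears before relying on Lake Formation enforcement.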
