Hi all!
For the consumer account, I don't know which policies should be applied for Lake Formation.
This error pops up when I apply too many policies on this account:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lakeformation:GetDataLakeSettings"
      ],
      "Resource": "*"
    }
  ]
}
```
```
  File "C:\Users\Anaconda3\lib\site-packages\data_mesh_util\DataMeshAdmin.py", line 381, in _initialize_account_as
    self._automator.assert_is_data_lake_admin(
  File "C:\Users\64324\Anaconda3\lib\site-packages\data_mesh_util\lib\ApiAutomator.py", line 668, in assert_is_data_lake_admin
    raise Exception(f"Principal {principal} is not Data Lake Admin")
Exception: Principal arn:aws:iam::[ACCOUNT_ID]:user/Consumer is not Data Lake Admin
```
However, when I apply too few policies (removing the above policy), another error pops up:
botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the GetDataLakeSettings operation: User: arn:aws:iam::[ACCOUNT_ID]:user/AwsDataMesh/DataMeshProducer is not authorized to perform: lakeformation:GetDataLakeSettings on resource: arn:aws:lakeformation:us-east-1:[ACCOUNT_ID]:catalog:[ACCOUNT_ID] because no identity-based policy allows the lakeformation:GetDataLakeSettings action
Even when I use the DataMeshProducer user generated by the DataMeshManager I get this (second) error. And when I manually add lakeformation:GetDataLakeSettings to the permissions of my user, the first error returns.
Could you help me get the right policy structure for the consumer account in this repo?
Kind regards,
Tom
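Added example, not part of the original post and not code from data_mesh_util: the two errors in the post come from two separate layers, IAM authorization for the `lakeformation:GetDataLakeSettings` call and membership in the Lake Formation data lake administrators list, and this sketch reports which one fails. It assumes that `assert_is_data_lake_admin` compares the caller against `DataLakeAdmins` in the GetDataLakeSettings response; the account ID, the `OtherAdmin` role and the function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

ACTION = "lakeformation:GetDataLakeSettings"
# Constructed sample data: placeholder account ID and a hypothetical other admin role.
CONSUMER = "arn:aws:iam::111122223333:user/Consumer"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": [ACTION], "Resource": "*"}]}
OTHER_ADMIN_ONLY = {"DataLakeSettings": {"DataLakeAdmins": [
    {"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:role/OtherAdmin"}]}}
CONSUMER_IS_ADMIN = {"DataLakeSettings": {"DataLakeAdmins": [
    {"DataLakePrincipalIdentifier": CONSUMER}]}}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def iam_allows(policies, action=ACTION):
    """Simplified identity-policy check: explicit Deny wins, otherwise any Allow.
    Resource, Condition and NotAction are ignored (assumption for brevity)."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            patterns = _as_list(stmt.get("Action", []))
            # IAM action names are case-insensitive and may contain wildcards.
            if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
                if stmt.get("Effect") == "Deny":
                    return False
                allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def is_data_lake_admin(settings, principal_arn):
    """Look the principal up in the DataLakeAdmins list of a GetDataLakeSettings response."""
    admins = settings.get("DataLakeSettings", {}).get("DataLakeAdmins", [])
    return any(a.get("DataLakePrincipalIdentifier") == principal_arn for a in admins)

def diagnose(policies, settings, principal_arn):
    if not iam_allows(policies):
        return "iam-denied"           # second error: AccessDeniedException
    if not is_data_lake_admin(settings, principal_arn):
        return "not-data-lake-admin"  # first error: "is not Data Lake Admin"
    return "ok"

if __name__ == "__main__":
    print(diagnose([], OTHER_ADMIN_ONLY, CONSUMER))
    print(diagnose([POLICY], OTHER_ADMIN_ONLY, CONSUMER))
    print(diagnose([POLICY], CONSUMER_IS_ADMIN, CONSUMER))
```

Against a live account, the `settings` argument would be the return value of the boto3 Lake Formation client's `get_data_lake_settings()` call.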