-
Notifications
You must be signed in to change notification settings - Fork 76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to access Glue tables with data.all dataset role due to KMS:decrypt permission not found #1210
Comments
Hi @TejasRGitHub I understand the issue and it is not surprising for more strict KMS keys that remove the For example we could add the statement upon import and re-check during shares. Similar to |
Hi @dlpzx , Thanks for taking a look at this issue. As a quick measure we have updated our docs. For a long term solution, if we add the dataset admin role explicitly to the KMS policy ( like how it is done for created dataset where the KMS policy is created during the stack creation phase and then a SID "EnableDatasetIAMRoleKeyUsage" with permissions is added allowing dataset admin role to access KMS key ) then this should solve the problem. As this cannot be done via CDK for imported KMS keys during the Another way would be to do the update by assuming the pivot Role and then adding a statement in KMS policy for dataset admin role to have access. This could be done during the Please let me knw your thoughts on this one |
Hi @TejasRGitHub I am picking up this issue, that as you pointed out, is trickier than it looks. We should add an statement that grants permissions to the If we want to use the dataallPivotRole with SDK calls:
From a logical perspective, any action on the dataset KMS key should happen in the deployment of the dataset, not of the environment. But if we add a I am thinking of avoiding using the dataallpivotRole completely and using some sort of custom resource with the CDK exec role. I need to do some research Let me think about it, because I am not convinced by the solutions proposed yet |
Hi @dlpzx , thanks a lot for taking a look at this issue. I was of the view that For now, we have found out an internal solution for mitigating this issue. Although, not needed rightnow we could certainly take a look at this in the future releases when we have a concrete solution. I think it will be helpful if data.all can work with super restrictive policies ( as the one mentioned in this GH issue ). |
Describe the bug
When importing a dataset, if the KMS key used for the S3 bucket doesn't not have the :root access then the importing dataset fails. Solution for this is to explicitly specify the dataallPivotRole-cdk and give necessary permissions for importing the dataset.
After this the dataset is imported successfully but when trying to query glue tables with Athena using the dataset role, following error is thrown
com.amazonaws.services.s3.model.AmazonS3Exception: User: arn:aws:sts::<AWS_ACCOUNT>:assumed-role/dataall-<dataset_name>-<URI>/<> is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:us-east-1:<KMS_KEY> because no resource-based policy allows the kms:Decrypt action
This is due to the following,
When a dataset is imported , it is registered with dataset role in Lake formation. Whenever querying through lake formation, Lake formation provides temporary S3 credentials through this role. Since this role doesn't have permission to the KMS key the following error is thrown.
How to Reproduce
{ "Sid": "KMSPivotRolePermissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::AWS_ACCOUNT_ID:role/dataallPivotRole-cdk" }, "Action": [ "kms:DescribeKey", "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*", "kms:PutKeyPolicy", "kms:GetKeyPolicy", "kms:ReEncrypt*", "kms:TagResource", "kms:UntagResource" ], "Resource": "*" }
Expected behavior
Querying with Athena should work even when dataset is imported with a KMS key which doesn't have the :root access.
In such cases, explicitly add permissions to the KMS keys for the dataset role which is registered with lake formation.
Your project
No response
Screenshots
No response
OS
Mac
Python version
3.9
AWS data.all version
2.3
Additional context
No response
The text was updated successfully, but these errors were encountered: