
[AWS::LakeFormation::PrincipalPermissions] - [BUG] - Cannot grant Lake Formation permissions for S3Tables Catalog

Open nakamichiworks opened this issue 6 months ago • 0 comments

Name of the resource

AWS::LakeFormation::PrincipalPermissions

Resource Name

No response

Issue Description

Quote from: https://github.com/aws/aws-cdk/issues/34467

I got the following error when I tried to deploy CfnPrincipalPermissions construct.

```text
...
8:19:34 PM | CREATE_FAILED        | AWS::LakeFormation::PrincipalPermissions | snowflakes3tablesl...ermissionsAE1D5D28
Properties validation failed for resource snowflakes3tableslakeformationpermissionstablepermissionsAE1D5D28 with message:
[#/Resource/Table/CatalogId: expected maxLength: 12, actual: 59]
```

Here's how the construct is defined:

```typescript
import * as lakeformation from 'aws-cdk-lib/aws-lakeformation';

// Grants the principal permissions on a database that lives in an S3 Tables catalog
new lakeformation.CfnPrincipalPermissions(this, 'database-permissions', {
    principal: {
        dataLakePrincipalIdentifier: "<role-arn>",
    },
    permissions: ["ALL"],
    permissionsWithGrantOption: [],
    resource: {
        database: {
            // S3 Tables catalog form, not a bare 12-digit account ID
            catalogId: "<account-id>:s3tablescatalog/<s3-tables-bucket-name>",
            name: "<s3-tables-namespace>",
        }
    }
})
```

It seems that the error is caused by overly strict validation that assumes catalogId is given as a 12-digit AWS account ID. However, catalog IDs for the S3 Tables catalog (`:s3tablescatalog/`) should also be accepted.

Expected Behavior

CatalogId should accept IDs of the form "<account-id>:s3tablescatalog/<s3-tables-bucket-name>".

Observed Behavior

CloudFormation only accepts 12-digit CatalogId.

Test Cases

LakeFormation resources with CatalogId: "<account-id>:s3tablescatalog/<s3-tables-bucket-name>" should be deployable.

Other Details

No response

nakamichiworks, May 16 '25 06:05
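The following is an added example, not code from the issue, from the AWS CDK, or from the CloudFormation schema: it contrasts the account-ID-only check that the error message implies with a relaxed parser that also accepts the `<account-id>:s3tablescatalog/<s3-tables-bucket-name>` form, and wraps it in a small helper that fails fast in synthesis instead of producing a CREATE_FAILED event at deploy time. The bucket-name character rules in the regular expression are an assumption (general-purpose S3 bucket naming), the helper returns a plain property object rather than importing the CDK construct, and all sample values are constructed.

```typescript
// Added example (not from the issue or the CDK project): client-side checks for the two
// CatalogId shapes discussed in the issue.

// Bare 12-digit AWS account ID, the only shape the failing validation accepts.
const ACCOUNT_ID_RE = /^\d{12}$/;

// Assumed shape from the issue text: "<account-id>:s3tablescatalog/<s3-tables-bucket-name>".
// Bucket-name rules are an assumption: lowercase letters, digits, dots and hyphens, 3-63 chars.
const S3_TABLES_CATALOG_RE = /^(\d{12}):s3tablescatalog\/([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])$/;

type CatalogIdKind = 'account' | 's3tablescatalog';

interface ParsedCatalogId {
  kind: CatalogIdKind;
  accountId: string;
  tableBucketName?: string;
}

// The overly strict check the issue describes (maxLength 12): only a bare account ID passes.
function isAccountOnlyCatalogId(catalogId: string): boolean {
  return ACCOUNT_ID_RE.test(catalogId);
}

// Relaxed parser: accepts both forms and returns their pieces, or null if neither matches.
function parseCatalogId(catalogId: string): ParsedCatalogId | null {
  if (ACCOUNT_ID_RE.test(catalogId)) {
    return { kind: 'account', accountId: catalogId };
  }
  const m = S3_TABLES_CATALOG_RE.exec(catalogId);
  if (m !== null) {
    return { kind: 's3tablescatalog', accountId: m[1]!, tableBucketName: m[2]! };
  }
  return null;
}

// Builds the `resource.database` property bag for a PrincipalPermissions resource, throwing a
// readable error at synth time when the catalogId matches neither accepted shape.
// Hypothetical helper; it returns a plain object and does not import the CDK construct.
function databaseResource(
  catalogId: string,
  name: string,
): { database: { catalogId: string; name: string } } {
  if (parseCatalogId(catalogId) === null) {
    throw new Error(
      `catalogId "${catalogId}" is neither a 12-digit account ID nor <account-id>:s3tablescatalog/<bucket>`,
    );
  }
  return { database: { catalogId, name } };
}

// Constructed sample values (not real accounts or buckets).
const SAMPLES = [
  '123456789012',
  '123456789012:s3tablescatalog/my-table-bucket',
  'not-a-catalog-id',
];

for (const sample of SAMPLES) {
  const strict = isAccountOnlyCatalogId(sample) ? 'passes strict check' : 'rejected by strict check';
  console.log(`${sample}: ${strict} | parsed=${JSON.stringify(parseCatalogId(sample))}`);
}
```

Running the block shows the S3 Tables form failing the strict check while `parseCatalogId` still recovers the account ID and table bucket name from it; `databaseResource` is the place to hang that check so a mistyped catalogId surfaces during `cdk synth` rather than as a failed stack event.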