AWS Lake Formation: (AccessDeniedException) when calling the GetTable operation: Insufficient Lake Formation permission(s) on table

Question

I have implemented LakeFormation on my data bucket.

I have a step function in which one step consists of running a GlueJob that reads and writes to the data catalog.

I have upgraded my DataLake permissions as reported here.

The Service Role that runs my Step Function has a root-type policy (granted just for debugging this issue):

        Statement:
          - Effect: "Allow"
            Action: 
              - "*"
            Resource: 
              - "*"   

On lake formation the service role has:

• Administrator Rights
• Database Creation rights (and Grantable)
• Data Location access to the entire bucket (and Grantable)
• Super rights on read and write Database (and Grantable)
• Super rights on ALL tables within above Databases (and Grantable).

The bucket is not encrypted.

But, somehow, its access to the tables is denied with the error:

(AccessDeniedException) when calling the GetTable operation: Insufficient Lake Formation permission(s) on table

What's really strange is that the Glue Job succeeds when writing to some tables, and fails on others. And there is no real substantial difference across tables: all of them are under the same S3 prefix, parquet files, partitioned on the same key.

Given the abundance of permissions granted, I am really clueless about what is causing the error.

Please, send help.

Answer 1

I had the same error. This is how I solved.

Go to AWS Lake Formation in the console.

Then from the Permissions in the drop down menu, click on Data lake permissions. Find the principal you are using for your operation. Check if the principal has access to your database. Also check if your Resource type is "Database" NOT "Catalog".

To change the resource type to "Database":

1- Go to Data catalog -> Databases

2- Click on the database you operate on

3- Right top, click on Actions -> View Permissions

4- Choose your principle, then click on Grant

5- Use Named data catalog resources

6- Choose your database from the drop down menu

7- LEAVE tables drop down menu EMPTY. I was choosing "All Tables" when I had the error.

8- Select super for database permissions then click on grant.

Once it's working, you can always change the granularity of your permission. Hope it works.