Hi, I am using the AWS Terraform provider, trying to automate this: Manage access to Resource link tables - Amazon Connect. From the UI it works with no issue, but when I try to grant SELECT permission on the target table using Terraform, it fails. To note, these target tables are provided by Amazon and we have no control over them. Terraform gets a permissions error as below.
I am trying to understand how this can work from the UI but not in Terraform. What am I missing here? Is this a limitation of Terraform? Thanks for the help in advance.
aws = {
  source = "hashicorp/aws"
}

# Grant on the resource link in the local account (this works)
resource "aws_lakeformation_permissions" "resource_link_describe" {
  catalog_id = "11111111" # account where the resource link resides
  table {
    database_name = db # placeholder for the database name, as in the original post
    name          = "contact_record"
  }
  principal   = "arn:aws:quicksight:ap-southeast-2:11111111111:group/default/admin"
  permissions = ["DESCRIBE"]
}

# THIS FAILS: grant on the target table in the other account
resource "aws_lakeformation_permissions" "resource_link_permissions" {
  catalog_id = "2222222222" # account where the target table resides
  table {
    database_name = db # of target
    name          = "contact_record" # of target
  }
  principal = "arn:aws:quicksight:ap-southeast-2:11111111111:group/default/admin"
  # Grant SELECT
  permissions = ["SELECT"]
}
########################
Error: creating Lake Formation Permissions (input: &{[SELECT] 0xc00273c680 0xc002721540 0xc00273c6c0 {}}): creating Lake Formation Permissions: operation error LakeFormation: GrantPermissions, https response error StatusCode: 400, RequestID: d0abdbb1-1a8b-46e4-9f12-c82a0572cea2, api error AccessDeniedException: User: arn:aws:sts::xxxxxx:assumed-role/xxxxxx/xxxxxx is not authorized to perform: lakeformation:GrantPermissions on resource: arn:aws:lakeformation:ap-southeast-2:2222222:catalog:2222222222 because no resource-based policy allows the lakeformation:GrantPermissions action
│
│ with module.xxxx[0].module.lakeformation.aws_lakeformation_permissions.resource_link_permissions,
│ on modules/xxxx/lakeformation/lakeform.tf line 102, in resource "aws_lakeformation_permissions" "resource_link_permissions":
│ 102: resource "aws_lakeformation_permissions" "resource_link_permissions" {
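The AccessDeniedException above names the calling role, the denied action and the catalog it was attempted on; the following is an added example (not part of the post or the AWS provider) that parses such a message and flags which of the two planned grants reaches into another account's catalog. The account IDs, role name and grant list are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the error in the post (account IDs are placeholders).
SAMPLE_ERROR = (
    "api error AccessDeniedException: User: "
    "arn:aws:sts::111111111111:assumed-role/terraform-deploy/session is not authorized "
    "to perform: lakeformation:GrantPermissions on resource: "
    "arn:aws:lakeformation:ap-southeast-2:222222222222:catalog:222222222222 "
    "because no resource-based policy allows the lakeformation:GrantPermissions action"
)

@dataclass
class DeniedGrant:
    caller_arn: str
    caller_account: str
    action: str
    resource_arn: str
    resource_account: str
    cross_account: bool          # caller's account differs from the catalog's account
    resource_policy_cited: bool  # IAM pointed at a missing resource-based policy

_PATTERN = re.compile(
    r"User: (?P<caller>arn:aws:(?:iam|sts)::(?P<caller_acct>\d{12}):\S+) is not authorized "
    r"to perform: (?P<action>[\w-]+:\w+) on resource: "
    r"(?P<resource>arn:aws:\w+:[\w-]*:(?P<res_acct>\d{12}):\S+)"
)

def parse_access_denied(message: str) -> Optional[DeniedGrant]:
    """Extract who was denied, which action, and which account owns the resource."""
    m = _PATTERN.search(message)
    if not m:
        return None
    return DeniedGrant(
        caller_arn=m["caller"], caller_account=m["caller_acct"], action=m["action"],
        resource_arn=m["resource"], resource_account=m["res_acct"],
        cross_account=m["caller_acct"] != m["res_acct"],
        resource_policy_cited="no resource-based policy allows" in message,
    )

def classify_grants(caller_account: str, grants: dict) -> dict:
    """Map each planned grant name to 'same-account' or 'cross-account' by its catalog_id."""
    return {name: ("same-account" if catalog == caller_account else "cross-account")
            for name, catalog in grants.items()}

# Constructed plan mirroring the two resources in the post (catalog IDs are placeholders).
PLANNED = {"resource_link_describe": "111111111111", "resource_link_permissions": "222222222222"}
```

Running `classify_grants(parse_access_denied(SAMPLE_ERROR).caller_account, PLANNED)` shows the failing grant is the one whose `catalog_id` belongs to the other account, which is the resource the error message cites.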