From 8be48c59f1da746edb829c4fd04448f7222a5fe0 Mon Sep 17 00:00:00 2001
From: Veaceslav Mindru
Date: Wed, 18 Oct 2023 11:01:48 +0200
Subject: [PATCH] Fixing missing permissions for proper QS functioning after deploy (#644)
---
 cfn-templates/cid-cfn.yml | 89 ++++++++++++++++++---------------------
 1 file changed, 40 insertions(+), 49 deletions(-)
diff --git a/cfn-templates/cid-cfn.yml b/cfn-templates/cid-cfn.yml
index e7de4d85..60aaace0 100644
--- a/cfn-templates/cid-cfn.yml
+++ b/cfn-templates/cid-cfn.yml
@@ -1010,75 +1010,66 @@ Resources: Statement: - Effect: Allow Action: + - lakeformation:GetDataAccess - athena:ListDataCatalogs - Resource: '*' # Cannot restrict this. See https://docs.aws.amazon.com/athena/latest/ug/datacatalogs-example-policies.html#datacatalog-policy-listing-data-catalogs - - - Effect: Allow - Action: - athena:ListDatabases - Resource: - - Fn::If: - - NeedDatabase - - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase} - - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName} - # - Effect: Allow - # Action: - # - athena:ListDatabases - # - athena:ListTableMetadata - # Resource: - # - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:datacatalog/${GlueDataCatalog}' + - athena:ListTableMetadata + Resource: "*" # required https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-underlying-data.html + # Cannot restrict this. See https://docs.aws.amazon.com/athena/latest/ug/datacatalogs-example-policies.html#datacatalog-policy-listing-data-catalogs - Effect: Allow Action: + - glue:GetPartitions - glue:GetDatabases - Resource: - - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' - - Effect: Allow - Action: - glue:GetTable - - glue:GetPartitions + - glue:GetTables Resource: - - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' - - Fn::If: - - NeedDatabase - - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase} - - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName} - - Fn::If: - - NeedDatabase - - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${CidDatabase}/* - - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/* + - !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog' + - Fn::If: + - NeedDatabase + - !Sub 
arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase} + - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName} + - Fn::If: + - NeedDatabase + - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${CidDatabase}/* + - !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/* - Effect: Allow Action: + - athena:ListDatabases + - athena:ListDataCatalogs + - athena:ListDatabases - athena:GetQueryExecution + - athena:GetQueryResults - athena:StartQueryExecution - athena:GetQueryResultsStream - - athena:GetQueryResults + - athena:ListTableMetadata Resource: - Fn::If: - - NeedAthenaWorkgroup - - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${MyAthenaWorkGroup}' - - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${AthenaWorkgroup}' + - Fn::If: + - NeedDatabase + - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase} + - !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName} + - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:datacatalog/${GlueDataCatalog}' + - Fn::If: + - NeedAthenaWorkgroup + - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${MyAthenaWorkGroup}' + - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${AthenaWorkgroup}' - Effect: Allow Action: - s3:GetBucketLocation - s3:ListBucket - Resource: - Fn::If: - - NeedAthenaQueryResultsBucket - - !Sub 'arn:${AWS::Partition}:s3:::${MyAthenaQueryResultsBucket}' - - !Sub 'arn:${AWS::Partition}:s3:::${AthenaQueryResultsBucket}' - - Effect: Allow - Action: - s3:GetObject - s3:PutObject + - s3:ListBucketMultipartUploads + - s3:ListMultipartUploadParts + - s3:AbortMultipartUpload Resource: - Fn::If: - - NeedAthenaQueryResultsBucket - - !Sub 
'arn:${AWS::Partition}:s3:::${MyAthenaQueryResultsBucket}/*' - - !Sub 'arn:${AWS::Partition}:s3:::${AthenaQueryResultsBucket}/*' - - Effect: Allow - Action: - - lakeformation:GetDataAccess - Resource: "*" # required https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-underlying-data.html + - Fn::If: + - NeedAthenaQueryResultsBucket + - !Sub 'arn:${AWS::Partition}:s3:::${MyAthenaQueryResultsBucket}' + - !Sub 'arn:${AWS::Partition}:s3:::${AthenaQueryResultsBucket}' + - Fn::If: + - NeedAthenaQueryResultsBucket + - !Sub 'arn:${AWS::Partition}:s3:::${MyAthenaQueryResultsBucket}/*' + - !Sub 'arn:${AWS::Partition}:s3:::${AthenaQueryResultsBucket}/*' QuickSightDataSourceRolePolicyForODCBucket: Type: AWS::IAM::Policy
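Review bot: The rewritten Athena statement lists `athena:ListDatabases` twice and repeats `athena:ListDataCatalogs` and `athena:ListTableMetadata`, both of which the first statement in this hunk already grants on `Resource: "*"`; since IAM evaluates the wildcard grant alongside the scoped one, the `datacatalog/${GlueDataCatalog}` scoping added here for ListTableMetadata has no effect. Only ListDataCatalogs (per the linked Athena doc) and lakeformation:GetDataAccess (per the linked Lake Formation doc) appear to need `"*"`, so I would move `- athena:ListTableMetadata` out of the wildcard statement into the scoped one, and drop the duplicated `- athena:ListDatabases` and the moot `- athena:ListDataCatalogs` from the scoped Action list, assuming ListTableMetadata resolves at datacatalog scope as the removed commented-out block expected. The added `database/` and `datacatalog/` ARNs in the query-execution statement only matter for the list/metadata actions, so a cfn-lint or IAM policy-validation pass on the merged statement would confirm nothing else widened. The enclosing IAM policy resource and its remaining statements start outside the hunk.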