
AWS Lake Formation : grant_permissions : Unknown parameter in Resource.Table: "TableWildcard"


Trying to grant lake permissions via a Lambda Function. (Python 3.8) As far as I can see, I have my code as per documentation. Yet hitting a barrage of nonsense errors about parameters being incorrect. Could it be that I just need an optician? Or is it some nuance or which way the Amazon wind blows today?

import boto3
import json
from botocore.exceptions import ClientError

def main(event,context):

    client = boto3.client('lakeformation')

    response = client.grant_permissions(
        Principal={
            'DataLakePrincipalIdentifier': 'arn:aws:iam::123456789012:role/myRole'
        },
        Resource={
            'Table': {
                'DatabaseName': 'myDatabase',
                'TableWildcard': {}
            },
        },
        Permissions=['ALL'],
        PermissionsWithGrantOption=['ALL']
    )
       

======================================================================================

[ERROR] ParamValidationError: Parameter validation failed:
Missing required parameter in Resource.Table: "Name"
Unknown parameter in Resource.Table: "TableWildcard", must be one of: DatabaseName, Name
Traceback (most recent call last):
  File "/var/task/main.py", line 10, in main
    response = client.grant_permissions(
  File "/var/runtime/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 607, in _make_api_call
    request_dict = self._convert_to_request_dict(
  File "/var/runtime/botocore/client.py", line 655, in _convert_to_request_dict
    request_dict = self._serializer.serialize_to_request(
  File "/var/runtime/botocore/validate.py", line 297, in serialize_to_request
    raise ParamValidationError(report=report.generate_report())


Solution

  • I investigated the issue a bit, and the error occurs because on Lambda the definition of TableResource is (note the missing TableWildcard on Lambda):

        "TableResource":{
          "type":"structure",
          "required":[
            "DatabaseName",
            "Name"
          ],
          "members":{
            "DatabaseName":{
              "shape":"NameString",
              "documentation":"<p>The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal. </p>"
            },
            "Name":{
              "shape":"NameString",
              "documentation":"<p>The name of the table.</p>"
            }
          },
          "documentation":"<p>A structure for the table object. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal. </p>"
        }
    

    In contrast, the latest version on GitHub has:

        "TableResource":{
          "type":"structure",
          "required":["DatabaseName"],
          "members":{
            "CatalogId":{
              "shape":"CatalogIdString",
              "documentation":"<p>The identifier for the Data Catalog. By default, it is the account ID of the caller.</p>"
            },
            "DatabaseName":{
              "shape":"NameString",
              "documentation":"<p>The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal. </p>"
            },
            "Name":{
              "shape":"NameString",
              "documentation":"<p>The name of the table.</p>"
            },
            "TableWildcard":{
              "shape":"TableWildcard",
              "documentation":"<p>A wildcard object representing every table under a database.</p> <p>At least one of <code>TableResource$Name</code> or <code>TableResource$TableWildcard</code> is required.</p>"
            }
          }
        }
    

    Seems to me that this is some bug.
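
Added example (not part of the original question or answer, and not botocore's own code): a minimal re-implementation of the client-side structure check, run against the two TableResource definitions quoted above, plus a guard that asks the model loaded by a client whether it knows TableWildcard. The names `validate_structure`, `supports_table_wildcard`, `OLD_SHAPE` and `NEW_SHAPE` are chosen here, and the shapes are trimmed to their `required` and `members` keys.

```python
# Trimmed copies of the two TableResource shapes quoted in the answer above.
OLD_SHAPE = {  # model bundled with the Lambda runtime in the question
    "required": ["DatabaseName", "Name"],
    "members": {"DatabaseName": {}, "Name": {}},
}
NEW_SHAPE = {  # newer model quoted from GitHub
    "required": ["DatabaseName"],
    "members": {"CatalogId": {}, "DatabaseName": {}, "Name": {}, "TableWildcard": {}},
}


def validate_structure(params, shape, path):
    """Mimic the local check: required members first, then unknown members."""
    errors = []
    for name in shape.get("required", []):
        if name not in params:
            errors.append(f'Missing required parameter in {path}: "{name}"')
    known = ", ".join(sorted(shape["members"]))
    for name in params:
        if name not in shape["members"]:
            errors.append(
                f'Unknown parameter in {path}: "{name}", must be one of: {known}'
            )
    return errors


def supports_table_wildcard(client):
    """True if the service model loaded by this boto3 client defines
    TableResource.TableWildcard. Works on any boto3 'lakeformation' client."""
    shape = client.meta.service_model.shape_for("TableResource")
    return "TableWildcard" in shape.members


if __name__ == "__main__":
    # Same Resource.Table value as in the question.
    table = {"DatabaseName": "myDatabase", "TableWildcard": {}}
    for label, shape in (("old model", OLD_SHAPE), ("new model", NEW_SHAPE)):
        problems = validate_structure(table, shape, "Resource.Table")
        print(label, "->", problems or "accepted")
```

In a handler, calling `supports_table_wildcard(client)` before `grant_permissions` and logging `botocore.__version__` when it returns False turns the validation error into an explicit version diagnosis. Shipping a newer boto3 in the deployment package or a layer replaces the copy bundled with the runtime.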