From 5968b73c7537f14f1030a87ca2b3aab3edac00cc Mon Sep 17 00:00:00 2001
From: Noah Paige <69586985+noah-paige@users.noreply.github.com>
Date: Mon, 17 Jul 2023 03:20:53 -0400
Subject: [PATCH] Add Glue Resource Policy Permissions for cross account share requests (#579)

### Feature or Bugfix
- Feature
- Bugfix

### Detail
- For cross-account shares of data all tables using LF named resources and RAM for share invitations we require `glue:PutResourcePolicy` and `glue:DeleteResourcePolicy` permissions for the pivotRoles handling management of RAM share invitations
- Without the above permissions - the sharing of tables cross-account to other data.all environments failed with a similar error to the following:
```
Failed granting principal arn:aws:iam::ACCOUNT_A:role/TARGET_ROLE read access to resource link on target ACCOUNT_B://GLUE_DB/TABLE_NAME due to: An error occurred (AccessDeniedException) when calling the GrantPermissions operation: Insufficient Glue permissions to access table TABLE_NAME
```

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
---
 backend/dataall/cdkproxy/stacks/pivot_role.py | 4 +++-
 deploy/pivot_role/pivotRole.yaml | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/backend/dataall/cdkproxy/stacks/pivot_role.py b/backend/dataall/cdkproxy/stacks/pivot_role.py
index 22fa577b1..c0b157f4a 100644
--- a/backend/dataall/cdkproxy/stacks/pivot_role.py
+++ b/backend/dataall/cdkproxy/stacks/pivot_role.py
@@ -171,7 +171,7 @@ def _create_dataall_policy0(self, env_resource_prefix: str) -> iam.ManagedPolicy
                 ],
                 resources=[f'arn:aws:s3:*:{self.account}:accesspoint/*'],
             ),
-            # Glue - needed to handle databases and tables
+            # Glue - needed to handle databases and tables and cross-account shares
             iam.PolicyStatement(
                 sid='GlueCatalog',
                 effect=iam.Effect.ALLOW,
@@ -193,6 +193,8 @@ def _create_dataall_policy0(self, env_resource_prefix: str) -> iam.ManagedPolicy
                     'glue:UpdatePartition',
                     'glue:UpdateTable',
                     'glue:TagResource',
+                    'glue:DeleteResourcePolicy',
+                    'glue:PutResourcePolicy',
                 ],
                 resources=['*'],
             ),
diff --git a/deploy/pivot_role/pivotRole.yaml b/deploy/pivot_role/pivotRole.yaml
index c30b32375..3a4ce3243 100644
--- a/deploy/pivot_role/pivotRole.yaml
+++ b/deploy/pivot_role/pivotRole.yaml
@@ -140,6 +140,8 @@ Resources:
                   - 'glue:UpdatePartition'
                   - 'glue:UpdateTable'
                   - 'glue:TagResource'
+                  - 'glue:DeleteResourcePolicy'
+                  - 'glue:PutResourcePolicy'
                 Effect: Allow
                 Resource: '*'
               - Sid: GlueETL
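Review bot: `glue:DeleteResourcePolicy` and `glue:PutResourcePolicy` are appended to the `GlueCatalog` statement whose `resources=['*']` is unchanged, so the pivot role can now replace or delete the Data Catalog resource policy for any principal, which is a much wider grant than the RAM share-invitation handling the description motivates; the pivotRole.yaml hunk widens the same way. Since these two actions operate on the catalog rather than on individual databases or tables, they are better placed in their own statement (e.g. `sid='GlueResourcePolicy'`) scoped to the catalog ARN (`arn:aws:glue:<REGION>:<ACCOUNT>:catalog`, using the stack's account and region) instead of `'*'`, and the same split applied to the CloudFormation template. At minimum the new lines deserve a why-comment so the next reviewer does not strip them as unused, e.g. `# Resource-policy actions: RAM updates the catalog resource policy when cross-account share invitations are accepted/revoked`. The `GlueCatalog` statement and `_create_dataall_policy0` both begin before this hunk.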