From 799361f619a6ccd0e4cb3fd45cb5f0c01ff1a05f Mon Sep 17 00:00:00 2001
From: Noah Paige
Date: Fri, 14 Jul 2023 15:35:53 -0400
Subject: [PATCH] Add Glue Resource Policy Permissions for cross account share requests

---
 backend/dataall/cdkproxy/stacks/pivot_role.py | 4 +++-
 deploy/pivot_role/pivotRole.yaml | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/backend/dataall/cdkproxy/stacks/pivot_role.py b/backend/dataall/cdkproxy/stacks/pivot_role.py
index 22fa577b1..c0b157f4a 100644
--- a/backend/dataall/cdkproxy/stacks/pivot_role.py
+++ b/backend/dataall/cdkproxy/stacks/pivot_role.py
@@ -171,7 +171,7 @@ def _create_dataall_policy0(self, env_resource_prefix: str) -> iam.ManagedPolicy
 ],
 resources=[f'arn:aws:s3:*:{self.account}:accesspoint/*'],
 ),
- # Glue - needed to handle databases and tables
+ # Glue - needed to handle databases and tables and cross-account shares
 iam.PolicyStatement(
 sid='GlueCatalog',
 effect=iam.Effect.ALLOW,
@@ -193,6 +193,8 @@ def _create_dataall_policy0(self, env_resource_prefix: str) -> iam.ManagedPolicy
 'glue:UpdatePartition',
 'glue:UpdateTable',
 'glue:TagResource',
+ 'glue:DeleteResourcePolicy',
+ 'glue:PutResourcePolicy',
 ],
 resources=['*'],
 ),
diff --git a/deploy/pivot_role/pivotRole.yaml b/deploy/pivot_role/pivotRole.yaml
index c30b32375..3a4ce3243 100644
--- a/deploy/pivot_role/pivotRole.yaml
+++ b/deploy/pivot_role/pivotRole.yaml
@@ -140,6 +140,8 @@ Resources:
 - 'glue:UpdatePartition'
 - 'glue:UpdateTable'
 - 'glue:TagResource'
+ - 'glue:DeleteResourcePolicy'
+ - 'glue:PutResourcePolicy'
 Effect: Allow
 Resource: '*'
 - Sid: GlueETL
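Review bot: `glue:PutResourcePolicy` and `glue:DeleteResourcePolicy` are appended to the `GlueCatalog` statement, whose `resources=['*']` is unchanged, so the pivot role can now replace or delete the Data Catalog resource policy of every catalog the role can reach rather than the one catalog these actions actually target. Because `DeleteResourcePolicy` removes the whole document, a share-revocation path that calls it would also drop grants issued to every other consumer account — the caller is not in this diff, so confirm how revocation is implemented; re-putting the trimmed policy with `PolicyHashCondition` is the safer pattern. The catalog-level actions can live in their own statement scoped to the catalog ARN while the database/table actions keep `'*'`, as sketched below (the `self.region` attribute is assumed to exist alongside `self.account`; confirm on the stack). `_create_dataall_policy0` starts before this hunk and continues after it.
```python
                # … unchanged: GlueCatalog statement, catalog/database/table actions on '*' …
            ),
            # Glue resource policy - catalog-wide document, needed for cross-account shares
            iam.PolicyStatement(
                sid='GlueCatalogResourcePolicy',
                effect=iam.Effect.ALLOW,
                actions=[
                    'glue:DeleteResourcePolicy',
                    'glue:PutResourcePolicy',
                ],
                # assumes the stack exposes self.region like self.account - confirm
                resources=[f'arn:aws:glue:{self.region}:{self.account}:catalog'],
            ),
```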
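Review bot: The two resource-policy actions are added to a statement whose `Resource: '*'` is unchanged, which is broader than needed: `glue:PutResourcePolicy` and `glue:DeleteResourcePolicy` operate on the single catalog-wide policy document, so the template grants write and delete over the catalog policy in every region/catalog the role can reach. A separate statement scoped with `!Sub` to the catalog ARN keeps this template-deployed pivot role aligned with its CDK counterpart and lets the remaining table/database actions keep `'*'`, as sketched below. The enclosing `Statement` list and the `Sid: GlueCatalog` entry begin above this hunk, so the indentation shown is illustrative and must match the surrounding document.
```yaml
        # … unchanged: GlueCatalog statement, table/database actions on '*' …
        - Sid: GlueCatalogResourcePolicy
          Action:
            - 'glue:DeleteResourcePolicy'
            - 'glue:PutResourcePolicy'
          Effect: Allow
          Resource: !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog'
```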