
Fixing missing permissions for proper QS functioning after deploy (#644)
vmindru committed Oct 18, 2023
1 parent ba5e878 commit 8be48c5
Showing 1 changed file with 40 additions and 49 deletions.
89 changes: 40 additions & 49 deletions cfn-templates/cid-cfn.yml
Expand Up @@ -1010,75 +1010,66 @@ Resources:
Statement:
- Effect: Allow
Action:
- lakeformation:GetDataAccess
- athena:ListDataCatalogs
Resource: '*' # Cannot restrict this. See https://docs.aws.amazon.com/athena/latest/ug/datacatalogs-example-policies.html#datacatalog-policy-listing-data-catalogs

- Effect: Allow
Action:
- athena:ListDatabases
Resource:
- Fn::If:
- NeedDatabase
- !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase}
- !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName}
# - Effect: Allow
# Action:
# - athena:ListDatabases
# - athena:ListTableMetadata
# Resource:
# - !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:datacatalog/${GlueDataCatalog}'
- athena:ListTableMetadata
Resource: "*" # required https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-underlying-data.html
# Cannot restrict this. See https://docs.aws.amazon.com/athena/latest/ug/datacatalogs-example-policies.html#datacatalog-policy-listing-data-catalogs
- Effect: Allow
Action:
- glue:GetPartitions
- glue:GetDatabases
Resource:
- !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog'
- Effect: Allow
Action:
- glue:GetTable
- glue:GetPartitions
- glue:GetTables
Resource:
- !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog'
- Fn::If:
- NeedDatabase
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase}
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName}
- Fn::If:
- NeedDatabase
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${CidDatabase}/*
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/*
- !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog'
- Fn::If:
- NeedDatabase
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase}
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName}
- Fn::If:
- NeedDatabase
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${CidDatabase}/*
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/*
- Effect: Allow
Action:
- athena:ListDatabases
- athena:ListDataCatalogs
- athena:ListDatabases
- athena:GetQueryExecution
- athena:GetQueryResults
- athena:StartQueryExecution
- athena:GetQueryResultsStream
- athena:GetQueryResults
- athena:ListTableMetadata
Resource:
Fn::If:
- NeedAthenaWorkgroup
- !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${MyAthenaWorkGroup}'
- !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${AthenaWorkgroup}'
- Fn::If:
- NeedDatabase
- !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase}
- !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName}
- !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:datacatalog/${GlueDataCatalog}'
- Fn::If:
- NeedAthenaWorkgroup
- !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${MyAthenaWorkGroup}'
- !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${AthenaWorkgroup}'
- Effect: Allow
Action:
- s3:GetBucketLocation
- s3:ListBucket
Resource:
Fn::If:
- NeedAthenaQueryResultsBucket
- !Sub 'arn:${AWS::Partition}:s3:::${MyAthenaQueryResultsBucket}'
- !Sub 'arn:${AWS::Partition}:s3:::${AthenaQueryResultsBucket}'
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
- s3:ListBucketMultipartUploads
- s3:ListMultipartUploadParts
- s3:AbortMultipartUpload
Resource:
Fn::If:
- NeedAthenaQueryResultsBucket
- !Sub 'arn:${AWS::Partition}:s3:::${MyAthenaQueryResultsBucket}/*'
- !Sub 'arn:${AWS::Partition}:s3:::${AthenaQueryResultsBucket}/*'
- Effect: Allow
Action:
- lakeformation:GetDataAccess
Resource: "*" # required https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-underlying-data.html
- Fn::If:
- NeedAthenaQueryResultsBucket
- !Sub 'arn:${AWS::Partition}:s3:::${MyAthenaQueryResultsBucket}'
- !Sub 'arn:${AWS::Partition}:s3:::${AthenaQueryResultsBucket}'
- Fn::If:
- NeedAthenaQueryResultsBucket
- !Sub 'arn:${AWS::Partition}:s3:::${MyAthenaQueryResultsBucket}/*'
- !Sub 'arn:${AWS::Partition}:s3:::${AthenaQueryResultsBucket}/*'

QuickSightDataSourceRolePolicyForODCBucket:
Type: AWS::IAM::Policy
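Review bot: The `athena:ListTableMetadata` grant on `Resource: "*"` (L36–L38) is wider than this policy needs, and the comment justifying it points at the Lake Formation underlying-data page, which explains the `lakeformation:GetDataAccess` wildcard rather than this action; the "Cannot restrict this" link is about `athena:ListDataCatalogs`. ListTableMetadata accepts the Athena `datacatalog` ARN as a resource, and this same policy already scopes an athena statement to `arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:datacatalog/${GlueDataCatalog}` (L89), so I would move `- athena:ListTableMetadata` into that statement and leave `"*"` only for `athena:ListDataCatalogs` and `lakeformation:GetDataAccess`, with the comment reworded to `# ListDataCatalogs and lakeformation:GetDataAccess support no resource-level restriction; see the two linked docs`. The rendered view has lost the +/- markers, so if L79 is a new-side line ListTableMetadata is already covered there and the wildcard entry can simply be dropped. The action lists at L69–L79 also show `athena:ListDatabases` and `athena:GetQueryResults` twice; if both copies survive on the new side, dedupe them, as duplicate actions are harmless to IAM but make the least-privilege review harder to read.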
