Unable to register read only roles within the same account as the dataset #1172
Comments
|
Hi @Leonkoithara, let me confirm I understand your issue. In step 1 you are referring to an IAM role with IAM permissions to read from S3. Then you either import that role as a team role or as a consumption role and the data.all ManagedS3 IAM policy grants READ and WRITE permissions to S3. I think you are correct, I will add this issue as a bug and we will assess it in 2.5. Thanks for opening an issue One last question, would you see value in having 2 types of shares: READ-ONLY and WRITE shares? |
|
I think this PR already scopes down the s3 permissions given to a role on a bucket share For any S3 Bucket Share now: S3 Bucket Policy gets updated - The above should enforce that for either cross account or same account sharing the requester role can only read from the target resource I will confirm the above with a quick test and report back |
|
I set up a same account share to a new requestor role (tested with both sharing S3 Bucket + Folder/AccessPoint) and can confirm that there is only read access with no write access for this role These changes were implemented as part of #1280 Closing this issue as implemented - please let us know if there is any additional comments or concerns |
Describe the bug
Since the attached dataall policy to the registered role gives full s3 permissions to the bucket it is not possible to register a read only role and request read permissions to the dataset.
How to Reproduce
Expected behavior
Expected behavior is an option to register a read only role, or allow request access to a dataset eventhough the role doesn't have a dataall managed policy.
Your project
No response
Screenshots
No response
OS
N/A
Python version
N/A
AWS data.all version
N/A
Additional context
No response
The text was updated successfully, but these errors were encountered: