
Troubleshooting AWS Lake Formation permissions for Amazon DataZone

This section contains troubleshooting instructions for issues that you might encounter when you Configure Lake Formation permissions for Amazon DataZone.

Error message in the Data Portal | Resolution

Unable to assume the Data Access Role.

This error is displayed when Amazon DataZone is unable to assume the AmazonDataZoneGlueDataAccessRole that you used to enable the DefaultDataLakeBlueprint in your account. To fix the issue, go to the AWS IAM console in the account where your data asset exists and make sure that the AmazonDataZoneGlueDataAccessRole has the right trust relationship with the Amazon DataZone service principal. For more information, see AmazonDataZoneGlueAccess-<region>-<domainId>.

The Data Access Role does not have the necessary permissions to read the metadata of the asset you are trying to subscribe.

This error is displayed when Amazon DataZone successfully assumes the AmazonDataZoneGlueDataAccessRole role, but the role does not have the necessary permissions. To fix the issue, go to the AWS IAM console in the account where your data asset exists and make sure that the role has the AmazonDataZoneGlueManageAccessRolePolicy attached to it. For more information, see AmazonDataZoneGlueAccess-<region>-<domainId>.
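The two role-side errors above can be checked offline before opening the IAM console. The following script is an added example, not AWS's own code or part of this documentation: it reads documents shaped like the output of two real commands, `aws iam get-role` (the Role.AssumeRolePolicyDocument field) and `aws iam list-attached-role-policies`, and maps what it finds to the two Data Portal messages. The service principal datazone.amazonaws.com is the one Amazon DataZone uses to assume the role; the sample account id, the managed-policy ARN path and the sample policies are constructed placeholders.

```python
"""Offline check of the IAM side of the DataZone data access role (added example)."""

DATAZONE_SERVICE_PRINCIPAL = "datazone.amazonaws.com"
MANAGE_ACCESS_POLICY = "AmazonDataZoneGlueManageAccessRolePolicy"

# Constructed sample: a trust policy that lets the DataZone service assume the role.
SAMPLE_TRUST_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "datazone.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}},
        }
    ],
}

# Constructed sample: a trust policy that only trusts AWS Glue, so DataZone cannot
# assume the role and the portal shows "Unable to assume the Data Access Role."
SAMPLE_TRUST_POLICY_BAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "glue.amazonaws.com"}, "Action": "sts:AssumeRole"}
    ],
}

# Constructed sample: list-attached-role-policies output (the ARN path is a placeholder).
SAMPLE_ATTACHED_OK = {
    "AttachedPolicies": [
        {"PolicyName": "AmazonDataZoneGlueManageAccessRolePolicy",
         "PolicyArn": "arn:aws:iam::aws:policy/PLACEHOLDER/AmazonDataZoneGlueManageAccessRolePolicy"}
    ]
}
SAMPLE_ATTACHED_EMPTY = {"AttachedPolicies": []}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_allows_datazone(trust_policy):
    """True if some Allow statement lets the DataZone service principal call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # A bare "*" principal would technically admit the service too, but a role that
        # anyone can assume is a misconfiguration in its own right, so it is not counted.
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        if DATAZONE_SERVICE_PRINCIPAL in services and any(
            a in ("sts:AssumeRole", "sts:*") for a in actions
        ):
            return True
    return False


def has_manage_access_policy(attached):
    """True if the managed policy named on this page is attached to the role."""
    return any(p.get("PolicyName") == MANAGE_ACCESS_POLICY
               for p in attached.get("AttachedPolicies", []))


def diagnose_role(trust_policy, attached):
    """Map the two checks to the Data Portal messages this page lists, or return 'OK'."""
    if not trust_allows_datazone(trust_policy):
        return "Unable to assume the Data Access Role."
    if not has_manage_access_policy(attached):
        return ("The Data Access Role does not have the necessary permissions to read "
                "the metadata of the asset you are trying to subscribe.")
    return "OK"


if __name__ == "__main__":
    print(diagnose_role(SAMPLE_TRUST_POLICY_BAD, SAMPLE_ATTACHED_OK))
    print(diagnose_role(SAMPLE_TRUST_POLICY_OK, SAMPLE_ATTACHED_EMPTY))
    print(diagnose_role(SAMPLE_TRUST_POLICY_OK, SAMPLE_ATTACHED_OK))
```

To run it against a real role, save the JSON from `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument` and `aws iam list-attached-role-policies --role-name <role>` and pass the parsed documents to `diagnose_role`. Note that the check deliberately ignores `Deny` statements and any `Condition` keys, so a passing result confirms the principal and action only; a condition such as `aws:SourceAccount` pointing at the wrong account would still block the assumption.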

Asset is a resource link. Amazon DataZone does not support subscriptions to resource links.

This error is displayed when the asset you are trying to publish to Amazon DataZone is a resource link to an AWS Glue table.

Asset is not managed by AWS Lake Formation.

This error indicates that the AWS Lake Formation permissions are not enforced on the asset that you want to publish. This can happen in the following cases.

  • The Amazon S3 location of the asset is not registered in AWS Lake Formation. To fix the issue, log in to your AWS Lake Formation console in the account where the table exists and register the Amazon S3 location either in AWS Lake Formation mode or Hybrid mode. For more information, see Registering an Amazon S3 location. Several scenarios require further modifications, such as encrypted Amazon S3 buckets, or an S3 bucket in a different account than the AWS Glue Data Catalog. In such cases, changes to KMS and/or S3 settings may be necessary. For more information, see Registering an encrypted Amazon S3 location.

  • The Amazon S3 location is registered in AWS Lake Formation mode, but IAMAllowedPrincipal is added to the table's permissions. To fix the issue, you can either remove IAMAllowedPrincipal from the table's permissions or register the S3 location in Hybrid mode. For more information, see About upgrading to the Lake Formation permissions model. If your S3 location is encrypted, or the S3 location is in a different account than your AWS Glue table, follow the instructions in Registering an encrypted Amazon S3 location.

Data Access role does not have necessary Lake Formation permissions to grant access to this asset.

This error indicates that the AmazonDataZoneGlueDataAccessRole that you are using to enable the DefaultDataLakeBlueprint in your account does not have the necessary permissions for Amazon DataZone to manage permissions on the published asset. You can resolve the issue either by adding the AmazonDataZoneGlueDataAccessRole as an AWS Lake Formation administrator or by granting the following permissions to the AmazonDataZoneGlueDataAccessRole on the asset that you want to publish.

  • Describe and Describe grantable permissions on the database where the asset exists

  • Describe, Select, Describe grantable, and Select grantable permissions on all the assets in the database to which you want Amazon DataZone to manage access on your behalf.
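The Lake Formation side of both the "Asset is not managed by AWS Lake Formation" cases and the missing-grant case above can also be checked offline from CLI output. The following script is an added example, not AWS's own code: it reads data shaped like the output of the real commands `aws lakeformation list-resources` and `aws lakeformation list-permissions`, resolves which registered location covers a table's S3 path, looks for IAMAllowedPrincipals (reported by Lake Formation under the identifier `IAM_ALLOWED_PRINCIPALS`) on the table, and lists which of the Describe/Select grants (with and without grant option) the data access role is missing. The `HybridAccessEnabled` field on a registered resource is used to tell Hybrid mode from Lake Formation mode; the role ARN, bucket, database and table names and all permission records are constructed placeholders. The grant check is written for a list of tables, as the page requires the grants on all assets in the database, not only the one being published.

```python
"""Offline check of the Lake Formation side of a DataZone asset (added example)."""

# Placeholder ARN for the role this page calls AmazonDataZoneGlueDataAccessRole.
DATA_ACCESS_ROLE_ARN = "arn:aws:iam::111122223333:role/AmazonDataZoneGlueDataAccessRole"
IAM_ALLOWED_PRINCIPALS = "IAM_ALLOWED_PRINCIPALS"
REQUIRED_DB_PERMS = {"DESCRIBE"}
REQUIRED_TABLE_PERMS = {"DESCRIBE", "SELECT"}

# Constructed sample: list-resources output. One path in Lake Formation mode, one in Hybrid mode.
SAMPLE_RESOURCES = {"ResourceInfoList": [
    {"ResourceArn": "arn:aws:s3:::example-data-lake/sales", "RoleArn": DATA_ACCESS_ROLE_ARN,
     "HybridAccessEnabled": False},
    {"ResourceArn": "arn:aws:s3:::example-data-lake/marketing", "RoleArn": DATA_ACCESS_ROLE_ARN,
     "HybridAccessEnabled": True},
]}

# Constructed sample: list-permissions output for one database and one table. The table still
# carries IAMAllowedPrincipals, and the role holds SELECT but not SELECT with grant option.
SAMPLE_PERMISSIONS = {"PrincipalResourcePermissions": [
    {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS},
     "Resource": {"Table": {"DatabaseName": "sales_db", "Name": "orders"}},
     "Permissions": ["ALL"], "PermissionsWithGrantOption": []},
    {"Principal": {"DataLakePrincipalIdentifier": DATA_ACCESS_ROLE_ARN},
     "Resource": {"Database": {"Name": "sales_db"}},
     "Permissions": ["DESCRIBE"], "PermissionsWithGrantOption": ["DESCRIBE"]},
    {"Principal": {"DataLakePrincipalIdentifier": DATA_ACCESS_ROLE_ARN},
     "Resource": {"Table": {"DatabaseName": "sales_db", "Name": "orders"}},
     "Permissions": ["DESCRIBE", "SELECT"], "PermissionsWithGrantOption": ["DESCRIBE"]},
]}


def _s3_uri_to_arn(uri):
    """s3://bucket/prefix/ -> arn:aws:s3:::bucket/prefix (trailing slash dropped)."""
    if not uri.startswith("s3://"):
        raise ValueError("expected an s3:// URI")
    return "arn:aws:s3:::" + uri[len("s3://"):].rstrip("/")


def location_registration(resources, s3_uri):
    """Return 'unregistered', 'lake-formation' or 'hybrid' for the registered path that covers s3_uri.
    The longest matching registered prefix wins (assumption about how nested registrations resolve)."""
    target = _s3_uri_to_arn(s3_uri)
    best, best_len = None, -1
    for info in resources.get("ResourceInfoList", []):
        arn = info["ResourceArn"].rstrip("/")
        if (target == arn or target.startswith(arn + "/")) and len(arn) > best_len:
            best, best_len = info, len(arn)
    if best is None:
        return "unregistered"
    return "hybrid" if best.get("HybridAccessEnabled") else "lake-formation"


def _grants_for(perms, principal, resource_key, **match):
    """Union of Permissions and PermissionsWithGrantOption that principal holds on one resource."""
    held, grantable = set(), set()
    for entry in perms.get("PrincipalResourcePermissions", []):
        if entry["Principal"]["DataLakePrincipalIdentifier"] != principal:
            continue
        res = entry.get("Resource", {}).get(resource_key)
        if res is None or any(res.get(k) != v for k, v in match.items()):
            continue
        held.update(entry.get("Permissions", []))
        grantable.update(entry.get("PermissionsWithGrantOption", []))
    # ALL (Super) implies every individual permission, on both sides.
    for s in (held, grantable):
        if "ALL" in s:
            s.update(REQUIRED_DB_PERMS | REQUIRED_TABLE_PERMS)
    return held, grantable


def iam_allowed_principals_on_table(perms, database, table):
    """True if the IAMAllowedPrincipals group still holds any permission on the table."""
    held, _ = _grants_for(perms, IAM_ALLOWED_PRINCIPALS, "Table", DatabaseName=database, Name=table)
    return bool(held)


def missing_role_grants(perms, role_arn, database, tables):
    """List the Describe/Select grants (plain and grantable) the role lacks, per this page's bullets."""
    missing = []
    held, grantable = _grants_for(perms, role_arn, "Database", Name=database)
    for p in sorted(REQUIRED_DB_PERMS):
        missing += [f"{p} on database {database}"] if p not in held else []
        missing += [f"{p} (grantable) on database {database}"] if p not in grantable else []
    for t in tables:
        held, grantable = _grants_for(perms, role_arn, "Table", DatabaseName=database, Name=t)
        for p in sorted(REQUIRED_TABLE_PERMS):
            missing += [f"{p} on table {database}.{t}"] if p not in held else []
            missing += [f"{p} (grantable) on table {database}.{t}"] if p not in grantable else []
    return missing


def diagnose_asset(resources, perms, role_arn, database, table, location, all_tables=None):
    """Map the checks to the Data Portal messages on this page; an empty list means no finding."""
    findings = []
    reg = location_registration(resources, location)
    if reg == "unregistered":
        findings.append("Asset is not managed by AWS Lake Formation: S3 location not registered")
    elif reg == "lake-formation" and iam_allowed_principals_on_table(perms, database, table):
        findings.append("Asset is not managed by AWS Lake Formation: IAMAllowedPrincipals on table "
                        "registered in Lake Formation mode (remove it or switch to Hybrid mode)")
    missing = missing_role_grants(perms, role_arn, database, all_tables or [table])
    if missing:
        findings.append("Data Access role lacks Lake Formation permissions: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for f in diagnose_asset(SAMPLE_RESOURCES, SAMPLE_PERMISSIONS, DATA_ACCESS_ROLE_ARN,
                            "sales_db", "orders", "s3://example-data-lake/sales/orders/"):
        print(f)
```

For a real table, feed it the JSON from `aws lakeformation list-resources` and from `aws lakeformation list-permissions` filtered to the database and its tables, and pass the table's `StorageDescriptor.Location` from `aws glue get-table` as `location`. A Hybrid-mode registration is reported as such but not flagged, matching the page's guidance that Hybrid mode is an acceptable fix for the IAMAllowedPrincipal case; the script does not check the encrypted-bucket or cross-account KMS settings the page points to separately.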