Troubleshooting Lake Formation - AWS Lake Formation

Troubleshooting Lake Formation

If you encounter issues when working with AWS Lake Formation, consult the topics in this section.

General Troubleshooting

Use the information here to help you diagnose and fix various Lake Formation issues.

Error: "Insufficient encryption key permissions for Glue API"

An attempt was made to grant Lake Formation permissions without AWS Identity and Access Management (IAM) permissions on the AWS KMS encryption key for an encrypted Data Catalog.

My Amazon Athena or Amazon Redshift query that uses manifests is failing

Lake Formation does not support queries that use manifests.

Troubleshooting Cross-Account Access

Use the information here to help you diagnose and fix cross-account access issues.

I granted a cross-account Lake Formation permission but the recipient can't see the resource

  • Is the user in the recipient account a data lake administrator? Only data lake administrators can see the resource at the time of sharing.

  • Are you sharing with an account external to your organization? If so, the data lake administrator of the recipient account must accept a resource share invitation in AWS Resource Access Manager (AWS RAM).

    For more information, see Accepting a Resource Share Invitation from AWS RAM.

  • Are you using account-level (Data Catalog) resource policies in AWS Glue? If yes, then you must include a special statement that authorizes AWS RAM to share policies on your behalf.

    For more information, see Managing Cross-Account Permissions Using Both AWS Glue and Lake Formation.

  • Do you have the AWS Identity and Access Management (IAM) permissions required to grant cross-account access?

    For more information, see Cross-Account Access Prerequisites.

  • The resource that you've granted permissions on must not have any Lake Formation permissions granted to the IAMAllowedPrincipals group.

  • Is there a deny statement on the resource in the account-level policy?

Error: "Not authorized to grant permissions for the resource"

An attempt was made to grant cross-account permissions on a database or table that is owned by another account. When a database or table is shared with your account, as a data lake administrator, you can grant permissions on it only to users in your account.

Error: "Access denied to retrieve AWS Organization information"

Your account is an AWS Organizations management account and you do not have the required permissions to retrieve organization information, such as organizational units in the account.

For more information, see Required permissions for cross-account grants.

Error: "Organization <organization-ID> not found"

An attempt was made to share a resource with an organization, but sharing with organizations is not enabled. Enable resource sharing with organizations.

For more information, see Enable Sharing with AWS Organizations in the AWS RAM User Guide.

Error: "Insufficient Lake Formation permissions: Illegal combination"

A user shared a Data Catalog resource while Lake Formation permissions were granted to the IAMAllowedPrincipals group for the resource. The user must revoke all Lake Formation permissions from IAMAllowedPrincipals before sharing the resource.

Troubleshooting Blueprints and Workflows

Use the information here to help you diagnose and fix blueprint and workflow issues.

My blueprint failed with "User: <user-ARN> is not authorized to perform: iam:PassRole on resource: <role-ARN>"

An attempt was made to create a blueprint by a user who does not have sufficient permissions to pass the chosen role.

Update the user's IAM policy to allow iam:PassRole on the chosen role, or ask the user to choose a different role that they already have permission to pass.

For more information, see Lake Formation Personas and IAM Permissions Reference.

My workflow failed with "User: <user-ARN> is not authorized to perform: iam:PassRole on resource: <role-ARN>"

The role that you specified for the workflow did not have an inline policy allowing the role to pass itself.

For more information, see Create an IAM Role for Workflows.
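Both PassRole failures above come down to a policy document that never allows iam:PassRole on the role ARN named in the error. The following is an added example (not AWS code or the Lake Formation documentation's own) that evaluates a policy document offline against that single action and resource; the role ARN and the sample policies are constructed placeholders, and the evaluator deliberately ignores Condition, NotAction, NotResource and Principal, so it is a first diagnostic, not a replacement for the IAM policy simulator.

```python
import fnmatch

# Constructed placeholder ARN; substitute the role ARN from your own error message.
ROLE_ARN = "arn:aws:iam::123456789012:role/LakeFormationWorkflowRole"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows_action(policy, action, resource):
    """Minimal offline IAM policy evaluation: a matching explicit Deny wins,
    otherwise any matching Allow grants. Only Action/Resource with IAM-style
    '*' and '?' wildcards are modelled; Condition, NotAction, NotResource and
    Principal are ignored, so treat the result as a first diagnostic only."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed

def can_pass_role(policy, role_arn=ROLE_ARN):
    """True when the policy lets its principal pass role_arn to a service."""
    return allows_action(policy, "iam:PassRole", role_arn)

# Constructed user policy reproducing the blueprint failure: Lake Formation and
# Glue calls are allowed, but iam:PassRole on the chosen role is missing.
BROKEN_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["lakeformation:*", "glue:*"], "Resource": "*"}],
}

# Same policy with the fix: iam:PassRole scoped to the single workflow role.
FIXED_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": BROKEN_USER_POLICY["Statement"]
    + [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE_ARN}],
}

# Inline policy for the workflow role so it can pass itself (the workflow failure).
ROLE_SELF_PASS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE_ARN}],
}
```

Scoping the PassRole resource to the one workflow role, rather than `*`, keeps a user who can launch blueprints from passing any other role in the account to Glue.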

A crawler in my workflow failed with "Resource does not exist or requester is not authorized to access requested permissions"

One possible cause is that the passed role did not have sufficient permissions to create a table in the target database. Grant the role the CREATE_TABLE permission on the database.

A crawler in my workflow failed with "An error occurred (AccessDeniedException) when calling the CreateTable operation..."

One possible cause is that the workflow role did not have data location permissions on the target storage location. Grant data location permissions to the role.

For more information, see DATA_LOCATION_ACCESS.