diff --git a/backend/dataall/modules/s3_datasets/cdk/pivot_role_datasets_policy.py b/backend/dataall/modules/s3_datasets/cdk/pivot_role_datasets_policy.py
index ea3e8bbb8..ceca1767b 100644
--- a/backend/dataall/modules/s3_datasets/cdk/pivot_role_datasets_policy.py
+++ b/backend/dataall/modules/s3_datasets/cdk/pivot_role_datasets_policy.py
@@ -58,9 +58,7 @@ def get_statements(self):
 'glue:GetPartition',
 'glue:GetPartitions',
 'glue:GetCatalogImportStatus',
- 'glue:ListDatabases',
- 'glue:ListTables',
- 'glue:ListPartitions',
+ 'glue:GetTags',
 'glue:SearchTables',
 'glue:UpdateDatabase',
 'glue:UpdatePartition',
@@ -70,9 +68,9 @@ def get_statements(self):
 'glue:PutResourcePolicy',
 ],
 resources=[
- f'arn:aws:glue:*:{self.account}:catalog',
- f'arn:aws:glue:*:{self.account}:database/*',
- f'arn:aws:glue:*:{self.account}:table/*/*',
+ 'arn:aws:glue:*:*:catalog',
+ 'arn:aws:glue:*:*:database/*',
+ 'arn:aws:glue:*:*:table/*/*',
 ],
 ),
 # Manage LF permissions for glue databases
@@ -111,12 +109,12 @@ def get_statements(self):
 'lakeformation:DeleteObjectsOnCancel',
 ],
 resources=[
- f'arn:aws:lakeformation:{self.region}:{self.account}:catalog',
- f'arn:aws:lakeformation:{self.region}:{self.account}:catalog:{self.account}',
- f'arn:aws:lakeformation:{self.region}:{self.account}:database/*',
- f'arn:aws:lakeformation:{self.region}:{self.account}:table/*/*',
- f'arn:aws:lakeformation:{self.region}:{self.account}:data-location/*',
- f'arn:aws:lakeformation:{self.region}:{self.account}:lf-tag/*',
+ f'arn:aws:lakeformation:{self.region}:*:catalog',
+ f'arn:aws:lakeformation:{self.region}:*:catalog:*',
+ f'arn:aws:lakeformation:{self.region}:*:database/*',
+ f'arn:aws:lakeformation:{self.region}:*:table/*/*',
+ f'arn:aws:lakeformation:{self.region}:*:data-location/*',
+ f'arn:aws:lakeformation:{self.region}:*:lf-tag/*',
 ],
 ),
 # Glue ETL - needed to start crawler and profiling jobs
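Review bot: The `resources` list in the second hunk (`@@ -70,9 +68,9 @@`) now matches Glue catalogs, databases and tables in any account (`'arn:aws:glue:*:*:database/*'`), while the same statement still carries mutating actions such as `glue:UpdateDatabase`, `glue:UpdatePartition` and `glue:PutResourcePolicy`. The third hunk widens the Lake Formation ARNs the same way. If the wildcard is meant for cross-account reads (the hunks do not say), I would keep the write actions in a statement still scoped to `{self.account}` and bound the wildcard statement with a condition, for example `conditions={'StringEquals': {'aws:ResourceOrgID': '<ORG_ID_PLACEHOLDER>'}}`. A comment above each list, such as `# account is wildcarded so the pivot role can reach catalogs shared from other accounts`, would record why least privilege was relaxed. `get_statements` starts and ends outside these hunks, so the full action lists and any existing conditions are not visible here.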