Merge pull request #116 from degoldner/bugfix/missing-env-group-permi…

…ssions Add missing permissions for group role
data-dot-all · Aug 24, 2022 · 7eabba7 · 7eabba7
2 parents 03df865 + 95a0429
commit 7eabba7
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/backend/dataall/cdkproxy/stacks/policies/service_policy.py b/backend/dataall/cdkproxy/stacks/policies/service_policy.py
@@ -49,6 +49,11 @@ def generate_policies(self) -> [aws_iam.ManagedPolicy]:
         from .cloudformation import Cloudformation
 
         policies: [aws_iam.ManagedPolicy] = [
+            # This policy covers the minumum actions required independent
+            # of the service permissions given to the group.
+            # The 'glue:GetTable', 'glue:GetPartitions' and
+            # 'lakeformation:GetDataAccess' actions are additionally
+            # required for the Worksheet/Athena feature.
             aws_iam.ManagedPolicy(
                 self.stack,
                 self.id,
@@ -59,6 +64,9 @@ def generate_policies(self) -> [aws_iam.ManagedPolicy]:
                             'athena:ListEngineVersions',
                             'athena:ListDataCatalogs',
                             'athena:ListWorkGroups',
+                            'glue:GetTable',
+                            'glue:GetPartitions',
+                            'lakeformation:GetDataAccess',
                             'kms:Decrypt',
                             'kms:DescribeKey',
                             'kms:Encrypt',