Fix for Cross Account Resource Link Permissions

[arjunp99]

Branch: fix-cross-account-resource-link-permissions

File: backend/dataall/modules/s3_datasets/cdk/pivot_role_datasets_policy.py
Commit: cce0a50f - "Fix for cross account permissions and also to remove incorrect permissions"

---

Changes Made

1. GlueCatalog Policy Statement - Cross-Account Fix

Original (Incorrect - Account-Specific):

resources=[
    f'arn:aws:glue:*:{self.account}:catalog',
    f'arn:aws:glue:*:{self.account}:database/*',
    f'arn:aws:glue:*:{self.account}:table/*/*',
]

** Updated (Fixed - Cross-Account Support):

resources=[
    'arn:aws:glue:*:*:catalog',
    'arn:aws:glue:*:*:database/*',
    'arn:aws:glue:*:*:table/*/*'
]

2. LakeFormation Policy Statement - Cross-Account Fix

Updated (Fixed - Cross-Account Support):

resources=[
    f'arn:aws:lakeformation:{self.region}:*:catalog',
    f'arn:aws:lakeformation:{self.region}:*:catalog:*',
    f'arn:aws:lakeformation:{self.region}:*:database/*',
    f'arn:aws:lakeformation:{self.region}:*:table/*/*',
    f'arn:aws:lakeformation:{self.region}:*:data-location/*',
    f'arn:aws:lakeformation:{self.region}:*:lf-tag/*'
]

4. Removed Incorrect Glue Actions

Removed / Updated Permissions:

• 'glue:GetTags' → Added in updated version
• 'glue:ListDatabases' → Removed (redundant/incorrect)
• 'glue:ListTables' → Removed (redundant/incorrect)
• 'glue:ListPartitions' → Removed (redundant/incorrect)

Key Improvements

This fix enables the pivot role to work with cross-account resources by:

• Allowing access to Glue catalogs, databases, and tables across all accounts (* instead of {self.account}
• Enabling Lake Formation permissions across accounts for proper data governance
• Removing redundant Glue list permissions that were causing policy bloat

[TejasRGitHub]

+1

[TejasRGitHub]

Incorrect synctax.

Incorrect syntax

[TejasRGitHub]

+1