Updated on 2025-09-11 GMT+08:00

The Error "No privilege to this kms operation" Is Displayed When a Table in an OBS Encrypted Bucket Is Queried

Symptom

When you query a table in an encrypted OBS bucket, the error "No privilege to this kms operation" is displayed.

Procedure

To resolve this error, create a custom policy that grants the KMS permissions listed below and add it to the lakeformation_admin_trust agency.

  1. Create a custom policy.

    1. Log in to the IAM console.
    2. In the navigation pane on the left, choose Permissions > Policies/Roles.
    3. Create the lakeformation_kms_permission policy. (If a policy with the same permissions already exists, skip this step.)
      Click Create Custom Policy. Set the parameters as follows and click OK.
      • Policy Name: Enter a policy name, for example, lakeformation_kms_permission.
      • Policy View: Select JSON.
      • Policy Content: Enter the following content:
        {
            "Version": "1.1",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "kms:dek:encrypt",
                        "kms:cmk:create",
                        "kms:cmk:decrypt",
                        "kms:dek:create",
                        "kms:cmk:encrypt",
                        "kms:dek:crypto",
                        "kms:dek:decrypt"
                    ]
                }
            ]
        }
      • Description: Enter "The necessary permissions for lakeformation service to access encrypted obs file system, KMS related permission."

  2. Add the created policy to lakeformation_admin_trust.

    1. In the navigation pane of the IAM console, choose Agencies. On the displayed page, search for lakeformation_admin_trust and click Authorize in the Operation column.

    2. Search for and select the custom permission policy (for example, lakeformation_kms_permission) created in Step 1 and click Next.

    3. On the Select Scope page, retain the default settings and click OK.

      Wait for 15 to 30 minutes for the new permissions to take effect.
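
Step 1 can be skipped if a policy with the same permissions already exists. The following added example (not part of the original page or of the service's own tooling) checks an exported policy JSON against the seven actions above. The function names are hypothetical, and it assumes that `*` in an action matches any text and that a Deny overrides an Allow; Allow statements scoped by Resource or Condition are conservatively not counted.

```python
import json
from fnmatch import fnmatchcase

# The seven actions granted by the policy content in step 1 of this page.
REQUIRED = {
    "kms:dek:encrypt", "kms:cmk:create", "kms:cmk:decrypt", "kms:dek:create",
    "kms:cmk:encrypt", "kms:dek:crypto", "kms:dek:decrypt",
}

def _split(policy_json):
    """Collect Allow and Deny action patterns from a policy document."""
    allow, deny = [], []
    for stmt in json.loads(policy_json).get("Statement", []):
        acts = stmt.get("Action", [])
        acts = [acts] if isinstance(acts, str) else list(acts)
        if stmt.get("Effect") == "Deny":
            deny += acts          # any Deny counts, even a scoped one
        elif stmt.get("Effect") == "Allow" and not (
                stmt.keys() & {"Resource", "Condition"}):
            allow += acts         # scoped Allows are skipped (conservative)
    return allow, deny

def missing_kms_actions(policy_json):
    """Required actions the policy does not effectively allow."""
    allow, deny = _split(policy_json)
    hit = lambda a, pats: any(fnmatchcase(a, p) for p in pats)
    return sorted(a for a in REQUIRED if not hit(a, allow) or hit(a, deny))

def wildcard_allows(policy_json):
    """Allow patterns using '*', i.e. broader than the page's explicit list."""
    return sorted({p for p in _split(policy_json)[0] if "*" in p})

# Constructed sample of an existing policy, not taken from the page.
EXISTING = json.dumps({"Version": "1.1", "Statement": [
    {"Effect": "Allow",
     "Action": ["kms:dek:*", "kms:cmk:decrypt", "kms:cmk:create"]},
    {"Effect": "Deny", "Action": ["kms:cmk:create"]},
]})

# The policy content from step 1, rebuilt from REQUIRED.
PAGE_POLICY = json.dumps({"Version": "1.1", "Statement": [
    {"Effect": "Allow", "Action": sorted(REQUIRED)}]})

if __name__ == "__main__":
    print("missing:", missing_kms_actions(EXISTING))
    print("wildcards:", wildcard_allows(EXISTING))
    print("page policy missing:", missing_kms_actions(PAGE_POLICY))
```

An empty "missing" list means the existing policy already covers the permissions; a non-empty "wildcards" list marks grants that are wider than the explicit list on this page.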