Associating a configured table to a collaboration - AWS Clean Rooms

Associating a configured table to a collaboration

After you have created a configured table and added an analysis rule to it, you can associate it to a collaboration and give AWS Clean Rooms a service role to access your AWS Glue tables.

Note

This service role has permissions to the tables. The service role is assumable only by AWS Clean Rooms to run allowed queries on behalf of the member who can query. No collaboration members (other than the data owner) have access to the underlying tables in the collaboration. The data owner can turn on differential privacy to make their tables available for querying by other members.

Important

Before you associate the configured AWS Glue tables to the collaboration, the AWS Glue table location must point to an Amazon Simple Storage Service (Amazon S3) folder and not to a single file. You can verify this location by viewing the table in the AWS Glue console at https://console.aws.amazon.com/glue/.

Note

If you have configured encryption in AWS Glue and created a service role, you must give that role access to use AWS KMS keys to decrypt AWS Glue tables.

If you associated a configured table that is backed by an AWS KMS-encrypted Amazon S3 dataset, you must give the role access to use the KMS key to decrypt Amazon S3 data.

For more information, see Setting up encryption in AWS Glue in the AWS Glue Developer Guide.
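The two role requirements in the notes above (assumable only by AWS Clean Rooms, and able to decrypt with the KMS key) can be checked offline against the role's policy documents before you associate the table. The following is an added example, not code from the AWS documentation; the sample policies, account ID and key ID are constructed placeholders, and the KMS check is a simplification that ignores Deny statements, NotAction, conditions and ARN wildcards.

```python
# Added example: offline checks on a Clean Rooms service role's policy documents.
CLEAN_ROOMS = "cleanrooms.amazonaws.com"

def _as_list(value):
    """IAM allows a single string or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trust_findings(trust_policy):
    """List every reason the role is not assumable by Clean Rooms only."""
    findings, trusted = [], False
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service" and value == CLEAN_ROOMS:
                    trusted = True
                else:
                    findings.append(f"unexpected {kind} principal: {value}")
    if not trusted:
        findings.append(f"{CLEAN_ROOMS} is not trusted")
    return findings

def kms_decrypt_allowed(permissions_policy, key_arn):
    """True if an Allow statement grants kms:Decrypt on key_arn (simplified)."""
    for stmt in _as_list(permissions_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = _as_list(stmt.get("Resource"))
        if actions & {"kms:decrypt", "kms:*", "*"} and (
                key_arn in resources or "*" in resources):
            return True
    return False

# Constructed sample documents (account ID and key ID are placeholders).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
GOOD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                             "Principal": {"Service": CLEAN_ROOMS}}]}
WIDE_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                             "Principal": {"Service": CLEAN_ROOMS,
                                           "AWS": "arn:aws:iam::111122223333:root"}}]}
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": KEY_ARN,
                              "Action": ["kms:Decrypt", "kms:DescribeKey"]}]}
```

An empty list from trust_findings means only the Clean Rooms service principal is trusted; any entry names a principal to remove from the trust policy.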

The following topics describe how to associate a configured table to a collaboration using the AWS Clean Rooms console:

For information about how to associate your configured tables to the collaboration using the AWS SDKs, see the AWS Clean Rooms API Reference.

Associate a configured table from the configured table detail page

To associate AWS Glue tables to the collaboration from the configured table detail page
  1. Sign in to the AWS Management Console and open the AWS Clean Rooms console with your AWS account (if you haven't yet done so).

  2. In the left navigation pane, choose Configured tables.

  3. Choose the configured table.

  4. On the configured table detail page, choose Associate to collaboration.

  5. In the Associate table to collaboration dialog box, choose the Collaboration from the dropdown list.

  6. Choose Choose collaboration.

    On the Associate table page, the name of the configured table you chose appears under the Choose configured table section.

  7. For Choose configured table, do the following:

    If you want to... | Then ...
    Configure a new table | Choose Configure table and follow the prompts on the Configure table page.
    View the schema and analysis rule for the configured table | Turn on View schema and analysis rule.

  8. Specify the Service access permissions by selecting either Create and use a new service role or Use an existing service role.

    If you choose... Then ...
    Create and use a new service role
    • AWS Clean Rooms creates a service role with the required policy for this table.

    • The default Service role name is cleanrooms-<timestamp>.

    • You must have permissions to create roles and attach policies.

    • If your input data is encrypted, you can select This data is encrypted with a KMS key and then enter an AWS KMS key that will be used to decrypt your data input.

    Use an existing service role
    1. Choose an Existing service role name from the dropdown list.

      The list of roles is displayed if you have permissions to list roles.

      If you don't have permissions to list roles, you can enter the Amazon Resource Name (ARN) of the role that you want to use.

    2. View the service role by choosing the View in IAM external link.

      If there are no existing service roles, the option to Use an existing service role is unavailable.

      By default, AWS Clean Rooms doesn't attempt to update the existing role policy to add necessary permissions.

    3. (Optional) Select the Add a pre-configured policy with necessary permissions to this role check box to attach the necessary permissions to the role. You must have permissions to modify roles and create policies.

    Note
    • AWS Clean Rooms requires permissions to query according to the analysis rules. For more information about permissions for AWS Clean Rooms, see AWS managed policies for AWS Clean Rooms.

    • If the role doesn’t have sufficient permissions for AWS Clean Rooms, you receive an error message stating that the role doesn't have sufficient permissions for AWS Clean Rooms. The role policy must be added before proceeding.

    • If you can’t modify the role policy, you receive an error message stating that AWS Clean Rooms could not find the policy for the service role.

  9. If you want to enable Tags for the configured table association resource, choose Add new tag and then enter the Key and Value pair.

  10. Choose Associate table.

Associate a configured table from the collaboration detail page

To associate AWS Glue tables to the collaboration from the collaboration detail page
  1. Sign in to the AWS Management Console and open the AWS Clean Rooms console with your AWS account (if you haven't yet done so).

  2. In the left navigation pane, choose Collaborations.

  3. Choose the collaboration.

  4. On the Tables tab, choose Associate table.

  5. For Choose configured table, do the following:

    If you want to... | Then ...
    Choose an existing configured table | Choose the Configured table name that you want to associate with the collaboration from the dropdown list.
    Configure a new table | Choose Configure table and follow the prompts on the Configure table page.
    View the schema and analysis rule for the configured table | Turn on View schema and analysis rule.

  6. For Table association details, do the following:

    1. Enter a Name for the associated table.

      You can use the default name or rename this table.

    2. (Optional) Enter a Description of the table.

      The description helps with writing queries.

  7. Specify the Service access permissions by selecting either Create and use a new service role or Use an existing service role.

    If you choose... Then ...
    Create and use a new service role
    • AWS Clean Rooms creates a service role with the required policy for this table.

    • The default Service role name is cleanrooms-<timestamp>.

    • You must have permissions to create roles and attach policies.

    • If your input data is encrypted, you can select This data is encrypted with a KMS key and then enter an AWS KMS key that will be used to decrypt your data input.

    Use an existing service role
    1. Choose an Existing service role name from the dropdown list.

      The list of roles is displayed if you have permissions to list roles.

      If you don't have permissions to list roles, you can enter the Amazon Resource Name (ARN) of the role that you want to use.

    2. View the service role by choosing the View in IAM external link.

      If there are no existing service roles, the option to Use an existing service role is unavailable.

      By default, AWS Clean Rooms doesn't attempt to update the existing role policy to add necessary permissions.

    3. (Optional) Select the Add a pre-configured policy with necessary permissions to this role check box to attach the necessary permissions to the role. You must have permissions to modify roles and create policies.

    Note
    • AWS Clean Rooms requires permissions to query according to the analysis rules. For more information about permissions for AWS Clean Rooms, see AWS managed policies for AWS Clean Rooms.

    • If the role doesn’t have sufficient permissions for AWS Clean Rooms, you receive an error message stating that the role doesn't have sufficient permissions for AWS Clean Rooms. The role policy must be added before proceeding.

    • If you can’t modify the role policy, you receive an error message stating that AWS Clean Rooms couldn't find the policy for the service role.

  8. If you want to enable Tags for the configured table association resource, choose Add new tag and then enter the Key and Value pair.

  9. Choose Associate table.

Next steps

Now that you associated your configured data table to the collaboration, you are ready to: