Lake Formation Tag-Based Access Control Cross-Account Prerequisites - AWS Lake Formation


Before you can use the Lake Formation tag-based access control (LF-TBAC) method to grant cross-account access to Data Catalog resources, you must add the following JSON permissions object to your AWS Glue Data Catalog resource policy. You must add this code for each AWS account that you are granting permissions to.

To add this code, you can use the Settings page on the AWS Glue console, or the glue:PutResourcePolicy API operation.

Replace <recipient-account-id> with the account ID of the AWS account receiving the grant, <region> with the Region of the Data Catalog containing the databases and tables that you are granting permissions on, and <account-id> with your AWS account ID.

    {
        "Effect": "Allow",
        "Action": [
            "glue:*"
        ],
        "Principal": {
            "AWS": [
                "<recipient-account-id>"
            ]
        },
        "Resource": [
            "arn:aws:glue:<region>:<account-id>:table/*",
            "arn:aws:glue:<region>:<account-id>:database/*",
            "arn:aws:glue:<region>:<account-id>:catalog"
        ],
        "Condition": {
            "Bool": {
                "glue:EvaluatedByLakeFormationTags": true
            }
        }
    }

Note

All code in the resource policy must be within a Statement.

    {
        "Version": "2012-10-17",
        "Statement": []
    }

Important

If you are currently also granting cross-account permissions by using the named resource method, you must set the EnableHybrid argument to 'true' when you invoke the glue:PutResourcePolicy API operation. For more information, see Managing Cross-Account Permissions Using Both AWS Glue and Lake Formation.
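The following is an added example, not code from the AWS documentation: it builds one of the statements above per recipient account, wraps them in the required Statement array, checks that no Allow statement grants glue:* without the glue:EvaluatedByLakeFormationTags condition (such a statement would bypass Lake Formation's evaluation), and applies the result with glue:PutResourcePolicy and EnableHybrid. It assumes boto3 and AWS credentials only for the final call; the account IDs used in the test are constructed placeholders.

```python
import json

TBAC_KEY = "glue:EvaluatedByLakeFormationTags"


def tbac_statement(region, account_id, recipient_id):
    """One Statement entry per recipient, mirroring the page's JSON object."""
    for v in (account_id, recipient_id):  # catch unreplaced <placeholders>
        if not (v.isdigit() and len(v) == 12):
            raise ValueError(f"not a 12-digit AWS account ID: {v!r}")
    return {
        "Effect": "Allow",
        "Action": ["glue:*"],
        "Principal": {"AWS": [recipient_id]},
        "Resource": [
            f"arn:aws:glue:{region}:{account_id}:table/*",
            f"arn:aws:glue:{region}:{account_id}:database/*",
            f"arn:aws:glue:{region}:{account_id}:catalog",
        ],
        "Condition": {"Bool": {TBAC_KEY: True}},
    }


def build_policy(region, account_id, recipient_ids):
    """Every statement must sit inside the Statement array (see the Note)."""
    return {
        "Version": "2012-10-17",
        "Statement": [tbac_statement(region, account_id, r) for r in recipient_ids],
    }


def unguarded_statements(policy):
    """Allow statements granting glue:* without the LF-Tags condition; these
    would give the recipient Glue access that Lake Formation never evaluates."""
    bad = []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        cond = st.get("Condition", {}).get("Bool", {})
        if st.get("Effect") == "Allow" and "glue:*" in actions \
                and cond.get(TBAC_KEY) not in (True, "true"):
            bad.append(st)
    return bad


def put_policy(policy, hybrid=True):
    """Apply with glue:PutResourcePolicy; EnableHybrid='TRUE' when named-resource
    cross-account grants are also in use (see the Important note)."""
    import boto3  # imported here so the rest of the module runs offline
    return boto3.client("glue").put_resource_policy(
        PolicyInJson=json.dumps(policy), EnableHybrid="TRUE" if hybrid else "FALSE")
```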