Cross-account access prerequisites - AWS Lake Formation

Cross-account access prerequisites

Before your AWS account can share Data Catalog databases and tables (Data Catalog resources), and before you can access resources shared with your account, the following prerequisites must be met:

  • If you're currently using an AWS Glue Data Catalog resource policy and you want to grant cross-account permissions using the named resource method, you must either remove the policy or add new permissions to it that are required for cross-account grants. If you intend to use the Lake Formation tag-based access control (LF-TBAC) method, you must have a Data Catalog resource policy that enables LF-TBAC. For more information, see Managing cross-account permissions using both AWS Glue and Lake Formation and Lake Formation tag-based access control cross-account prerequisites.

  • Before granting cross-account permissions on a Data Catalog resource, you must revoke all Lake Formation permissions from the IAMAllowedPrincipals group for the resource.

  • For Data Catalog databases that contain tables that you intend to share, you must prevent new tables from having a default grant of Super to IAMAllowedPrincipals. On the Lake Formation console, edit the database and turn off Use only IAM access control for new tables in this database. Or, enter the following AWS CLI command, replacing <database> with the name of the database.

    aws glue update-database --name <database> --database-input '{"Name":"<database>","CreateTableDefaultPermissions":[]}'

    Also, for databases where you want external accounts to create tables, ensure that this setting is off.

  • If you want to use the named resources method to share Data Catalog resources with your organization or organizational units, sharing with organizations must be enabled in AWS RAM.

    For information on how to enable sharing with organizations, see Enable Sharing with AWS Organizations in the AWS RAM User Guide.

    You must have the ram:EnableSharingWithAwsOrganization permission to enable sharing with organizations.

  • You can't grant cross-account access to a database or table that is encrypted (that is, one created in an encrypted Data Catalog) if you don't have permissions on the Data Catalog encryption key.

  • Users who want to use the named resources method to grant cross-account permissions must have the required AWS Identity and Access Management (IAM) permissions on AWS Glue and the AWS Resource Access Manager (AWS RAM) service. The AWS managed policy AWSLakeFormationCrossAccountManager grants the required permissions.

    Data lake administrators in accounts that receive resources that were shared with the named resource method must have the following additional policy. It allows the administrator to accept AWS RAM resource share invitations. It also allows the administrator to enable resource sharing with organizations.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ram:AcceptResourceShareInvitation",
                    "ram:RejectResourceShareInvitation",
                    "ec2:DescribeAvailabilityZones",
                    "ram:EnableSharingWithAwsOrganization"
                ],
                "Resource": "*"
            }
        ]
    }

  • The account receiving the cross-account share must have the glue:PutResourcePolicy permission to accept the AWS RAM resource share invitation.

  • There is an additional requirement when you use an AWS Glue crawler to crawl an Amazon S3 location in another account and save the resulting tables in a database in the other account. The S3 bucket must have a bucket policy that grants permissions on the bucket to the crawler role.