Cross-Account Access Prerequisites - AWS Lake Formation

Cross-Account Access Prerequisites

Before your AWS account can share Data Catalog databases and tables (Data Catalog resources), and before you can access resources shared with your account, the following prerequisites must be met:

  • If you're currently using an AWS Glue Data Catalog resource policy and you want to grant cross-account permissions using Lake Formation, you must either remove the policy or add new permissions to it that are required for cross-account grants. For more information, see Managing Cross-Account Permissions Using Both AWS Glue and Lake Formation.

  • Before granting cross-account permissions on a Data Catalog resource, you must revoke all Lake Formation permissions from the IAMAllowedPrincipals group for the resource. For more information, see Revoking Data Catalog Permissions (Same Account).

  • For Data Catalog databases that contain tables that you intend to share, you must prevent new tables from having a default grant of Super to IAMAllowedPrincipals. On the Lake Formation console, edit the database and turn off Use only IAM access control for new tables in this database. Or, enter the following AWS CLI command, replacing <database> with the name of the database.

    aws glue update-database --name <database> --database-input '{"Name":"<database>","CreateTableDefaultPermissions":[]}'

    Also, for databases where you want external accounts to create tables, ensure that this setting is off.
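    The two checks above (no remaining IAMAllowedPrincipals grants on the resource, and no default grant for new tables) can be verified before sharing. The following script is an added example, not part of the AWS documentation: it works on the response shapes of the Glue GetDatabase and Lake Formation ListPermissions APIs, with both responses constructed inline so it runs offline. The database name, role ARN and account ID are made-up sample values; in real use you would fetch the responses with boto3 (`glue.get_database(Name=...)` and `lakeformation.list_permissions(Resource=...)`) and pass them in unchanged.

```python
"""Pre-share readiness check for a Data Catalog database (added example).

Inputs are the dicts returned by glue:GetDatabase and
lakeformation:ListPermissions. Here they are constructed samples so the
check runs offline; with boto3 you would pass in
    glue.get_database(Name=db)
    lf.list_permissions(Resource={"Database": {"Name": db}})
"""
import json

# The IAMAllowedPrincipals group as it appears in API responses.
IAM_ALLOWED = "IAM_ALLOWED_PRINCIPALS"

# Constructed sample: a database that still hands new tables the default grant.
SAMPLE_GET_DATABASE = {
    "Database": {
        "Name": "sales",  # sample database name
        "CreateTableDefaultPermissions": [
            {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED},
             "Permissions": ["ALL"]}
        ],
    }
}

# Constructed sample: IAMAllowedPrincipals still holds Super (ALL) on the database.
SAMPLE_LIST_PERMISSIONS = {
    "PrincipalResourcePermissions": [
        {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED},
         "Resource": {"Database": {"Name": "sales"}},
         "Permissions": ["ALL"], "PermissionsWithGrantOption": []},
        {"Principal": {"DataLakePrincipalIdentifier":
                       "arn:aws:iam::111122223333:role/analyst"},  # sample ARN
         "Resource": {"Table": {"DatabaseName": "sales", "Name": "orders"}},
         "Permissions": ["SELECT"], "PermissionsWithGrantOption": []},
    ]
}


def default_grants_to_iam_allowed(get_database_response):
    """True if new tables in this database would get a default grant to IAMAllowedPrincipals."""
    defaults = get_database_response["Database"].get("CreateTableDefaultPermissions", [])
    return any(
        d["Principal"].get("DataLakePrincipalIdentifier") == IAM_ALLOWED
        and bool(d.get("Permissions"))
        for d in defaults
    )


def describe_resource(resource):
    """Short human-readable name for a Lake Formation resource object."""
    if "Table" in resource:
        t = resource["Table"]
        return f"table {t['DatabaseName']}.{t.get('Name', '*')}"
    if "Database" in resource:
        return f"database {resource['Database']['Name']}"
    return ",".join(resource)


def iam_allowed_grants(list_permissions_response):
    """(resource, sorted permissions) pairs still held by IAMAllowedPrincipals."""
    found = []
    for entry in list_permissions_response.get("PrincipalResourcePermissions", []):
        if entry["Principal"].get("DataLakePrincipalIdentifier") != IAM_ALLOWED:
            continue
        found.append((describe_resource(entry["Resource"]),
                      sorted(entry.get("Permissions", []))))
    return found


def update_database_input(get_database_response):
    """The --database-input JSON that clears the default grant (same shape as the CLI command above)."""
    name = get_database_response["Database"]["Name"]
    return json.dumps({"Name": name, "CreateTableDefaultPermissions": []})


def readiness_report(get_database_response, list_permissions_response):
    """Blocking findings for a cross-account grant; an empty list means the prerequisites hold."""
    findings = []
    if default_grants_to_iam_allowed(get_database_response):
        findings.append("new tables default to a grant for IAMAllowedPrincipals; "
                        "run update-database with CreateTableDefaultPermissions=[]")
    for res, perms in iam_allowed_grants(list_permissions_response):
        findings.append(f"IAMAllowedPrincipals still holds {perms} on {res}; "
                        "revoke before granting cross-account permissions")
    return findings


if __name__ == "__main__":
    for finding in readiness_report(SAMPLE_GET_DATABASE, SAMPLE_LIST_PERMISSIONS):
        print("BLOCKER:", finding)
    print("fix:", update_database_input(SAMPLE_GET_DATABASE))
```

    Run against the samples it reports both blockers and prints the exact `--database-input` document from the CLI command above. ListPermissions is paginated, so a production version would loop over `NextToken` before calling `readiness_report`.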

  • If you want to share Data Catalog resources with your organization or organizational units, sharing with organizations must be enabled in AWS RAM.

    For information on how to enable sharing with organizations, see Enable Sharing with AWS Organizations in the AWS RAM User Guide.

    You must have the ram:EnableSharingWithAwsOrganization permission to enable sharing with organizations.

  • You can't grant cross-account access to a database or table that is encrypted (that is, one created in an encrypted Data Catalog) if you don't have permissions on the Data Catalog encryption key.

  • Users who want to grant cross-account permissions must have the required AWS Identity and Access Management (IAM) permissions on AWS Glue and the AWS Resource Access Manager (AWS RAM) service. Lake Formation uses AWS RAM to share Data Catalog resources.

    The AWS managed policy AWSLakeFormationCrossAccountManager enables a user to share Data Catalog resources across accounts and with organizations and organizational units.

    Data lake administrators in accounts that receive shared resources must have the following additional policy. It allows the administrator to accept AWS RAM resource share invitations. It also allows the administrator to enable resource sharing with organizations.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ram:AcceptResourceShareInvitation",
                    "ram:RejectResourceShareInvitation",
                    "ec2:DescribeAvailabilityZones",
                    "ram:EnableSharingWithAwsOrganization"
                ],
                "Resource": "*"
            }
        ]
    }

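    Whether an administrator's actual policy covers these four actions (including the ram:EnableSharingWithAwsOrganization permission needed for sharing with organizations) is easy to get wrong once wildcards and Deny statements are involved. The following checker is an added example, not AWS code: it takes an IAM policy document as a dict and reports which required actions are not allowed. The SAMPLE_POLICY is constructed to show the two failure modes (a missed action and an explicit Deny); DOC_POLICY is the policy from this page. Conditions and Resource constraints are deliberately not evaluated, so a statement scoped by either still needs a manual look.

```python
"""Check an IAM policy document for the receiving-account admin actions (added example).

Matching follows IAM's basic rules: Action may be a string or a list,
'*' and '?' are wildcards, matching is case-insensitive, and an explicit
Deny wins over any Allow. NotAction, Condition and Resource are not
evaluated here (assumption: the policy is a plain Allow/Deny action list).
"""
import fnmatch

# The actions in the administrator policy shown above.
REQUIRED_ACTIONS = [
    "ram:AcceptResourceShareInvitation",
    "ram:RejectResourceShareInvitation",
    "ec2:DescribeAvailabilityZones",
    "ram:EnableSharingWithAwsOrganization",
]

# The policy from the page, as a dict.
DOC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": REQUIRED_ACTIONS, "Resource": "*"}],
}

# Constructed sample: a wildcard covers the invitation actions, the EC2
# action was forgotten, and organization sharing is explicitly denied.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ram:*ResourceShareInvitation", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ram:EnableSharingWithAwsOrganization"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["ram:EnableSharingWithAwsOrganization"], "Resource": "*"},
    ],
}


def _statements(policy):
    """Statement may be a single object or a list; always return a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _actions(stmt):
    """Action may be a single string or a list; always return a list."""
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def _matches(pattern, action):
    # IAM action names are matched case-insensitively with '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_decision(policy, action):
    """'deny', 'allow' or 'implicit-deny' for one action under this policy."""
    decision = "implicit-deny"
    for stmt in _statements(policy):
        if not any(_matches(p, action) for p in _actions(stmt)):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"          # explicit Deny overrides every Allow
        if stmt.get("Effect") == "Allow":
            decision = "allow"
    return decision


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """(action, decision) pairs for required actions the policy does not allow."""
    missing = []
    for action in required:
        decision = action_decision(policy, action)
        if decision != "allow":
            missing.append((action, decision))
    return missing


if __name__ == "__main__":
    print("page policy missing:", missing_actions(DOC_POLICY))
    for action, why in missing_actions(SAMPLE_POLICY):
        print(f"{action}: {why}")
```

    The page's own policy passes; the constructed one reports ec2:DescribeAvailabilityZones as implicitly denied and ram:EnableSharingWithAwsOrganization as explicitly denied. For a real principal the same required-action list can be fed to the IAM policy simulator, which also evaluates conditions and service control policies that this local check ignores.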
  • There is an additional requirement when you use an AWS Glue crawler to crawl an Amazon S3 location in another account and save the resulting tables in a database in the other account. The S3 bucket must have a bucket policy that grants permissions on the bucket to the crawler role.