Accessing the Underlying Data of a Shared Table - AWS Lake Formation

Accessing the Underlying Data of a Shared Table

Assume that AWS account A shares a Data Catalog table with account B—for example, by granting SELECT with the grant option on the table to account B. For a principal in account B to be able to read the shared table's underlying data, the following conditions must be met:

  • The data lake administrator in account B must accept the share. (This isn't necessary if accounts A and B are in the same organization.)

  • The data lake administrator must re-grant to the principal the Lake Formation SELECT permission that account A granted on the shared table.

  • The principal must have the following IAM permissions on the table, the database that contains it, and the account A Data Catalog.

    Note

    In the following IAM policy:

    • Replace <account-id-A> with the AWS account ID of account A.

    • Replace <region> with a valid Region.

    • Replace <database> with the name of the database in account A that contains the shared table.

    • Replace <table> with the name of the shared table.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:BatchGetPartition", "glue:GetDatabase", "glue:GetDatabases" ], "Resource": [ "arn:aws:glue:<region>:<account-id-A>:table/<database>/<table>", "arn:aws:glue:<region>:<account-id-A>:database/<database>", "arn:aws:glue:<region>:<account-id-A>:catalog" ] }, { "Effect": "Allow", "Action": [ "lakeformation:GetDataAccess" ], "Resource": [ "arn:aws:lakeformation:<region>:<account-id-A>:catalog:<account-id-A>" ], "Condition": { "StringEquals": { "lakeformation:GlueARN":"arn:aws:glue:<region>:<account-id-A>:table/<database>/<table>" } } } ] }