Granting and revoking permissions on Data Catalog resources - AWS Lake Formation

Granting and revoking permissions on Data Catalog resources

You can grant Data Catalog permissions to principals in AWS Lake Formation so that the principals can create and manage Data Catalog resources, and can access underlying data.

You can grant Data Catalog permissions on both metadata databases and metadata tables. When you grant permissions on tables, you can limit access to specific table columns for even more fine-grained access control.

You can grant permissions on individual tables, or with a single grant operation, you can grant permissions on all tables in a database. If you grant permissions on all tables in a database, you are implicitly granting the DESCRIBE permission on the database. The database then appears on the Databases page on the console, and is returned by the GetDatabases API operation.

You can grant permissions by using either the named resource method or the Lake Formation tag-based access control (LF-TBAC) method.

You can grant permissions to principals in the same AWS account or to external accounts or organizations. When you grant to external accounts or organizations, you are sharing resources that you own with those accounts or organizations. Principals in those accounts or organizations can then access Data Catalog resources that you own and the underlying data.

Note

Currently, the LF-TBAC method supports granting cross-account permissions to IAM principals, AWS accounts, AWS Organizations, and organizational units (OUs).

When you grant permissions to external accounts or organizations, you must include the grant option. Only the data lake administrator in the external account can access the shared resources until the administrator grants permissions on the shared resources to other principals in the external account.

You can grant Data Catalog permissions by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).