Granting Database Permissions (External Account) - AWS Lake Formation

Granting Database Permissions (External Account)

Follow these steps to grant AWS Lake Formation permissions on one or more databases to an external AWS account, organization, or organizational unit. By granting cross-account permissions on a database, you are automatically sharing that database.

You can grant permissions by using the Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

Before You Begin

Ensure that all cross-account access prerequisites are satisfied. For more information, see Cross-Account Access Prerequisites.

To grant database permissions (external account, console)

  1. Open the AWS Lake Formation console at https://console.aws.amazon.com/lakeformation/, and sign in as a user who has the AWSLakeFormationCrossAccountManager AWS managed policy attached. This is one of the recommended policies for the data lake administrator, but any user can attach this policy to grant cross-account permissions.

  2. Do one of the following:

    • In the navigation pane, choose Data permissions, and then choose Grant.

    • In the navigation pane, choose Databases. Then on the Databases page, select a database, and on the Actions menu, under Permissions, choose Grant.

    Note

    You can grant permissions on a database through its resource link. To do so, on the Databases page, select a resource link, and on the Actions menu, choose Grant on target. To grant permissions on the resource link itself, see Granting Resource Link Permissions.

  3. In the Grant permissions dialog box, choose the External account tile.

  4. Provide the following information:

    • For AWS account ID or AWS organization ID, enter one or more valid AWS account IDs, organization IDs, or organizational unit IDs. Press Enter after each ID.

      An organization ID consists of "o-" followed by 10 to 32 lowercase letters or digits.

      An organizational unit ID consists of "ou-" followed by 4 to 32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" dash and 8 to 32 additional lowercase letters or digits.

    • If the Database field is present, select one or more databases in your AWS account.

    • For Database permissions, select the permissions that you want to grant, and ensure that the same permissions under Grantable permissions are selected.

      By selecting the grant option on the permissions, you enable the data lake administrator in the external account to grant permissions on the databases to other principals in the external account.

      You can grant any of the Lake Formation database permissions to other AWS accounts. Be sure to also grant cross-account data location permissions to the principals if the database has a location property defined. For more information, see Granting Data Location Permissions.

      [Screenshot: In the Grant permissions dialog box, the External account radio button is selected. An AWS account ID is supplied and the retail database is chosen as the database to grant permissions on. The Create table permission and the Create table grantable permission check boxes are selected.]

  5. Choose Grant.

Note

If you grant the CREATE_TABLE or ALTER permissions on a database that has a location property that points to a registered location, be sure to also grant data location permissions on the location to the external account. For more information, see Granting Data Location Permissions.

To grant database permissions (external account, AWS CLI)

  • Enter commands similar to the following examples.

    • Grant CREATE_TABLE with the grant option on the database retail to account 1111-2222-3333.

      aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333 --permissions "CREATE_TABLE" --permissions-with-grant-option "CREATE_TABLE" --resource '{ "Database": {"Name":"retail"}}'

    • Grant ALTER with the grant option on the database issues to the organization o-abcdefghijkl.

      aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:organizations::111122223333:organization/o-abcdefghijkl --permissions "ALTER" --permissions-with-grant-option "ALTER" --resource '{ "Database": {"Name":"issues"}}'

Note

If you grant the CREATE_TABLE or ALTER permissions on a database that has a location property that points to a registered location, be sure to also grant data location permissions on the location to the external account. For more information, see Granting Data Location Permissions.
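
The following is an added example, not code from the AWS documentation: it validates a cross-account principal against the ID formats described above (12-digit account ID, "o-" organization ID, "ou-" organizational unit ID), builds the same request the grant-permissions CLI calls send, and flags the follow-up data location grant that the note above requires when CREATE_TABLE or ALTER is granted on a database with a location. The Organizations ARN form for an OU principal and the sample S3 location are assumptions.

```python
import re

# Identifier formats as stated on this page.
ACCOUNT_RE = re.compile(r"^\d{12}$")
ORG_ID = r"o-[a-z0-9]{10,32}"
OU_ID = r"ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}"
# Organization principals are passed as AWS Organizations ARNs; the
# organization form appears on the page, the OU form is an assumption.
ORG_ARN_RE = re.compile(rf"^arn:aws:organizations::\d{{12}}:organization/{ORG_ID}$")
OU_ARN_RE = re.compile(rf"^arn:aws:organizations::\d{{12}}:ou/{ORG_ID}/{OU_ID}$")

# Lake Formation database-level permissions.
DATABASE_PERMISSIONS = {"ALL", "ALTER", "CREATE_TABLE", "DESCRIBE", "DROP"}
# Permissions that also need DATA_LOCATION_ACCESS on the database location.
LOCATION_SENSITIVE = {"CREATE_TABLE", "ALTER"}


def classify_principal(principal):
    """Return the principal type, or raise if the identifier is malformed."""
    if ACCOUNT_RE.match(principal):
        return "account"
    if ORG_ARN_RE.match(principal):
        return "organization"
    if OU_ARN_RE.match(principal):
        return "organizational_unit"
    raise ValueError(f"unsupported cross-account principal: {principal!r}")


def build_cross_account_grant(principal, database, permissions,
                              grant_option=True, location_uri=None):
    """Build the grant-permissions request plus any required follow-up grants."""
    kind = classify_principal(principal)
    perms = sorted(set(permissions))
    unknown = set(perms) - DATABASE_PERMISSIONS
    if unknown:
        raise ValueError(f"not database permissions: {sorted(unknown)}")
    request = {
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": {"Database": {"Name": database}},
        "Permissions": perms,
        # The grant option lets the external data lake admin re-grant.
        "PermissionsWithGrantOption": perms if grant_option else [],
    }
    follow_ups = []
    if location_uri and LOCATION_SENSITIVE & set(perms):
        follow_ups.append(
            f"grant DATA_LOCATION_ACCESS on {location_uri} to {principal}")
    return {"principal_type": kind, "request": request, "follow_ups": follow_ups}
```

The returned request dictionary maps one-to-one onto the CLI flags shown above, and a non-empty follow_ups list means the grant is incomplete until the data location permission is also granted.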