Granting Database Permissions (Same Account) - AWS Lake Formation

Granting Database Permissions (Same Account)

You can grant Data Catalog permissions on databases by using the AWS Lake Formation console, API, or AWS Command Line Interface (AWS CLI).

To grant database permissions (console, same account)

  1. Open the AWS Lake Formation console at https://console.aws.amazon.com/lakeformation/, and sign in as a data lake administrator or database creator.

    A database creator is a principal who has already been granted the permission to create databases.

  2. Do one of the following:

    • In the navigation pane, choose Data permissions. Then choose Grant.

    • In the navigation pane, choose Databases. Then, on the Databases page, select a database, and on the Actions menu, under Permissions, choose Grant.

    Note

    You can grant permissions on a database through its resource link. To do so, on the Databases page, select a resource link, and on the Actions menu, choose Grant on target. To grant permissions on the resource link itself, see Granting Resource Link Permissions.

  3. In the Grant permissions dialog box, ensure that the My account tile is selected. Then provide the following information:

    • For IAM users and roles, choose one or more principals.

    • For SAML and Amazon QuickSight users and groups, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML or ARNs for Amazon QuickSight users or groups.

      Enter one ARN at a time, and press Enter after each ARN. For information about how to construct the ARNs, see Lake Formation Grant and Revoke AWS CLI Commands.

      Note

      Lake Formation integration with Amazon QuickSight is supported for Amazon QuickSight Enterprise Edition only.

    • If the Database field is present, choose the database to grant permissions on.

    • For Database permissions, select the permissions that you want to grant.

    • (Optional) For Grantable permissions, select the permissions that you want the principal to be able to grant to others.

    (Screenshot: In the Grant permissions dialog box, the user datalake_user and the database retail are selected, and the permissions CREATE_TABLE and ALTER are being granted.)

  4. Choose Grant.

Note

After granting CREATE_TABLE or ALTER on a database that has a location property that points to a registered location, be sure to also grant data location permissions on the location to the principals. For more information, see Granting Data Location Permissions.

To grant database permissions (AWS CLI, same account)

  • Run a grant-permissions command, specifying a metadata database or the Data Catalog as the resource, depending on the permission being granted.

    In the following examples, replace <account-id> with a valid AWS account ID.

    This example grants CREATE_DATABASE to user datalake_user1. Because the resource on which this permission is granted is the Data Catalog, the command specifies an empty CatalogResource structure as the resource parameter.

    aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::<account-id>:user/datalake_user1 --permissions "CREATE_DATABASE" --resource '{ "Catalog": {}}' --profile datalake_admin

    The profile option indicates that the command should be run as user datalake_admin. This assumes that the config and credentials files in the requester's ~/.aws directory contain profiles for user datalake_admin. For more information, see AWS CLI Configuration Variables in the AWS CLI Command Reference.

    The next example grants CREATE_TABLE on the database retail to user datalake_user1.

    aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::<account-id>:user/datalake_user1 --permissions "CREATE_TABLE" --resource '{ "Database": {"Name":"retail"}}' --profile datalake_admin

    For more examples, see Lake Formation Permissions Reference.
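    The two grant-permissions calls above differ only in which resource structure they target. The following added example (not AWS code; the account ID 123456789012 and the permission sets are assumptions) builds the same request bodies offline, rejects a permission that does not belong to the chosen resource, flags the data location follow-up from the note, and renders the equivalent CLI command line.

```python
"""Build Lake Formation grant-permissions requests offline and check the
resource/permission pairing described on this page."""
import json
import shlex

# Assumed permission sets: CREATE_DATABASE is granted on the Data Catalog;
# the others are database-level permissions.
CATALOG_PERMISSIONS = {"CREATE_DATABASE"}
DATABASE_PERMISSIONS = {"CREATE_TABLE", "ALTER", "DROP", "DESCRIBE", "ALL"}


def build_grant_request(principal_arn, permissions, database=None, grantable=()):
    """Return the request body (same shape boto3's grant_permissions() takes)
    or raise ValueError when a permission does not apply to the resource."""
    perms = set(permissions) | set(grantable)
    if database is None:
        # Granting on the Data Catalog itself: the resource is an empty Catalog struct.
        bad = perms - CATALOG_PERMISSIONS
        if bad:
            raise ValueError(f"{sorted(bad)} apply to a database, not the Data Catalog")
        resource = {"Catalog": {}}
    else:
        bad = perms - DATABASE_PERMISSIONS
        if bad:
            raise ValueError(f"{sorted(bad)} cannot be granted on database {database!r}")
        resource = {"Database": {"Name": database}}
    request = {
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        "Resource": resource,
        "Permissions": list(permissions),
    }
    if grantable:
        request["PermissionsWithGrantOption"] = list(grantable)
    return request


def needs_data_location_grant(request):
    """True when the note applies: CREATE_TABLE or ALTER on a database whose
    location is registered also needs data location permissions."""
    return "Database" in request["Resource"] and bool(
        {"CREATE_TABLE", "ALTER"} & set(request["Permissions"]))


def to_cli(request, profile="datalake_admin"):
    """Render the request as the aws CLI command line shown above."""
    argv = ["aws", "lakeformation", "grant-permissions",
            "--principal", "DataLakePrincipalIdentifier=" + request["Principal"]["DataLakePrincipalIdentifier"],
            "--permissions", *request["Permissions"],
            "--resource", json.dumps(request["Resource"]),
            "--profile", profile]
    if "PermissionsWithGrantOption" in request:
        argv += ["--permissions-with-grant-option", *request["PermissionsWithGrantOption"]]
    return shlex.join(argv)
```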

Note

After granting CREATE_TABLE or ALTER on a database that has a location property that points to a registered location, be sure to also grant data location permissions on the location to the principals. For more information, see Granting Data Location Permissions.