Granting Database Permissions Using the Lake Formation Console and the Named Resource Method - AWS Lake Formation

Granting Database Permissions Using the Lake Formation Console and the Named Resource Method

The following steps explain how to grant database permissions by using the named resource method and the Grant Permissions page on the Lake Formation console. The page is divided into the following sections:

  • Principals – The users, roles, AWS accounts, organizations, or organizational units to grant permissions to.

  • Policy tags or catalog resources – The databases, tables, or resource links to grant permissions on.

  • Permissions – The Lake Formation permissions to grant.

Note

To grant permissions on a database resource link, see Granting Resource Link Permissions.

Open the Grant Permissions Page

  1. Open the AWS Lake Formation console at https://console.aws.amazon.com/lakeformation/, and sign in as a data lake administrator, the database creator, or a user who has been granted Lake Formation permissions on the database with the grant option.

  2. Do one of the following:

    • In the navigation pane, choose Data permissions. Then choose Grant.

    • In the navigation pane, choose Databases. Then, on the Databases page, choose a database, and on the Actions menu, under Permissions, choose Grant.

    Note

    You can grant permissions on a database through its resource link. To do so, on the Databases page, choose a resource link, and on the Actions menu, choose Grant on target. For more information, see How Resource Links Work in Lake Formation.

Specify the Principals

In the Principals section, choose a principal type and then specify principals to grant permissions to.


                  The Principals section contains three tiles that are named in the
                     following text. Each tile contains a option button and text. The IAM users and
                     roles tile is selected, and an IAM users and roles dropdown list is below the
                     tiles.
IAM users and roles

Choose one or more users or roles from the IAM users and roles list.

SAML users and groups

For SAML and Amazon QuickSight users and groups, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML, or ARNs for Amazon QuickSight users or groups. Press Enter after each ARN.

For information about how to construct the ARNs, see Lake Formation Grant and Revoke AWS CLI Commands.

Note

Lake Formation integration with Amazon QuickSight is supported for Amazon QuickSight Enterprise Edition only.

External accounts

For AWS account or AWS organization, enter one or more valid AWS account IDs, organization IDs, or organizational unit IDs. Press Enter after each ID.

An organization ID consists of "o-" followed by 10–32 lower-case letters or digits.

An organizational unit ID starts with "ou-" followed by 4–32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" dash and 8 to 32 additional lowercase letters or digits.

Specify the Databases

In the Policy tags or catalog resources section, choose one or more databases to grant permissions on.

  1. Choose Named data catalog resources.

    
                        The Policy tags or catalog resources section contains two tiles
                           arranged horizontally, where each tile contains an option button and
                           descriptive text. The options are Resources matched by policy tags, and
                           Named data catalog resources. Below the tiles are two dropdown lists:
                           Database and Table. The Database dropdown list has a tile beneath it
                           containing the selected database name.
  2. Choose one or more databases from the Database list.

Specify the Permissions

In the Permissions section, select permissions and grantable permissions.


                  The Permissions section contains two tiles, arranged horizontally. Each
                     tile contains a option button and text. The Database permissions tile is
                     selected. The other tile, Column-based permissions, is disabled, because it
                     relates to table permissions. Below the tiles is a group of check boxes for
                     database permissions to grant. Check boxes include Create Table, Alter, Drop,
                     Describe, and Super. Below that group is another group of the same check boxes
                     for grantable permissions.
  1. Under Database permissions, select one or more permissions to grant.

    Note

    After granting Create Table or Alter on a database that has a location property that points to a registered location, be sure to also grant data location permissions on the location to the principals. For more information, see Granting Data Location Permissions.

  2. (Optional) Under Grantable permissions, select the permissions that the grant recipient can grant to other principals in their AWS account.

  3. Choose Grant.