Granting database permissions using the AWS CLI and the named resources method
You can grant database permissions by using the named resource method and the AWS Command Line Interface (AWS CLI).
To grant database permissions using the AWS CLI

- Run a grant-permissions command, and specify a database or the Data Catalog as the resource, depending on the permission being granted. In the following examples, replace <account-id> with a valid AWS account ID.

Example – Grant to create a database

This example grants CREATE_DATABASE to user datalake_user1. Because the resource on which this permission is granted is the Data Catalog, the command specifies an empty CatalogResource structure as the resource parameter.

aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::<account-id>:user/datalake_user1 --permissions "CREATE_DATABASE" --resource '{ "Catalog": {}}'

Example – Grant to create tables in a designated database

The next example grants CREATE_TABLE on the database retail to user datalake_user1.

aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::<account-id>:user/datalake_user1 --permissions "CREATE_TABLE" --resource '{ "Database": {"Name":"retail"}}'

Example – Grant to an external AWS account with the Grant option

The next example grants CREATE_TABLE with the grant option on the database retail to external account 1111-2222-3333.

aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333 --permissions "CREATE_TABLE" --permissions-with-grant-option "CREATE_TABLE" --resource '{ "Database": {"Name":"retail"}}'

Example – Grant to an organization

The next example grants ALTER with the grant option on the database issues to the organization o-abcdefghijkl.

aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:organizations::111122223333:organization/o-abcdefghijkl --permissions "ALTER" --permissions-with-grant-option "ALTER" --resource '{ "Database": {"Name":"issues"}}'

Example – Grant to ALLIAMPrincipals in the same account

The next example grants CREATE_TABLE permission on the database retail to all principals in the same account. This option enables every principal in the account to create a table in the database and to create a table resource link, which allows integrated query engines to access shared databases and tables. This option is especially useful when a principal receives a cross-account grant but does not have the permission to create resource links. In this scenario, the data lake administrator can create a placeholder database and grant CREATE_TABLE permission to the ALLIAMPrincipal group, enabling every IAM principal in the account to create resource links in the placeholder database.

aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333:IAMPrincipals --permissions "CREATE_TABLE" --resource '{ "Database": {"Name":"temp","CatalogId":"111122223333"}}'

Example – Grant to ALLIAMPrincipals in an external account

The next example grants CREATE_TABLE on the database retail to all principals in an external account. This option enables every principal in that account to create a table in the database.

aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333:IAMPrincipals --permissions "CREATE_TABLE" --resource '{ "Database": {"Name":"retail","CatalogId":"123456789012"}}'
After granting CREATE_TABLE or ALTER on a database that has a location property that points to a registered location, be sure to also grant data location permissions on the location to the principals. For more information, see Granting data location permissions.
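The following script is an added example, not part of the AWS documentation: it assembles the grant-permissions commands shown above and prints them for review instead of running them, so a reviewer can see exactly which principal form, resource shape and grant option a change request would apply. The helper names are hypothetical; the account IDs and S3 bucket are constructed placeholders, and the DATA_LOCATION_ACCESS permission used for the follow-up data location grant is taken from the Lake Formation API rather than from this page.

```shell
#!/usr/bin/env sh
# Added example (not AWS documentation code). Helper names are hypothetical;
# account IDs and the bucket ARN below are constructed placeholders.

# Build the --resource JSON: an empty Catalog for CREATE_DATABASE, a Database
# (optionally with CatalogId for cross-account grants), or a DataLocation for
# the follow-up data location grant the page reminds you to make.
lf_resource() {
  case "$1" in
    catalog)  printf '{"Catalog": {}}' ;;
    database) if [ -n "${3:-}" ]; then
                printf '{"Database": {"Name": "%s", "CatalogId": "%s"}}' "$2" "$3"
              else
                printf '{"Database": {"Name": "%s"}}' "$2"
              fi ;;
    location) printf '{"DataLocation": {"ResourceArn": "%s"}}' "$2" ;;
    *) return 1 ;;
  esac
}

# Accept only the principal forms used on this page: IAM user ARN, bare
# 12-digit account ID, organization ARN, or <account>:IAMPrincipals.
lf_principal_ok() {
  printf '%s' "$1" | grep -Eq \
    '^(arn:aws:iam::[0-9]{12}:user/[^/]+|[0-9]{12}|arn:aws:organizations::[0-9]{12}:organization/o-[a-z0-9]+|[0-9]{12}:IAMPrincipals)$'
}

# Print the full command. The grant option is emitted only when the 4th
# argument is literally "with-grant", so delegation rights are an explicit choice.
lf_grant_cmd() {
  principal="$1"; permission="$2"; resource="$3"; grant="${4:-}"
  lf_principal_ok "$principal" || { echo "rejected principal: $principal" >&2; return 1; }
  cmd="aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=$principal --permissions \"$permission\""
  if [ "$grant" = "with-grant" ]; then
    cmd="$cmd --permissions-with-grant-option \"$permission\""
  fi
  printf "%s --resource '%s'\n" "$cmd" "$resource"
}

# Demo: the CREATE_TABLE grant from the page, followed by the data location
# grant that is needed when the database points at a registered location.
lf_grant_cmd arn:aws:iam::111122223333:user/datalake_user1 CREATE_TABLE "$(lf_resource database retail)"
lf_grant_cmd arn:aws:iam::111122223333:user/datalake_user1 DATA_LOCATION_ACCESS \
  "$(lf_resource location arn:aws:s3:::example-bucket/retail/)"
```

Pipe the printed lines into sh only after review; nothing in the script calls the AWS CLI itself.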