Granting Resource Link Permissions - AWS Lake Formation

Granting Resource Link Permissions

Follow these steps to grant AWS Lake Formation permissions on one or more resource links to a principal in your AWS account.

After you create a resource link, only you can view and access it. (This assumes that the database setting "Use only IAM access control for new tables in this database" is not enabled.) To permit other principals in your account to access the resource link, grant them the DESCRIBE or DROP permission on it.

Important

Granting permissions on a resource link doesn't grant permissions on the target (linked) database or table. You must grant permissions on the target separately.

You can grant permissions by using the Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

To grant resource link permissions (console)

  1. Open the AWS Lake Formation console at https://console.aws.amazon.com/lakeformation/, and sign in as a data lake administrator, resource link creator, or user who has been granted permissions with the grant option on the resource link.

  2. In the navigation pane, choose Data permissions.

  3. Choose Grant.

  4. In the Grant permissions dialog box, ensure that the My account tile is selected. Then provide the following information:

    • For IAM users and roles, choose one or more principals.

    • For SAML and Amazon QuickSight users and groups, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML or ARNs for Amazon QuickSight users or groups.

      Enter one ARN at a time, and press Enter after each ARN. For information about how to construct the ARNs, see Lake Formation Grant and Revoke AWS CLI Commands.

    • For Database, choose the database that contains the resource links.

      The tables list populates.

    • For Table, choose one or more resource links.

    • For Resource link permissions, select the permissions that you want to grant.

    • (Optional) For Grantable permissions, select the permissions that you want the principal to be able to grant to others.

    
                In the Grant Permissions dialog box, the radio button "My account" is
                  selected. A principal, database, and resource link are specified, and the
                  permission DESCRIBE is being granted.
  5. Choose Grant.

To grant resource link permissions (AWS CLI)

  • Run the grant-permissions command, specifying a resource link as the resource.

    This example grants DESCRIBE to user datalake_user1 on the table resource link incidents-link in the database issues in AWS account 1111-2222-3333.

    aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "DESCRIBE" --resource '{ "Table": {"DatabaseName":"issues", "Name":"incidents-link"}}'
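    The same two-step pattern in the AWS SDK, as an added example that is not code from this documentation page or from AWS. It builds the request for the resource link grant shown above, enforces the page's rule that a resource link itself only takes DESCRIBE or DROP, and then issues the separate grant on the target table that the Important note says is required. It assumes the boto3 LakeFormation client's grant_permissions keyword arguments (Principal, Resource, Permissions, PermissionsWithGrantOption); the target database, table, and catalog ID are constructed placeholders, since the page does not name the target the link points to.

```python
"""Grant Lake Formation permissions on a resource link and on its target.

Added example; not code from the AWS documentation. It assumes the boto3
LakeFormation client's grant_permissions keyword arguments (Principal,
Resource, Permissions, PermissionsWithGrantOption). Target table and
catalog values below are constructed placeholders.
"""
from typing import Dict, Iterable, List, Optional

# The only permissions Lake Formation applies to a resource link itself.
RESOURCE_LINK_PERMISSIONS = frozenset({"DESCRIBE", "DROP"})


def resource_link_grant(principal_arn: str, database: str, link_name: str,
                        permissions: Iterable[str],
                        grantable: Iterable[str] = ()) -> Dict:
    """Build the grant_permissions arguments for a resource link.

    Rejects permissions such as SELECT, which belong on the target table
    rather than the link, so the mistake surfaces before any API call.
    """
    permissions = sorted(set(permissions))
    grantable = sorted(set(grantable))
    invalid = set(permissions + grantable) - RESOURCE_LINK_PERMISSIONS
    if invalid:
        raise ValueError(f"not valid on a resource link: {sorted(invalid)}")
    request = {
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        "Resource": {"Table": {"DatabaseName": database, "Name": link_name}},
        "Permissions": permissions,
    }
    if grantable:
        request["PermissionsWithGrantOption"] = grantable
    return request


def target_table_grant(principal_arn: str, database: str, table: str,
                       permissions: Iterable[str],
                       catalog_id: Optional[str] = None) -> Dict:
    """Build the separate grant on the target table the link points to.

    A grant on the link gives no access to the target; this grant supplies
    it. catalog_id names the owning account when the target sits in a
    catalog shared from another account.
    """
    table_ref = {"DatabaseName": database, "Name": table}
    if catalog_id:
        table_ref["CatalogId"] = catalog_id
    return {
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        "Resource": {"Table": table_ref},
        "Permissions": sorted(set(permissions)),
    }


def grant_link_and_target(client, principal_arn: str, link_db: str,
                          link_name: str, target_db: str, target_table: str,
                          target_permissions: Iterable[str],
                          target_catalog_id: Optional[str] = None) -> List[Dict]:
    """Issue DESCRIBE on the link plus the target grant; return both requests.

    `client` is anything exposing grant_permissions(**kwargs), for example
    boto3.client("lakeformation") or the offline RecordingClient below.
    """
    requests = [
        resource_link_grant(principal_arn, link_db, link_name, ["DESCRIBE"]),
        target_table_grant(principal_arn, target_db, target_table,
                           target_permissions, target_catalog_id),
    ]
    for request in requests:
        client.grant_permissions(**request)
    return requests


class RecordingClient:
    """Offline stand-in for the boto3 client: records calls, sends nothing."""

    def __init__(self) -> None:
        self.calls: List[Dict] = []

    def grant_permissions(self, **kwargs) -> Dict:
        self.calls.append(kwargs)
        return {}


if __name__ == "__main__":
    # Principal, database, and link match the CLI example on the page; the
    # target database, table, and catalog ID are constructed placeholders.
    stub = RecordingClient()
    sent = grant_link_and_target(
        stub,
        principal_arn="arn:aws:iam::111122223333:user/datalake_user1",
        link_db="issues", link_name="incidents-link",
        target_db="shared_issues", target_table="incidents",
        target_permissions=["SELECT"],
        target_catalog_id="444455556666",
    )
    for call in sent:
        print(call["Resource"]["Table"], call["Permissions"])
```

    Swapping RecordingClient for boto3.client("lakeformation") sends the same two requests; keeping the link grant and the target grant as distinct calls makes it visible in the call log that neither one alone is sufficient.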