Granting resource link permissions

Follow these steps to grant AWS Lake Formation permissions on one or more resource links to a principal in your AWS account.

After you create a resource link, only you can view and access it. (This assumes that Use only IAM access control for new tables in this database is not enabled for the database.) To permit other principals in your account to access the resource link, grant at least the DESCRIBE permission.

Important

Granting permissions on a resource link doesn't grant permissions on the target (linked) database or table. You must grant permissions on the target separately.

You can grant permissions by using the Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

To grant resource link permissions (console)

Do one of the following:
- For database resource links, follow the steps in Granting database permissions using the Lake Formation console and the named resource method to do the following:
  1. Open the Grant Permissions page.
  2. Specify the databases. Specify one or more database resource links.
  3. Specify the principals.
- For table resource links, follow the steps in Granting table permissions using the Lake Formation console and the named resource method to do the following:
  1. Open the Grant permissions page.
  2. Specify the tables. Specify one or more table resource links.
  3. Specify the principals.
Under Permissions, select the permissions to grant. Optionally, select grantable permissions.
Choose Grant.

To grant resource link permissions (AWS CLI)

Run the grant-permissions command, specifying a resource link as the resource.

This example grants DESCRIBE to user datalake_user1 on the table resource link incidents-link in the database issues in AWS account 1111-2222-3333.


aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "DESCRIBE" --resource '{ "Table": {"DatabaseName":"issues", "Name":"incidents-link"}}'