Granting Data Location Permissions - AWS Lake Formation

Data location permissions in AWS Lake Formation enable principals to create and alter Data Catalog resources that point to designated registered Amazon S3 locations. Data location permissions work in addition to Lake Formation data permissions to secure information in your data lake.

When you grant data location permissions to principals in your account, you permit those principals to use the CREATE_TABLE, ALTER, and DROP commands on Data Catalog databases that point to the location, and the ALTER and DROP commands on Data Catalog tables that point to the location. The data location permission is necessary but not sufficient: the principal must also hold the corresponding Data Catalog permission (CREATE_TABLE on the database, or ALTER or DROP on the database or table) for the operation to succeed.

When granting data location permissions to external AWS accounts or organizations, you are permitting the data lake administrator in external accounts to use the ALTER and DROP commands on tables that point to the location, provided that you also granted the administrator those cross-account permissions. The data lake administrator in the external account can in turn grant those permissions to other principals in the external account. Included in the ALTER permission is the ability to create, update, and delete partitions in tables.

Lake Formation does not use the AWS Resource Access Manager (AWS RAM) service for data location permission grants, so you don't need to accept resource share invitations for data location permissions.

You can grant data location permissions by using the AWS Lake Formation console, API, or AWS Command Line Interface (AWS CLI).

Note

For a grant to succeed, you must first register the data location with Lake Formation.
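The following script walks the procedure above with the AWS CLI: register the location, grant DATA_LOCATION_ACCESS to a role in the same account, grant it to an external account with the grant option so that account's data lake administrator can re-grant it, list the resulting grants, and revoke. It is an added example, not code from the AWS documentation. The bucket, prefix, role ARN and account IDs are placeholders, and the AWS_CLI variable is an assumed convenience: setting it to `echo` prints the commands instead of calling AWS.

```shell
#!/bin/sh
# Added example: grant, audit and revoke Lake Formation data location
# permissions with the AWS CLI. The bucket, prefix, role and account IDs
# below are placeholders; replace them with your own values.
set -e

AWS_CLI="${AWS_CLI:-aws}"   # set AWS_CLI=echo to preview commands without calling AWS

LOCATION_ARN="arn:aws:s3:::amzn-s3-demo-bucket/sales/"       # assumed registered S3 location
LOCAL_ROLE="arn:aws:iam::111122223333:role/DataEngineer"     # assumed principal in this account
EXTERNAL_ACCOUNT="444455556666"                              # assumed external AWS account

# Build the JSON resource document the CLI expects for a data location.
location_resource() {
    printf '{"DataLocation":{"ResourceArn":"%s"}}' "$1"
}

# Step 1: the location must be registered before any grant can succeed.
register_location() {
    "$AWS_CLI" lakeformation register-resource \
        --resource-arn "$1" \
        --use-service-linked-role
}

# Step 2a: in-account grant. The principal may now create, alter and drop
# catalog objects under this path, but only once it also holds the matching
# CREATE_TABLE / ALTER / DROP Data Catalog permissions.
grant_location_to_principal() {
    "$AWS_CLI" lakeformation grant-permissions \
        --principal "DataLakePrincipalIdentifier=$2" \
        --permissions DATA_LOCATION_ACCESS \
        --resource "$(location_resource "$1")"
}

# Step 2b: cross-account grant. The grant option lets the external account's
# data lake administrator pass the permission on to principals there.
grant_location_to_account() {
    "$AWS_CLI" lakeformation grant-permissions \
        --principal "DataLakePrincipalIdentifier=$2" \
        --permissions DATA_LOCATION_ACCESS \
        --permissions-with-grant-option DATA_LOCATION_ACCESS \
        --resource "$(location_resource "$1")"
}

# Step 3: audit who currently holds DATA_LOCATION_ACCESS on the path.
list_location_grants() {
    "$AWS_CLI" lakeformation list-permissions \
        --resource-type DATA_LOCATION \
        --resource "$(location_resource "$1")"
}

# Revoke mirrors grant; use it when a principal no longer needs the path.
revoke_location_from_principal() {
    "$AWS_CLI" lakeformation revoke-permissions \
        --principal "DataLakePrincipalIdentifier=$2" \
        --permissions DATA_LOCATION_ACCESS \
        --resource "$(location_resource "$1")"
}

# Run the full procedure only when invoked as: sh grant_location.sh apply
if [ "${1:-}" = "apply" ]; then
    register_location "$LOCATION_ARN"
    grant_location_to_principal "$LOCATION_ARN" "$LOCAL_ROLE"
    grant_location_to_account "$LOCATION_ARN" "$EXTERNAL_ACCOUNT"
    list_location_grants "$LOCATION_ARN"
fi
```

The caller needs Lake Formation permissions to grant DATA_LOCATION_ACCESS (a data lake administrator, or a principal holding it with the grant option) and the location must already be registered, otherwise grant-permissions fails. Because the cross-account grant is not delivered through AWS RAM, there is no resource share invitation to accept on the other side; the external administrator can use list-permissions to confirm the grant arrived.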