Granting Table Permissions (Same Account) - AWS Lake Formation


Follow these steps to grant AWS Lake Formation permissions on one or more tables to a principal in your AWS account. You can grant permissions by using the Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

To grant table permissions (same account, console)

  1. Open the AWS Lake Formation console at https://console.aws.amazon.com/lakeformation/, and sign in as a data lake administrator, the table creator, or a user who has been granted permissions with the grant option on the table.

  2. Do one of the following:

    • In the navigation pane, choose Data permissions, and then choose Grant.

    • In the navigation pane, choose Tables. Then on the Tables page, select a table, and on the Actions menu, under Permissions, choose Grant.

      This is the quicker method because you don't have to select a database and table in the Grant permissions dialog box. However, if you want to grant permissions on all tables in a database, use the other method.

    Note

    You can grant permissions on a table through its resource link. To do so, on the Tables page, select a resource link, and on the Actions menu, choose Grant on target. To grant permissions on the resource link itself, see Granting Resource Link Permissions.

  3. In the Grant permissions dialog box, ensure that the My account tile is selected. Then provide the following information:

    • For IAM users and roles, choose one or more principals.

    • For SAML and Amazon QuickSight users and groups, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML or ARNs for Amazon QuickSight users or groups.

      Enter one ARN at a time, and press Enter after each ARN. For information about how to construct the ARNs, see Lake Formation Grant and Revoke AWS CLI Commands.

      Note

      Lake Formation integration with Amazon QuickSight is supported for Amazon QuickSight Enterprise Edition only.

    • If the Database field is present, choose the database that contains the tables.

      The tables list populates.

    • If the Table field is present, choose one or more tables, or * All tables.

    • (Optional) For Column, choose a filter type (Include columns or Exclude columns), and then choose one or more columns to include or exclude.

      Note

      The columns options are available only if you choose one table. The only permission that you can grant when columns are included or excluded is SELECT.

    • For Table permissions, select the permissions that you want to grant.

    • (Optional) For Grantable permissions, select the permissions that you want the principal to be able to grant to others.

    [Screenshot: the Grant permissions dialog box with the My account option selected; a principal, database, and table are specified, and the SELECT permission is being granted.]
  4. Choose Grant.

Note

If you grant the ALTER permission on a table that has its underlying data in a registered location, be sure to also grant data location permissions on the location to the principals. For more information, see Granting Data Location Permissions.

To grant table permissions (same account, AWS CLI)

  • Run the grant-permissions command, specifying a metadata table as the resource.

    This example grants SELECT and INSERT to user datalake_user1 on the table inventory in the database retail in AWS account 1111-2222-3333 (written without hyphens, 111122223333, in the ARN).

    aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "SELECT" "INSERT" --resource '{ "Table": {"DatabaseName":"retail", "Name":"inventory"}}'

    The next example grants SELECT with the grant option on all tables in database retail.

    aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "SELECT" --permissions-with-grant-option "SELECT" --resource '{ "Table": { "DatabaseName": "retail", "TableWildcard": {} } }'

    For more examples, see Lake Formation Permissions Reference.
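The same grants issued through the API rather than the console or CLI, as an added example that is not AWS's own code. It builds the request dictionaries that boto3's LakeFormation.Client.grant_permissions(**kwargs) accepts, and enforces the rules from the console steps before anything is sent: column filters require exactly one table and allow only SELECT, grantable permissions must be among the permissions granted, and ALTER on a table whose data sits in a registered location is paired with a DATA_LOCATION_ACCESS grant on that location. The helper names, the example S3 location, and the RecordingClient stand-in (any object with a grant_permissions(**kwargs) method works, such as boto3.client("lakeformation")) are this example's own assumptions; the principal, database, and table names are the ones from the CLI examples above.

```python
"""Build and send AWS Lake Formation GrantPermissions requests for tables in the
same account, checking the rules this page states before anything is sent:
column filters need exactly one table and allow only SELECT, grantable
permissions must be among the granted ones, and ALTER on a table whose data is
in a registered location gets a companion DATA_LOCATION_ACCESS grant.

Added example, not AWS's own code. Helper names are this example's own; the
request dicts match boto3 LakeFormation.Client.grant_permissions(**kwargs).
`client` is assumed to be any object with grant_permissions(**kwargs), such as
boto3.client("lakeformation"); RecordingClient below stands in so this runs offline.
"""
from __future__ import annotations

from typing import Any

# Permissions Lake Formation accepts on a table resource.
TABLE_PERMISSIONS = {"ALL", "SELECT", "ALTER", "DROP", "DELETE", "INSERT", "DESCRIBE"}


def build_table_resource(database: str, table: str | None = None,
                         include_columns: list[str] | None = None,
                         exclude_columns: list[str] | None = None) -> dict[str, Any]:
    """Resource for one table, all tables (table=None -> TableWildcard), or a column filter."""
    if include_columns and exclude_columns:
        raise ValueError("choose Include columns or Exclude columns, not both")
    if table is None:
        if include_columns or exclude_columns:
            raise ValueError("column options are available only when one table is chosen")
        return {"Table": {"DatabaseName": database, "TableWildcard": {}}}
    if include_columns:
        return {"TableWithColumns": {"DatabaseName": database, "Name": table,
                                     "ColumnNames": list(include_columns)}}
    if exclude_columns:
        return {"TableWithColumns": {"DatabaseName": database, "Name": table,
                                     "ColumnWildcard": {"ExcludedColumnNames": list(exclude_columns)}}}
    return {"Table": {"DatabaseName": database, "Name": table}}


def build_grant_request(principal_arn: str, resource: dict[str, Any],
                        permissions: list[str], grantable: list[str] | None = None) -> dict[str, Any]:
    """Validated kwargs for grant_permissions() on a table resource (order kept, duplicates dropped)."""
    perms = list(dict.fromkeys(p.upper() for p in permissions))
    grant_opt = list(dict.fromkeys(p.upper() for p in grantable or []))
    unknown = set(perms + grant_opt) - TABLE_PERMISSIONS
    if unknown:
        raise ValueError(f"not table permissions: {sorted(unknown)}")
    if not set(grant_opt) <= set(perms):  # a principal cannot delegate what it was not granted
        raise ValueError("grantable permissions must be a subset of the granted permissions")
    if "TableWithColumns" in resource and set(perms) != {"SELECT"}:
        raise ValueError("only SELECT can be granted when columns are included or excluded")
    request: dict[str, Any] = {"Principal": {"DataLakePrincipalIdentifier": principal_arn},
                               "Resource": resource, "Permissions": perms}
    if grant_opt:
        request["PermissionsWithGrantOption"] = grant_opt
    return request


def grant_table_permissions(client: Any, principal_arn: str, database: str, table: str | None,
                            permissions: list[str], grantable: list[str] | None = None,
                            include_columns: list[str] | None = None,
                            exclude_columns: list[str] | None = None,
                            data_location_arn: str | None = None) -> list[dict[str, Any]]:
    """Send the table grant; when ALTER (or ALL, which includes it) is granted and a
    registered location ARN is given, also grant DATA_LOCATION_ACCESS on that location."""
    resource = build_table_resource(database, table, include_columns, exclude_columns)
    requests = [build_grant_request(principal_arn, resource, permissions, grantable)]
    if data_location_arn and {"ALTER", "ALL"} & set(requests[0]["Permissions"]):
        requests.append({"Principal": {"DataLakePrincipalIdentifier": principal_arn},
                         "Resource": {"DataLocation": {"ResourceArn": data_location_arn}},
                         "Permissions": ["DATA_LOCATION_ACCESS"]})
    for req in requests:
        client.grant_permissions(**req)
    return requests


class RecordingClient:
    """Offline stand-in for boto3.client("lakeformation"): records requests instead of sending them."""

    def __init__(self) -> None:
        self.calls: list[dict[str, Any]] = []

    def grant_permissions(self, **kwargs: Any) -> dict[str, Any]:
        self.calls.append(kwargs)
        return {}


if __name__ == "__main__":
    lf = RecordingClient()  # swap for boto3.client("lakeformation") to issue real grants
    user = "arn:aws:iam::111122223333:user/datalake_user1"  # principal from the CLI examples
    grant_table_permissions(lf, user, "retail", "inventory", ["SELECT", "INSERT"])
    grant_table_permissions(lf, user, "retail", None, ["SELECT"], grantable=["SELECT"])
    grant_table_permissions(lf, user, "retail", "inventory", ["ALTER"],
                            data_location_arn="arn:aws:s3:::example-datalake/retail/")  # assumed location
    for call in lf.calls:
        print(call)
```

The first two calls in the main block reproduce the two CLI commands above; the third shows the ALTER case from the note, where a single helper call produces both the table grant and the data location grant, so the location permission cannot be forgotten.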
