Granting Table Permissions (External Account) - AWS Lake Formation

Follow these steps to grant AWS Lake Formation permissions on one or more tables in a database to an external AWS account, organization, or organizational unit. Granting cross-account permissions on a table automatically shares that table with the grantee through AWS Resource Access Manager (AWS RAM); there is no separate sharing step, so the grant itself is what exposes the table outside your account.

You can grant permissions by using the Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

Before You Begin

Ensure that all cross-account access prerequisites are satisfied. For more information, see Cross-Account Access Prerequisites.

To grant table permissions (external account, console)

  1. Open the AWS Lake Formation console at https://console.aws.amazon.com/lakeformation/. Sign in as a user who has the AWSLakeFormationCrossAccountManager AWS managed policy attached. This policy is one of those recommended for the data lake administrator, but it is the policy, not the administrator role, that authorizes cross-account grants: any user to whom it is attached can share tables outside the account, so attach it deliberately.

  2. Do one of the following:

    • In the navigation pane, choose Data permissions, and then choose Grant.

    • In the navigation pane, choose Tables. Then on the Tables page, select a table, and on the Actions menu, under Permissions, choose Grant.

      This is the quicker method, because you don't have to select a database and table in the Grant permissions dialog box. However, if you want to grant permissions on all tables in a database, use the other method.

    Note

    You can grant permissions on a table through its resource link. To do so, on the Tables page, select a resource link, and on the Actions menu, choose Grant on target. To grant permissions on the resource link itself, see Granting Resource Link Permissions.

  3. In the Grant permissions dialog box, choose the External account tile.

  4. Provide the following information:

    • For AWS account ID or AWS organization ID, enter one or more valid AWS account IDs, organization IDs, or organizational unit IDs. Press Enter after each ID.

      An AWS account ID is 12 digits. An organization ID consists of "o-" followed by 10 to 32 lowercase letters or digits. An organizational unit ID consists of "ou-", then 4 to 32 lowercase letters or digits (the ID of the root that contains the OU), then a second "-" and 8 to 32 more lowercase letters or digits.

    • If the Database field is present, choose the database in your AWS account that contains the tables to grant cross-account permissions on. The tables list populates.

    • If the Table field is present, select one or more tables, or * All tables.

    • For Table permissions, select the permissions that you want to grant, and select the same permissions under Grantable permissions.

      The grant option is what lets the data lake administrator in the external account grant the permissions on the tables to other principals in that account; without it, that administrator cannot delegate access to the account's own IAM users and roles. It also means the external administrator, not you, decides who in that account can reach the data, so grant only the permissions the consumer actually needs.

      You can grant any of the Lake Formation table permissions to other AWS accounts. If you grant the ALTER or DROP permissions, be sure to also grant cross-account data location permissions to the principals. For more information, see Granting Data Location Permissions.

    
                In the Grant Permissions dialog box, the radio button "External account" is
                  selected. An AWS account, database, and table are specified, and the permission
                  SELECT is being granted with the grant option.
  5. Choose Grant.

Note

If you grant the ALTER permission on a table that has its underlying data in a registered location, be sure to also grant data location permissions on the location to the external account. For more information, see Granting Data Location Permissions.

To grant table permissions (external account, AWS CLI)

  • Enter commands similar to the following examples. An account is identified by its 12-digit ID with no dashes; an organization or organizational unit is identified by its AWS Organizations ARN, in which the account ID (111122223333 below) is the organization's management account.

    • Grant SELECT with the grant option on the table agents in the database issues to account 111122223333.

      aws lakeformation grant-permissions \
          --principal DataLakePrincipalIdentifier=111122223333 \
          --permissions "SELECT" --permissions-with-grant-option "SELECT" \
          --resource '{ "Table": { "DatabaseName": "issues", "Name": "agents" } }'

    • Grant SELECT with the grant option on all tables in the database clinical-trials to account 111122223333. The keyword TableWildcard is used in place of a table name.

      aws lakeformation grant-permissions \
          --principal DataLakePrincipalIdentifier=111122223333 \
          --permissions "SELECT" --permissions-with-grant-option "SELECT" \
          --resource '{ "Table": { "DatabaseName": "clinical-trials", "TableWildcard": {} } }'

    • Grant SELECT with the grant option on the table agents in the database issues to the organization o-abcdefghijkl.

      aws lakeformation grant-permissions \
          --principal DataLakePrincipalIdentifier=arn:aws:organizations::111122223333:organization/o-abcdefghijkl \
          --permissions "SELECT" --permissions-with-grant-option "SELECT" \
          --resource '{ "Table": { "DatabaseName": "issues", "Name": "agents" } }'

    • Grant SELECT with the grant option on the table agents in the database issues to the organizational unit ou-ab00-cdefghij in organization o-abcdefghijkl.

      aws lakeformation grant-permissions \
          --principal DataLakePrincipalIdentifier=arn:aws:organizations::111122223333:ou/o-abcdefghijkl/ou-ab00-cdefghij \
          --permissions "SELECT" --permissions-with-grant-option "SELECT" \
          --resource '{ "Table": { "DatabaseName": "issues", "Name": "agents" } }'

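The following Python example is added here and is not code from the AWS documentation or from the AWS CLI. It turns the console and CLI steps above into a checked request builder: it validates the account, organization, and OU identifier formats given on this page, produces the AWS Organizations ARN forms used in the CLI examples, mirrors the granted permissions into PermissionsWithGrantOption, uses TableWildcard for an all-tables grant, and flags any grant that includes ALTER or DROP as needing a data location grant as well. It returns the keyword arguments accepted by boto3's lakeformation grant_permissions() call. The function names, the FakeLakeFormationClient stand-in, and the sample identifiers are this example's own assumptions, and it runs offline without AWS credentials.

```python
"""Build and validate AWS Lake Formation cross-account table grants.

Added example, not code from the AWS documentation. The identifier
formats and the grant-option / data-location rules come from the page;
the function names and the fake client are this example's own.
"""
import re

# Principal identifier formats described on the page.
ACCOUNT_RE = re.compile(r"^\d{12}$")
ORG_RE = re.compile(r"^o-[a-z0-9]{10,32}$")
OU_RE = re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")

# Table-level Lake Formation permissions that may be granted cross-account.
TABLE_PERMISSIONS = {"ALL", "SELECT", "INSERT", "DELETE", "DESCRIBE", "ALTER", "DROP"}
# Grants containing these must be paired with a data location grant on the
# table's registered S3 location; ALL implies ALTER and DROP.
NEEDS_DATA_LOCATION = {"ALTER", "DROP", "ALL"}


def principal_identifier(account_id, org_id=None, ou_id=None):
    """Return the DataLakePrincipalIdentifier for an external account, an
    organization, or an organizational unit.

    For an account grant, account_id is the external account itself. For an
    organization or OU grant it is the organization's management account,
    which owns the AWS Organizations ARN.
    """
    if not ACCOUNT_RE.match(account_id):
        raise ValueError(f"account ID must be 12 digits: {account_id!r}")
    if ou_id is not None:
        if org_id is None or not ORG_RE.match(org_id):
            raise ValueError("an OU grant needs the ID of the organization containing the OU")
        if not OU_RE.match(ou_id):
            raise ValueError(f"malformed organizational unit ID: {ou_id!r}")
        return f"arn:aws:organizations::{account_id}:ou/{org_id}/{ou_id}"
    if org_id is not None:
        if not ORG_RE.match(org_id):
            raise ValueError(f"malformed organization ID: {org_id!r}")
        return f"arn:aws:organizations::{account_id}:organization/{org_id}"
    return account_id


def build_table_grant(principal, database, permissions, table=None, grant_option=True):
    """Return the keyword arguments for lakeformation.grant_permissions().

    table=None grants on every table in the database (TableWildcard), the
    CLI equivalent of the console's '* All tables' choice. grant_option
    mirrors the granted permissions into PermissionsWithGrantOption so the
    external account's data lake administrator can re-grant them there.
    """
    perms = sorted({p.upper() for p in permissions})
    unknown = set(perms) - TABLE_PERMISSIONS
    if unknown:
        raise ValueError(f"not table permissions: {sorted(unknown)}")
    resource = {"DatabaseName": database}
    if table is None:
        resource["TableWildcard"] = {}
    else:
        resource["Name"] = table
    request = {
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": {"Table": resource},
        "Permissions": perms,
    }
    if grant_option:
        request["PermissionsWithGrantOption"] = perms
    return request


def needs_data_location_grant(request):
    """True when the grant includes ALTER or DROP (or ALL, which implies
    both), so a cross-account data location grant is also required."""
    return bool(set(request["Permissions"]) & NEEDS_DATA_LOCATION)


def apply_grant(client, request):
    """Send the grant through any object exposing grant_permissions(**kwargs),
    such as boto3.client('lakeformation'); returns the service response."""
    return client.grant_permissions(**request)


class FakeLakeFormationClient:
    """Constructed stand-in for the boto3 client so the example runs offline."""

    def __init__(self):
        self.calls = []

    def grant_permissions(self, **kwargs):
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


if __name__ == "__main__":
    client = FakeLakeFormationClient()
    org = principal_identifier("111122223333", org_id="o-abcdefghijkl")
    req = build_table_grant(org, "issues", ["SELECT"], table="agents")
    print(apply_grant(client, req), req)
    alter = build_table_grant("111122223333", "issues", ["ALTER"], table="agents")
    if needs_data_location_grant(alter):
        print("ALTER granted: also grant data location permissions on the table's location")
```

To send a real grant, pass boto3.client('lakeformation') as the client instead of the fake. Afterwards, aws lakeformation list-permissions filtered by the same principal should show the table with the expected Permissions and PermissionsWithGrantOption; that listing, not the absence of an error, is the check to run before treating the share as complete.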