AWS Lake Formation
Developer Guide


Granting Lake Formation Permissions

AWS Lake Formation requires that each principal (user or role) be authorized to perform specific actions on Lake Formation managed resources. A principal is granted the necessary authorizations by the data lake administrator or another principal with the permissions to grant permissions.

When you grant a permission to a principal, you can optionally grant the ability to pass that permission to another principal. Resources in Lake Formation include the Data Catalog, catalog databases and tables, and Amazon S3 data locations.

You can use the Lake Formation API or the Data permissions and Data locations pages of the Lake Formation console to grant and revoke Lake Formation permissions.

There are three types of permissions in Lake Formation that you explicitly grant: Data Catalog permissions, data location permissions, and data access permissions. In addition, some Lake Formation permissions are implicitly granted as a result of explicit grants or other actions, such as creating a Data Catalog database or table.

Data Catalog permissions

The Data Catalog stores metadata about source data and the data contained in your data lakes. The metadata is organized as databases and tables. Metadata tables point to the underlying data stored in Amazon S3 and other locations. Databases are collections of metadata tables. Data Catalog permissions grant the ability to create, edit, and delete databases and tables. Examples of Data Catalog permissions are CREATE_DATABASE and CREATE_TABLE. For more information, see Data Catalog Permissions.

Data location permissions

A data location is an Amazon S3 path where your data is stored. To create a catalog database or table that has underlying data at a location, a principal needs location permissions on that location. For more information, see Data Location Permissions.

Data access permissions

To read and write the underlying data of a catalog table, a principal needs data access permissions on that table. Examples of data access permissions are SELECT and INSERT. For more information, see Data Access Permissions.
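The three explicit permission types above map onto three shapes of the same GrantPermissions API call. The block below is an added example, not code from the AWS guide: it assembles one request of each type for a single principal (data location, Data Catalog, data access), checks that each permission name is valid for the resource type it is granted on, enforces that the grant option is a subset of what is granted, and can send the requests through a boto3 `lakeformation` client. The role ARN, account ID, bucket, database and table names are placeholders, and the grouping of permission names by resource type is this example's own.

```python
"""Added example (not from the AWS guide): build, validate and optionally send
Lake Formation GrantPermissions requests for the three explicit permission
types. Every ARN, bucket, database and table name below is a placeholder."""
from typing import Dict, Iterable, List

# Permission names accepted by the Lake Formation GrantPermissions API, keyed by
# the resource type they can be granted on. The grouping is this example's own.
ALLOWED: Dict[str, set] = {
    "Catalog": {"CREATE_DATABASE"},
    "Database": {"CREATE_TABLE", "ALTER", "DROP", "DESCRIBE"},
    "Table": {"SELECT", "INSERT", "DELETE", "DESCRIBE", "ALTER", "DROP"},
    "DataLocation": {"DATA_LOCATION_ACCESS"},
}


def database_resource(name: str) -> Dict:
    return {"Database": {"Name": name}}


def table_resource(database: str, table: str) -> Dict:
    return {"Table": {"DatabaseName": database, "Name": table}}


def data_location_resource(bucket: str, prefix: str = "") -> Dict:
    # A registered data location is identified by the S3 ARN of its path.
    arn = f"arn:aws:s3:::{bucket}" + (f"/{prefix.strip('/')}" if prefix else "")
    return {"DataLocation": {"ResourceArn": arn}}


def invalid_permissions(resource: Dict, permissions: Iterable[str]) -> set:
    """Return the requested permission names that cannot apply to this resource type."""
    kind = next(iter(resource))
    return set(permissions) - ALLOWED.get(kind, set())


def grant_request(principal_arn: str, resource: Dict, permissions: Iterable[str],
                  grant_option: Iterable[str] = ()) -> Dict:
    """Assemble the keyword arguments for lakeformation.grant_permissions().

    grant_option is the subset of `permissions` the principal may pass on to
    other principals (PermissionsWithGrantOption in the API).
    """
    permissions = list(permissions)
    grant_option = list(grant_option)
    bad = invalid_permissions(resource, permissions)
    if bad:
        raise ValueError(f"{sorted(bad)} not valid for {next(iter(resource))} resources")
    if not set(grant_option) <= set(permissions):
        raise ValueError("PermissionsWithGrantOption must be a subset of Permissions")
    req = {
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        "Resource": resource,
        "Permissions": permissions,
    }
    if grant_option:
        req["PermissionsWithGrantOption"] = grant_option
    return req


def analyst_grants(principal_arn: str, bucket: str, database: str, table: str) -> List[Dict]:
    """One request per explicit permission type: location first (so the principal
    may create catalog objects backed by that path), then catalog, then data access.
    Only SELECT is made grantable onward; INSERT is not."""
    return [
        grant_request(principal_arn, data_location_resource(bucket, "raw/"),
                      ["DATA_LOCATION_ACCESS"]),
        grant_request(principal_arn, database_resource(database), ["CREATE_TABLE"]),
        grant_request(principal_arn, table_resource(database, table),
                      ["SELECT", "INSERT"], grant_option=["SELECT"]),
    ]


def apply_grants(client, requests: List[Dict]) -> int:
    """Send each request through a boto3 lakeformation client; returns the count sent."""
    for req in requests:
        client.grant_permissions(**req)
    return len(requests)


if __name__ == "__main__":
    # Placeholder identifiers; nothing is sent unless a real client is passed in.
    reqs = analyst_grants("arn:aws:iam::111122223333:role/analyst-role",
                          "example-datalake-bucket", "sales", "orders")
    for r in reqs:
        print(r)
    # To send for real: import boto3; apply_grants(boto3.client("lakeformation"), reqs)
```

The validation step is the part worth keeping in your own tooling: a request that names SELECT on a Database resource, or lists a grant-option permission that was not itself granted, is rejected locally before any call reaches the service, which keeps a grant script's failures readable and its intended scope auditable.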

Implicit permissions

Explicit grants of certain Data Catalog permissions result in implicit grants of additional Lake Formation permissions. Performing certain other Lake Formation tasks, such as creating a database, also results in implicit grants. For more information, see Implicit Permissions.